[esb-issues] [JBoss JIRA] Closed: (JBESB-1130) Object deserialisation retrieves the wrong class instance

Kevin Conner (JIRA) jira-events at lists.jboss.org
Thu Oct 4 07:08:03 EDT 2007


     [ http://jira.jboss.com/jira/browse/JBESB-1130?page=all ]

Kevin Conner closed JBESB-1130.
-------------------------------

    Resolution: Done

Fixed in revision 15576.

> Object deserialisation retrieves the wrong class instance
> ---------------------------------------------------------
>
>                 Key: JBESB-1130
>                 URL: http://jira.jboss.com/jira/browse/JBESB-1130
>             Project: JBoss ESB
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Rosetta
>    Affects Versions: 4.2.1 IR1
>            Reporter: Kevin Conner
>         Assigned To: Kevin Conner
>            Priority: Critical
>             Fix For: 4.2.1 IR2
>
>
> The object deserialisation used within the codebase is not safe within an EE environment.
> The standard ObjectInputStream ignores the thread context classloader when loading classes, associating any loaded class with the first classloader discovered while checking up the current stack.  In our case this will usually be the classloader associated with the jbossesb.sar.
> The outcome of this is that the class retrieved from the incorrect classloader may represent a stale class and will result in runtime errors such as the one below.
> java.lang.ClassCastException: org.jboss.soa.esb.dvdstore.OrderHeader
>         at org.jboss.soa.esb.samples.quickstart.businessrules.ReviewMessage.process(ReviewMessage.java:41)
>         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:266)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
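
The classloader behaviour described in the issue, reproduced as an added example; this is not the change made in revision 15576 and not JBoss ESB code. `ContextLoaderDemo`, `Order` and `ContextObjectInputStream` are hypothetical names, and the isolated `URLClassLoader` stands in for a separately deployed application.

```java
import java.io.*;
import java.net.URL;
import java.net.URLClassLoader;

// Added illustration; all class names here are hypothetical, not from JBoss ESB.
public class ContextLoaderDemo {
    public static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Resolves classes through the thread context classloader (TCCL) first. */
    static class ContextObjectInputStream extends ObjectInputStream {
        ContextObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            if (tccl != null) {
                try {
                    return Class.forName(desc.getName(), false, tccl);
                } catch (ClassNotFoundException e) {
                    // Fall through: primitives and classes the TCCL cannot see.
                }
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Order());
        }
        byte[] bytes = buf.toByteArray();
        // Stand-in for a deployed application: an isolated loader (no delegation
        // to the application loader) that defines its own copy of Order.
        URL here = ContextLoaderDemo.class.getProtectionDomain().getCodeSource().getLocation();
        ClassLoader deployment = new URLClassLoader(new URL[] { here }, null);
        Thread.currentThread().setContextClassLoader(deployment);
        try (ObjectInputStream plain = new ObjectInputStream(new ByteArrayInputStream(bytes));
             ObjectInputStream ctx = new ContextObjectInputStream(new ByteArrayInputStream(bytes))) {
            Object a = plain.readObject(); // resolved via the loader found on the call stack
            Object b = ctx.readObject();   // resolved via the deployment's loader (TCCL)
            System.out.println("plain   -> " + a.getClass().getClassLoader());
            System.out.println("context -> " + b.getClass().getClassLoader());
            System.out.println("same Class object: " + (a.getClass() == b.getClass()));
        }
    }
}
```

Compile with `javac` and run from the class directory so the code source location points at the compiled classes. Casting the first object to the deployment's `Order` is the `ClassCastException` the report shows: same class name, different `Class` instance.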

        


