[jboss-jira] [JBoss JIRA] (WFLY-13296) Allow distributable deployments to leverage ProtoStream to marshal distributable objects

Paul Ferraro (Jira) issues at jboss.org
Thu Mar 26 14:40:51 EDT 2020


     [ https://issues.redhat.com/browse/WFLY-13296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Ferraro moved EAP7-1476 to WFLY-13296:
-------------------------------------------

                          Project: WildFly  (was: JBoss EAP Planning for version 7 and above)
                              Key: WFLY-13296  (was: EAP7-1476)
                       Issue Type: Feature Request  (was: Requirement)
                         Workflow: GIT Pull Request workflow   (was: EAP Agile Workflow 2.0)
                      Component/s: Clustering  (was: Clustering)
          EAP PT Pre-Checked (PC):   (was: TODO)
                   Target Release:   (was: 7.backlog.GA)
       EAP PT Community Docs (CD):   (was: TODO)
         EAP PT Product Docs (PD):   (was: New)
                Affects Version/s: 19.0.0.Final  (was: 7.3.0.GA)
             EAP PT Test Dev (TD):   (was: TODO)
        EAP PT Docs Analysis (DA):   (was: TODO)
            EAP PT Test Plan (TP):   (was: TODO)
    EAP PT Analysis Document (AD):   (was: TODO)


> Allow distributable deployments to leverage ProtoStream to marshal distributable objects
> ----------------------------------------------------------------------------------------
>
>                 Key: WFLY-13296
>                 URL: https://issues.redhat.com/browse/WFLY-13296
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Clustering
>    Affects Versions: 19.0.0.Final
>            Reporter: Paul Ferraro
>            Assignee: Paul Ferraro
>            Priority: Major
>
> EAP currently uses JBoss Marshalling to serialize user objects (e.g. HttpSession attributes, SFSB instances, JPA entity keys, CommandDispatcher commands, etc.).
> JBoss Marshalling is convenient, as it follows roughly the same usage semantics as Java Serialization.  Consequently, it suffers from the same security concerns as Java Serialization, specifically:
> https://cwe.mitre.org/data/definitions/502.html
> https://docs.oracle.com/javase/6/docs/platform/serialization/spec/security.html#4169
> ProtoStream (https://github.com/infinispan/protostream), which has been the default marshalling framework used by Infinispan since RHDG 8, offers an alternative to JBoss Marshalling, with some attractive advantages:
> * Invulnerable to arbitrary code execution during unmarshalling
> * Reduced memory footprint during marshalling/unmarshalling
> * Marginally smaller replication/persistence payload sizes (in general)
> This RFE seeks to allow users to use ProtoStream for marshalling of distributable objects.  This will require:
> * The org.infinispan.protostream module to be public and exported to user deployments
> * Instructions for developers on how to generate protobuf schemas for their distributable objects
> * A mechanism for determining the user's intention to use ProtoStream instead of JBoss Marshalling.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

