[jboss-jira] [JBoss JIRA] (WFLY-13296) Allow distributable deployments to leverage ProtoStream to marshal distributable objects

Paul Ferraro (Jira) issues at jboss.org
Fri Mar 27 07:32:22 EDT 2020 

     [ https://issues.redhat.com/browse/WFLY-13296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Ferraro closed WFLY-13296.
-------------------------------
    Resolution: Duplicate Issue


Duplicate of WFLY-13077.

> Allow distributable deployments to leverage ProtoStream to marshal distributable objects
> ----------------------------------------------------------------------------------------
>
>                 Key: WFLY-13296
>                 URL: https://issues.redhat.com/browse/WFLY-13296
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Clustering
>    Affects Versions: 19.0.0.Final
>            Reporter: Paul Ferraro
>            Assignee: Paul Ferraro
>            Priority: Major
>
> EAP currently uses JBoss Marshalling to serialize user objects (e.g. HttpSession attributes, SFSB instances, JPA entity keys, CommandDispatcher commands, etc.).
> JBoss Marshalling is convenient, as it follows roughly the same usage semantics as Java Serialization.  Consequently, it suffers from the same security concerns as Java Serialization, specifically:
> https://cwe.mitre.org/data/definitions/502.html
> https://docs.oracle.com/javase/6/docs/platform/serialization/spec/security.html#4169
> ProtoStream (https://github.com/infinispan/protostream), which is now the default marshalling framework used by Infinispan since RHDG 8, offers an alternative to JBoss Marshalling, with some attractive advantages:
> * Invulnerable to arbitrary code execution during unmarshalling
> * Reduced memory footprint during marshalling/unmarshalling
> * Marginally smaller replication/persistence payload sizes (in general)
> This RFE seeks to allow users to use ProtoStream for marshalling of distributable objects.  This will require:
> * The org.infinispan.protostream module to be public and exported to user deployments
> * Instructions for developers on how to generate protobuf schemas for their distributable objects
> * A mechanism for determining the user's intention to use ProtoStream instead of JBoss Marshalling.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the jboss-jira mailing list