
Issues/430 custom serializers: Allow for custom serialization on all things stored in cache backend to mitigate security and performance problems #431

Open
wants to merge 3 commits into base: master

Conversation

@exabrial exabrial commented Jun 7, 2021

Fix #430 and pave the path for #427. This PR adds two interfaces:

  • ObjectIOFactory
  • ObjectIOStrategy

The ObjectIOFactory just creates instances of the ObjectIOStrategy. The strategy is invoked when writing/reading any objects from the serialized stream that are not the session attributes.

This PR is implemented in a way so the current behavior is backwards compatible with older versions.

Why is this important: In the current codebase, ordinary ObjectInputStream/ObjectOutputStream are used to serialize various objects. This PR allows you to customize this process.

For full mitigation, both a SessionAttributesTranscoder and an ObjectIOStrategy (and their two factories) that perform serialization class filtering should be implemented.

In our case, we implemented a strategy that uses FST (https://github.com/fstpackage/fst), employs compression (https://github.com/lz4/lz4), encryption / signing / authentication (https://github.com/martinwithaar/Encryptor4j), and serialization class filtering (https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html). As discussed in #427 this covers an attack vector in which bytecode injection is possible if other checks on the server fail.

We implemented these interfaces and they can be used like this in a context.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
	<Manager
		className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
		memcachedNodes="${redis.url}"
		sticky="true"
		sessionBackupAsync="true"
		storageKeyPrefix="static:app-name"
		transcoderFactoryClass="com.xxx.sessionmanagement.fst.FstTranscoderFactory"
		objectIOFactoryClassName="com.xxx.sessionmanagement.fst.FstObjectIOFactory"
		requestUriIgnorePattern="(?:^.*\/javax\.faces\.resource\/.*$)|(?:^.*\.(?:ico|png|gif|jpg|css|js)$)|(?:^.*\/(?:404|500).jsf)" />
</Context>
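
As an added example, not code from the PR or from memcached-session-manager: the "serialization class filtering" the description refers to, done with the JDK's (9+) ObjectInputFilter on a plain ObjectInputStream, which is the stream type the PR wants to make replaceable. The allow-listed class names and the sample objects are constructed for the demonstration; the PR's ObjectIOStrategy interface itself is not implemented because its signature is not shown here.

```java
import java.io.*;
import java.util.*;

// Added example (not memcached-session-manager code): a deny-by-default JDK ObjectInputFilter
// on a plain ObjectInputStream, i.e. the "serialization class filtering" the PR refers to.
public final class FilteredObjectIO {

    // Constructed allow-list: exactly the types the cache is expected to hold. Serializable
    // superclasses (Number for Long) are checked too, so they must be listed as well.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Number", "java.lang.Long", "java.util.HashMap");

    // Unknown classes are REJECTED, never left UNDECIDED; graph limits guard against
    // nesting depth and array sizes regardless of class name.
    static ObjectInputFilter allowListFilter() {
        return info -> {
            if (info.depth() > 20 || info.arrayLength() > 10_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) {                     // callback carries only limits, no class
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (cls.isArray()) {                // judge arrays by their element type
                cls = cls.getComponentType();
            }
            return cls.isPrimitive() || ALLOWED.contains(cls.getName())
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // ObjectInputStream throws InvalidClassException as soon as the filter says REJECTED.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }
}
```

With this constructed allow-list, deserialize(serialize(new HashMap<String, Long>())) succeeds, while deserialize(serialize(new java.util.Date())) fails with an InvalidClassException reporting filter status REJECTED because Date is not listed.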

@exabrial exabrial force-pushed the issues/430_custom-serializers branch from 3725529 to a9f98d6 on June 8, 2021 00:30
Successfully merging this pull request may close these issues.

Principal and other attributes need some flexibility with Serialization