JDK 11 Documentation - Java Core Libraries Developer Guide P_Java知识分享网-免费Java资源下载

失效链接处理

JDK 11 Documentation - Java Core Libraries Developer Guide PDF 下载

本站整理下载：

链接：https://pan.baidu.com/s/1S2ZZq4CJU3SPjdJwdiGRgA

提取码：pwnc

相关截图：

主要内容：

Java Core Libraries

The core libraries consist of classes which are used by many portions of the JDK.

They include functionality which is close to the VM and is not explicitly included in

other areas, such as security. Here you will find current information that will help you

use some of the core libraries.

Topics in this Guide

• Serialization Filtering

• Enhanced Deprecation

• XML Catalog API

• Creating Unmodifiable Lists, Sets, and Maps

• Process API

• Preferences API

• Java Logging Overview

Other Core Libraries Guides

• Internationalization Overview in Java Platform, Standard Edition

Internationalization Guide

Security Related Topics

• Serialization Filtering

• RMI:

– RMI Security Recommendations in Java Platform, Standard Edition Java

Remote Method Invocation User's Guide

– Using Custom Socket Factories with Java RMI in the Java Tutorials

• JAXP:

– JAXP Processing Limits in the Java Tutorials

– External Access Restriction Properties in the Java Tutorials

1-1

Serialization Filtering

You can use the Java serialization filtering mechanism to help prevent deserialization

vulnerabilities. You can define pattern-based filters or you can create custom filters.

Topics:

• Addressing Deserialization Vulnerabilities

• Java Serialization Filters

• Whitelists and Blacklists

• Creating Pattern-Based Filters

• Creating Custom Filters

• Built-in Filters

• Logging Filter Actions

Addressing Deserialization Vulnerabilities

An application that accepts untrusted data and deserializes it is vulnerable to attacks.

You can create filters to screen incoming streams of serialized objects before they are

deserialized.

An object is serialized when its state is converted to a byte stream. That stream can be

sent to a file, to a database, or over a network. A Java object is serializable if its class

or any of its superclasses implements either the java.io.Serializable interface

or the java.io.Externalizable subinterface. In the JDK, serialization is used in

many areas, including Remote Method Invocation (RMI), custom RMI for interprocess

communication (IPC) protocols (such as the Spring HTTP invoker), Java Management

Extensions (JMX), and Java Messaging Service (JMS).

An object is deserialized when its serialized form is converted to a copy of the object. It

is important to ensure the security of this conversion. Deserialization is code

execution, because the readObject method of the class that is being deserialized

can contain custom code. Serializable classes, also known as "gadget classes", can

do arbitrary reflective actions such as create classes and invoke methods on them. If

your application deserializes these classes, they can cause a denial of service or

remote code execution.

When you create a filter, you can specify which classes are acceptable to an

application, and which should be rejected. You can control the object graph size and

complexity during deserialization so that the object graph doesn’t exceed reasonable

limits. Filters can be configured as properties, or implemented programmatically.

Besides creating filters, you can take the following actions to help prevent

deserialization vulnerabilities:

• Do not deserialized untrusted data.

• Use SSL to encrypt and authenticate the connections between applications.

2-1

• Validate field values before assignment, including checking object invariants by

using the readObject method.

Note:

Built-in filters are provided for RMI. However, you should use these built-in

filters as starting points only. Configure blacklists and/or extend the whitelist

to add additional protection for your application that uses RMI. See Built-in

Filters.

For more information about these and other strategies, see "Serialization and

Deserialization" in Secure Coding Guidelines for Java SE.

Java Serialization Filters

The Java serialization filtering mechanism screens incoming streams of serialized

objects to help improve security and robustness. Filters can validate incoming classes

before they are deserialized.

As stated in JEP 290, the goals of the Java serialization filtering mechanism are to:

• Provide a way to narrow the classes that can be deserialized down to a contextappropriate set of classes.

• Provide metrics to the filter for graph size and complexity during deserialization to

validate normal graph behaviors.

• Allow RMI-exported objects to validate the classes expected in invocations.

You can implement serialization filters in the following ways:

• Pattern-based filters do not require you to modify your application. They consist of

a sequence of patterns that are defined in properties, in a configuration file or on

the command line. Pattern-based filters can accept or reject specific classes,

packages, or modules. They can place limits on array sizes, graph depth, total

references, and stream size. A typical use case is to blacklist classes that have

been identified as potentially compromising the Java runtime. Pattern-based filters

are defined for one application or all applications in a process.

• Custom filters are implemented using the ObjectInputFilter API. They allow

an application to integrate finer control than pattern-based filters, because they

can be specific to each ObjectInputStream. Custom filters are set on an

individual input stream or on all streams in a process.

The filter mechanism is called for each new object in the stream. If more than one

active filter (process-wide filter, application filter, or stream-specific filter) exists, only

the most specific filter is called.

In most cases, a custom filter should check if a process-wide filter is set. If one exists,

the custom filter should invoke it and use the process-wide filter’s result, unless the

status is UNDECIDED.

Support for serialization filters is included starting with JDK 9, and in Java CPU

releases starting with 8u121, 7u131, and 6u141.

最新Java全栈就业实战课程(免费)

springcloud分布式电商秒杀实战课程

IDEA永久激活

66套java实战课程无套路领取

锋哥开始收Java学员啦！

Python学习路线图

JDK 11 Documentation - Java Core Libraries Developer Guide P

Java1234官方群25：
Java1234官方群25：	838462530