Dubbo >= 3.1.6
Currently, the serialization check supports Hessian2, Fastjson2 serialization and generalized calls. Other serialization methods are not currently supported.
The inspection mode is divided into three levels: STRICT
strict inspection, WARN
warning, DISABLED
disabled.
STRICT
Strict checks: disallow deserialization of all classes that are not in the allowed serialization list (whitelist).
WARN
warning: only prohibits serialization of all classes in the disallowed serialization list (blacklist), and alerts through logs when deserializing classes that are not in the allowed serialization list (whitelist).
DISABLED
Disabled: Do not do any checks.
Version 3.1 defaults to WARN
warning level, and version 3.2 defaults to STRICT
strict checking level.
Configuration via ApplicationConfig:
ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setSerializeCheckStatus("STRICT");
Configuration via Spring XML:
<dubbo:application name="demo-provider" serialize-check-status="STRICT"/>
Configure via Spring Properties / dubbo.properties:
dubbo.application.serialize-check-status=STRICT
Configure via System Property:
-Ddubbo.application.serialize-check-status=STRICT
After the configuration is successful, you can see the following prompts in the log:
INFO utils.SerializeSecurityManager: [DUBBO] Serialize check level: STRICT
Note: If multiple applications under the same process (Dubbo Framework Model) are configured with different inspection modes at the same time, the “loosenest” level will eventually take effect. If two Spring Contexts are started at the same time, one is configured as STRICT
and the other is configured as WARN
, the WARN
level configuration will finally take effect.
The Serializable interface check mode is divided into two levels: true
is enabled, and false
is disabled. When the check is turned on, it will refuse to deserialize all classes that do not implement Serializable
.
The default configuration in Dubbo is true
to enable the check.
Configuration via ApplicationConfig:
ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setCheckSerializable(true);
Configuration via Spring XML:
<dubbo:application name="demo-provider" check-serializable="true"/>
Configure via Spring Properties / dubbo.properties:
dubbo.application.check-serializable=true
Configure via System Property:
-Ddubbo.application.check-serializable=true
After the configuration is successful, you can see the following prompts in the log:
INFO utils.SerializeSecurityManager: [DUBBO] Serialize check serializable: true
Note 1: If multiple applications under the same process (Dubbo Framework Model) are configured with different Serializable interface inspection modes at the same time, the “loosenest” level will eventually take effect. If two Spring Contexts are started at the same time, one configured as true
and the other configured as false
, the false
level configuration will finally take effect.
Note 2: At present, the built-in Serializable
check configuration of Hessian2 and Fastjson2 has not been opened. For generalized calls, you only need to configure dubbo.application.check-serializable
to modify the check configuration; for Hessian2 serialization, you need to modify dubbo.application.check-serializable
and dubbo.hessian.allowNonSerializable
at the same time
There are two configuration items in the Dubbo class automatic scanning mechanism: `AutoTrustSerializeClass
To put it simply, after automatic class scanning is enabled, Dubbo will automatically scan all related classes that may be used by the interface through ReferenceConfig
and ServiceConfig
, and recursively trust its package. `TrustSerializeClassLevel
The default configuration in Dubbo is `AutoTrustSerializeClass
Configuration via ApplicationConfig:
ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setAutoTrustSerializeClass(true);
applicationConfig.setTrustSerializeClassLevel(3);
Configuration via Spring XML:
<dubbo:application name="demo-provider" auto-trust-serialize-class="true" trust-serialize-class-level="3"/>
Configure via Spring Properties / dubbo.properties:
dubbo.application.auto-trust-serialize-class=true
dubbo.application.trust-serialize-class-level=3
Configure via System Property:
-Ddubbo.application.auto-trust-serialize-class=true
-Ddubbo.application.trust-serialize-class-level=3
After the configuration is successful, you can use the QoS command to check whether the results of the currently loaded trusted classes meet expectations.
Note: After the check is enabled, there will be a certain performance loss during the startup process.
In addition to Dubbo’s automatic scanning classes, it also supports configuration of trusted/untrusted class lists through resource files.
Configuration method: define the following files under the resource directory (resource).
# security/serialize.allowlist
io.dubbo.test
# security/serialize.blockedlist
io.dubbo.block
After the configuration is successful, you can see the following prompts in the log:
INFO utils.SerializeSecurityConfigurator: [DUBBO] Read serialize allow list from file:/Users/albumen/code/dubbo-integration-cases/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.allowlist
INFO utils.SerializeSecurityConfigurator: [DUBBO] Read serialize blocked list from file:/Users/albumen/code/dubbo-integration-cases/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.blockedlist
The configuration priority is: user-defined trusted class = built-in trusted class of the framework > user-defined untrusted class = built-in untrusted class of the framework > automatic class scanning trusted class.
Dubbo supports real-time viewing of current configuration information and trusted/untrusted class lists through QoS commands. Currently supports two commands: serializeCheckStatus
to view the current configuration information, serializeWarnedClasses
to view the real-time alarm list.
serializeCheckStatus
View the current configuration informationAccess directly through the console:
> telnet 127.0.0.1 22222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
___ __ __ ___ ___ ____
/ _ \ / / / // _ ) / _ ) / __ \
/ // // /_/ // _ |/ _ |/ /_/ /
/____/ \____//____//____/ \____/
dubbo>serializeCheckStatus
CheckStatus: WARN
CheckSerializable: true
AllowedPrefix:
...
DisAllowedPrefix:
...
dubbo>
Request the result in json format via http:
> curl http://127.0.0.1:22222/serializeCheckStatus
{"checkStatus": "WARN","allowedPrefix":[...],"checkSerializable":true,"disAllowedPrefix":[...]}
serializeWarnedClasses
view real-time warning listAccess directly through the console:
> telnet 127.0.0.1 22222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
___ __ __ ___ ___ ____
/ _ \ / / / // _ ) / _ ) / __ \
/ // // /_/ // _ |/ _ |/ /_/ /
/____/ \____//____//____/ \____/
dubbo>serializeWarnedClasses
Warned Classes:
io.dubbo.test.NotSerializable
io.dubbo.test2.NotSerializable
io.dubbo.test2.OthersSerializable
org.apache.dubbo.samples.NotSerializable
dubbo>
Request the result in json format via http:
> curl http://127.0.0.1:22222/serializeWarnedClasses
{"warnedClasses":["io.dubbo.test2.NotSerializable","org.apache.dubbo.samples.NotSerializable","io.dubbo.test.NotSerializable","io.dubbo.test2.OthersSerializable"]}
Note: It is recommended to pay attention to the result of serializeWarnedClasses
in time, and judge whether it is attacked by whether the returned result is not empty.