Dubbo Class Inspection Mechanism

Understand the Dubbo class inspection mechanism

Supported versions

Dubbo >= 3.1.6

Scope of application

Currently, the serialization check supports Hessian2, Fastjson2 serialization and generalized calls. Other serialization methods are not currently supported.

configuration method

1. Check mode

The inspection mode is divided into three levels: STRICT strict inspection, WARN warning, DISABLED disabled. STRICT Strict checks: disallow deserialization of all classes that are not in the allowed serialization list (whitelist). WARN warning: only prohibits serialization of all classes in the disallowed serialization list (blacklist), and alerts through logs when deserializing classes that are not in the allowed serialization list (whitelist). DISABLED Disabled: Do not do any checks.

Version 3.1 defaults to WARN warning level, and version 3.2 defaults to STRICT strict checking level.

Configuration via ApplicationConfig:

ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setSerializeCheckStatus("STRICT");

Configuration via Spring XML:

<dubbo:application name="demo-provider" serialize-check-status="STRICT"/>

Configure via Spring Properties / dubbo.properties:

dubbo.application.serialize-check-status=STRICT

Configure via System Property:

-Ddubbo.application.serialize-check-status=STRICT

After the configuration is successful, you can see the following prompts in the log:

INFO utils.SerializeSecurityManager: [DUBBO] Serialize check level: STRICT

Note: If multiple applications under the same process (Dubbo Framework Model) are configured with different inspection modes at the same time, the “loosenest” level will eventually take effect. If two Spring Contexts are started at the same time, one is configured as STRICT and the other is configured as WARN, the WARN level configuration will finally take effect.

2. Serializable interface check

The Serializable interface check mode is divided into two levels: true is enabled, and false is disabled. When the check is turned on, it will refuse to deserialize all classes that do not implement Serializable.

The default configuration in Dubbo is true to enable the check.

Configuration via ApplicationConfig:

ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setCheckSerializable(true);

Configuration via Spring XML:

<dubbo:application name="demo-provider" check-serializable="true"/>

Configure via Spring Properties / dubbo.properties:

dubbo.application.check-serializable=true

Configure via System Property:

-Ddubbo.application.check-serializable=true

After the configuration is successful, you can see the following prompts in the log:

INFO utils.SerializeSecurityManager: [DUBBO] Serialize check serializable: true

Note 1: If multiple applications under the same process (Dubbo Framework Model) are configured with different Serializable interface inspection modes at the same time, the “loosenest” level will eventually take effect. If two Spring Contexts are started at the same time, one configured as true and the other configured as false, the false level configuration will finally take effect. Note 2: At present, the built-in Serializable check configuration of Hessian2 and Fastjson2 has not been opened. For generalized calls, you only need to configure dubbo.application.check-serializable to modify the check configuration; for Hessian2 serialization, you need to modify dubbo.application.check-serializable and dubbo.hessian.allowNonSerializable at the same time

There are two configuration items in the Dubbo class automatic scanning mechanism: `AutoTrustSerializeClass

To put it simply, after automatic class scanning is enabled, Dubbo will automatically scan all related classes that may be used by the interface through ReferenceConfig and ServiceConfig, and recursively trust its package. `TrustSerializeClassLevel

The default configuration in Dubbo is `AutoTrustSerializeClass

Configuration via ApplicationConfig:

ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setAutoTrustSerializeClass(true);
applicationConfig.setTrustSerializeClassLevel(3);

Configuration via Spring XML:

<dubbo:application name="demo-provider" auto-trust-serialize-class="true" trust-serialize-class-level="3"/>

Configure via Spring Properties / dubbo.properties:

dubbo.application.auto-trust-serialize-class=true
dubbo.application.trust-serialize-class-level=3

Configure via System Property:

-Ddubbo.application.auto-trust-serialize-class=true
-Ddubbo.application.trust-serialize-class-level=3

After the configuration is successful, you can use the QoS command to check whether the results of the currently loaded trusted classes meet expectations.

Note: After the check is enabled, there will be a certain performance loss during the startup process.

4. Custom configuration of trusted/untrusted classes

In addition to Dubbo’s automatic scanning classes, it also supports configuration of trusted/untrusted class lists through resource files.

Configuration method: define the following files under the resource directory (resource).

# security/serialize.allowlist
io.dubbo.test
# security/serialize.blockedlist
io.dubbo.block

After the configuration is successful, you can see the following prompts in the log:

INFO utils.SerializeSecurityConfigurator: [DUBBO] Read serialize allow list from file:/Users/albumen/code/dubbo-integration-cases/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.allowlist
INFO utils.SerializeSecurityConfigurator: [DUBBO] Read serialize blocked list from file:/Users/albumen/code/dubbo-integration-cases/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.blockedlist

The configuration priority is: user-defined trusted class = built-in trusted class of the framework > user-defined untrusted class = built-in untrusted class of the framework > automatic class scanning trusted class.

Audit method

Dubbo supports real-time viewing of current configuration information and trusted/untrusted class lists through QoS commands. Currently supports two commands: serializeCheckStatus to view the current configuration information, serializeWarnedClasses to view the real-time alarm list.

  1. serializeCheckStatus View the current configuration information

Access directly through the console:

> telnet 127.0.0.1 22222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
   ___ __ __ ___ ___ ____
  / _ \ / / / // _ ) / _ ) / __ \
 / // // /_/ // _ |/ _ |/ /_/ /
/____/ \____//____//____/ \____/
dubbo>serializeCheckStatus
CheckStatus: WARN

CheckSerializable: true

AllowedPrefix:
...

DisAllowedPrefix:
...


dubbo>

Request the result in json format via http:

> curl http://127.0.0.1:22222/serializeCheckStatus
{"checkStatus": "WARN","allowedPrefix":[...],"checkSerializable":true,"disAllowedPrefix":[...]}
  1. serializeWarnedClasses view real-time warning list

Access directly through the console:

> telnet 127.0.0.1 22222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
   ___ __ __ ___ ___ ____
  / _ \ / / / // _ ) / _ ) / __ \
 / // // /_/ // _ |/ _ |/ /_/ /
/____/ \____//____//____/ \____/
dubbo>serializeWarnedClasses
Warned Classes:
io.dubbo.test.NotSerializable
io.dubbo.test2.NotSerializable
io.dubbo.test2.OthersSerializable
org.apache.dubbo.samples.NotSerializable


dubbo>

Request the result in json format via http:

> curl http://127.0.0.1:22222/serializeWarnedClasses
{"warnedClasses":["io.dubbo.test2.NotSerializable","org.apache.dubbo.samples.NotSerializable","io.dubbo.test.NotSerializable","io.dubbo.test2.OthersSerializable"]}

Note: It is recommended to pay attention to the result of serializeWarnedClasses in time, and judge whether it is attacked by whether the returned result is not empty.

Last modified December 15, 2023: Update broken links (7b8d601e9f8)