jdk.serialFilter
The jdk.serialFilter Java system property defines a set of rules (a filter) that are applied during Java object deserialization. jdk.serialFilter can also be defined as a security property in the java.security file, but if it is defined as a system property, that value takes priority over the security property.

It is typically impossible to set jdk.serialFilter at runtime using System.setProperty(), because it is read early and cached in a static runtime variable upon startup. We have found that even when attempting to set this in a Java agent, it is not early enough to apply the value. For those reasons you should set it on the command line when starting your application, in the java.security file (as a security property), or using the JAVA_TOOL_OPTIONS environment variable.
You may instead be able to set the filter via the setSerialFilter method of the java.io.ObjectInputFilter.Config class. Note that setSerialFilter can be called only once per JVM and throws an IllegalStateException if a filter has already been set, including one configured through the jdk.serialFilter property.

// requires Java 9+
java.io.ObjectInputFilter filter = java.io.ObjectInputFilter.Config.createFilter("!*");
java.io.ObjectInputFilter.Config.setSerialFilter(filter);
To see the current filter value:

java.io.ObjectInputFilter currentFilter = java.io.ObjectInputFilter.Config.getSerialFilter();
if (currentFilter != null) {
    System.out.println("jdk.serialFilter = " + currentFilter.toString());
} else {
    System.out.println("jdk.serialFilter is null");
}
You can check whether it has been set as either a security property or a system property using this code:

String serialFilter = System.getProperty("jdk.serialFilter");
if (serialFilter == null) {
    // if not set as a system property, the security property is used
    serialFilter = java.security.Security.getProperty("jdk.serialFilter");
}
if (serialFilter != null) {
    System.out.println("jdk.serialFilter = " + serialFilter);
} else {
    System.out.println("jdk.serialFilter was null");
}
Because Java deserialization can be a dangerous process, you can disable it altogether if your Java application does not normally use it (in an interactive bash shell, quote the value, since ! triggers history expansion):

-Djdk.serialFilter=!*
When the jdk.serialFilter property blocks a Java deserialization you will see an InvalidClassException with the message "filter status: REJECTED". Here's an example stack trace:

java.io.InvalidClassException: filter status: REJECTED
    at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1351)
    at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1996)
    at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1853)
    at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2184)
    at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1670)
    at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:488)
    at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:446)
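The following is an added example (not code from the original page) that ties together the programmatic Config.setSerialFilter path and the REJECTED behaviour described above. It installs an allowlist as the process-wide filter only when nothing was configured via -Djdk.serialFilter or java.security, so the once-only setSerialFilter call cannot throw, then deserializes one stream that the filter accepts and one that it rejects. The class name SerialFilterDemo and the allowlist pattern are constructed for this example; the pattern syntax (maxdepth, maxarray, class names, trailing !*) is the standard jdk.serialFilter syntax.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example: install a process-wide deserialization allowlist if none was configured
 * externally, then show one accepted and one rejected deserialization.
 * Requires Java 9+ (java.io.ObjectInputFilter).
 */
public class SerialFilterDemo {

    // Constructed allowlist in the same pattern syntax accepted by -Djdk.serialFilter.
    // Resource limits (maxdepth, maxarray) are checked first; class patterns are tried in
    // order and the trailing "!*" rejects every class not listed before it.
    static final String ALLOW_LIST_PATTERN =
            "maxdepth=5;maxarray=1000;java.util.ArrayList;java.lang.Integer;java.lang.Number;!*";

    /**
     * Sets the process-wide filter only if none was set via -Djdk.serialFilter or the
     * java.security file. Config.setSerialFilter may be called once per JVM and throws
     * IllegalStateException if a filter already exists, so the null check avoids that.
     * Returns the filter that is actually in effect.
     */
    static ObjectInputFilter installFilterIfAbsent(String pattern) {
        ObjectInputFilter current = ObjectInputFilter.Config.getSerialFilter();
        if (current != null) {
            return current; // an externally configured filter wins; do not try to override it
        }
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        ObjectInputFilter.Config.setSerialFilter(filter);
        return filter;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** A plain ObjectInputStream: the process-wide filter applies with no extra code. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter effective = installFilterIfAbsent(ALLOW_LIST_PATTERN);
        System.out.println("effective filter: " + effective);

        // Every class descriptor in this stream (ArrayList, Integer and its serializable
        // superclass Number) matches an allow pattern, so readObject succeeds.
        List<Integer> allowed = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("accepted: " + deserialize(serialize(allowed)));

        // java.util.HashMap matches only the trailing "!*": the very first class descriptor
        // is rejected, before any field data or nested objects are read.
        Map<String, String> blocked = new HashMap<>();
        blocked.put("k", "v");
        try {
            deserialize(serialize(blocked));
            System.out.println("HashMap accepted: a more permissive external filter is in effect");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

Run it with no -Djdk.serialFilter to see the allowlist installed by the code; run it with -Djdk.serialFilter=!* and the ArrayList read fails as well, which is the point of the null check: a filter supplied on the command line or in java.security is already in place before main() runs and cannot be replaced from code.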
Java has supported the jdk.serialFilter system property since Java 9 (as part of JEP 290), and it has also been backported to Java 8.
jdk.serialFilter on Startup
You can set the jdk.serialFilter Java system property during startup of the Java runtime using the -D command line argument:
java -Djdk.serialFilter=value MyAppMain
You may also be able to specify jdk.serialFilter via the JAVA_TOOL_OPTIONS environment variable:
JAVA_TOOL_OPTIONS=-Djdk.serialFilter=value
jdk.serialFilter at Runtime
You can set jdk.serialFilter at runtime with the following Java code:
System.setProperty("jdk.serialFilter", "value");
WARNING: Depending on the property and JVM version, using System.setProperty() may or may not work if the JDK class that reads this property has already been loaded. The value of the jdk.serialFilter system property may be cached in a private static variable of the implementing class; as noted above, jdk.serialFilter is read and cached at startup, so this approach usually does not take effect for it.
To read the value of jdk.serialFilter at runtime, you can use this Java code:

String propertyValue = System.getProperty("jdk.serialFilter");
if (propertyValue != null) {
    System.out.println("jdk.serialFilter = " + propertyValue);
} else {
    System.out.println("jdk.serialFilter was null");
}