Java System Properties
Quick Reference Guide


jdk.serialFilter Java System Property

The jdk.serialFilter Java system property sets a policy that determines which classes may be loaded during Java deserialization.

Overview of jdk.serialFilter

The jdk.serialFilter Java system property defines a set of rules that are applied during Java object deserialization.

As a Security Property

jdk.serialFilter can also be defined as a security property in the java.security file; if it is defined as a system property as well, the system property takes priority over the security property.

Runtime Setting of jdk.serialFilter

It is typically impossible to set jdk.serialFilter at runtime using System.setProperty(), because the value is read early at startup and cached in a static runtime variable. We have found that even setting it from a Java agent is not early enough for the value to be applied. For those reasons you should set it on the command line when starting your application, in the java.security file, or via the JAVA_TOOL_OPTIONS environment variable.

You may instead be able to set the filter at runtime via the setSerialFilter method of the java.io.ObjectInputFilter.Config class:

// requires Java 9+
// "!*" rejects every class; the process-wide filter can only be set once
java.io.ObjectInputFilter filter = java.io.ObjectInputFilter.Config.createFilter("!*");
java.io.ObjectInputFilter.Config.setSerialFilter(filter);

To see the current filter value:

java.io.ObjectInputFilter currentFilter = java.io.ObjectInputFilter.Config.getSerialFilter();
if (currentFilter != null) {
    System.out.println("jdk.serialFilter = " + currentFilter.toString());
} else {
    System.out.println("jdk.serialFilter is null");
}

You can check if it has been set as either a security property or system property using this code:

String serialFilter = System.getProperty("jdk.serialFilter");
if (serialFilter == null) {
    //if not set as a system property the security property would be used
    serialFilter = java.security.Security.getProperty("jdk.serialFilter");
}
if (serialFilter != null) {
    System.out.println("jdk.serialFilter = " + serialFilter);
} else {
    System.out.println("jdk.serialFilter was null");
}

Block all Java Deserialization

Because Java deserialization can be a dangerous process, you can disable it altogether if your Java application does not normally use it:

-Djdk.serialFilter=!*

Example Exception

When the jdk.serialFilter property blocks a Java deserialization you will see an InvalidClassException with the message "filter status: REJECTED". Here's an example stack trace:

java.io.InvalidClassException: filter status: REJECTED
    at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1351)
    at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1996)
    at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1853)
    at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2184)
    at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1670)
    at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:488)
    at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:446)
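The following added example (not part of this guide's original code) ties the Config API above to the exception shown: it builds filters from jdk.serialFilter-style patterns, applies them per stream, and prints whether a constructed sample object is allowed or rejected. The SerialFilterDemo and Note classes are hypothetical; it requires Java 9+.

```java
import java.io.*;
import java.util.Date;

// Added example (Java 9+): applies jdk.serialFilter-style patterns to a stream
// and reports whether each object is ALLOWED or REJECTED.
public class SerialFilterDemo {

    // Hypothetical application class, used only as constructed sample input.
    static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        long id = 42L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under a filter built from the same pattern syntax that
    // jdk.serialFilter accepts. A per-stream filter is used instead of
    // ObjectInputFilter.Config.setSerialFilter so the method can be called
    // repeatedly in one JVM: the process-wide filter may only be set once.
    static String readWithFilter(String pattern, byte[] data) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return "ALLOWED  " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // Same failure -Djdk.serialFilter produces: "filter status: REJECTED"
            return "REJECTED " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "ERROR    " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] date = serialize(new Date(0L));
        byte[] note = serialize(new Note());

        System.out.println(readWithFilter("!*", date));                // block everything
        System.out.println(readWithFilter("java.util.Date;!*", date)); // explicit allow-list
        System.out.println(readWithFilter("java.util.*;!*", note));    // not in allowed package
        System.out.println(readWithFilter("java.util.*;SerialFilterDemo$Note;!*", note));
    }
}
```

Patterns are evaluated left to right and the first match decides, so an allow-list always ends with "!*" to reject anything not named earlier.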

Supported Since

Java has supported the jdk.serialFilter system property since Java 9 (as part of JEP 290); it has also been backported to Java 8.

Setting jdk.serialFilter on Startup

You can set the jdk.serialFilter Java system property when starting the Java runtime using the -D command-line argument:

java -Djdk.serialFilter=value MyAppMain

You may also be able to specify jdk.serialFilter via the JAVA_TOOL_OPTIONS environment variable:

JAVA_TOOL_OPTIONS=-Djdk.serialFilter=value

Setting / Reading jdk.serialFilter at Runtime

You can set jdk.serialFilter at runtime with the following Java code:

System.setProperty("jdk.serialFilter", "value");

WARNING: Depending on the property and JVM version, using setProperty may or may not work if the JDK class that reads this property has already been loaded. The value of the jdk.serialFilter system property may be cached in a private static variable of the implementing class.

To read the value of jdk.serialFilter at runtime, you can use this Java code:

String propertyValue = System.getProperty("jdk.serialFilter");
if (propertyValue != null) {
    System.out.println("jdk.serialFilter = " + propertyValue);
} else {
    System.out.println("jdk.serialFilter was null");
}