Peter,

I, along with others within Oracle, am interested in this general
area. We are tied up with other issues at the moment, but I hope to
get this within the next couple of weeks.

-Chris.

On 04/02/16 00:40, Peter Firmstone wrote:
In light of recent examples of gadget deserialization attacks, I believe we 
need an OIS SPI.

While OIS functionality can be overridden, there's no way to ensure this can be 
done for all uses of OIS.

I believe this is necessary for security reasons, to allow Serialization to be 
completely disabled or restricted to only those classes in use by an 
application or reimplemented to allow input validation.

An OIS SPI would be a very simple straightforward solution.

Regards,

Peter Firmstone.

