我的书签
添加书签
移除书签Serialization Security Audit
Serialization Security Audit
Dubbo supports real-time viewing of current configuration information and the list of trusted/untrusted classes through QoS commands. Currently, two commands are supported: serializeCheckStatus to view current configuration information, and serializeWarnedClasses to view the real-time warning list.
serializeCheckStatus Command
Access directly through the console:
> telnet 127.0.0.1 22222Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.___ __ __ ___ ___ ____/ _ \ / / / // _ ) / _ ) / __ \/ // // /_/ // _ |/ _ |/ /_/ //____/ \____//____//____/ \____/dubbo>serializeCheckStatusCheckStatus: WARNCheckSerializable: trueAllowedPrefix:...DisAllowedPrefix:...dubbo>
By HTTP request for JSON format results:
> curl http://127.0.0.1:22222/serializeCheckStatus{"checkStatus":"WARN","allowedPrefix":[...],"checkSerializable":true,"disAllowedPrefix":[...]}
serializeWarnedClasses Command
Access directly through the console:
> telnet 127.0.0.1 22222Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.___ __ __ ___ ___ ____/ _ \ / / / // _ ) / _ ) / __ \/ // // /_/ // _ |/ _ |/ /_/ //____/ \____//____//____/ \____/dubbo>serializeWarnedClassesWarnedClasses:io.dubbo.test.NotSerializableio.dubbo.test2.NotSerializableio.dubbo.test2.OthersSerializableorg.apache.dubbo.samples.NotSerializabledubbo>
By HTTP request for JSON format results:
> curl http://127.0.0.1:22222/serializeWarnedClasses{"warnedClasses":["io.dubbo.test2.NotSerializable","org.apache.dubbo.samples.NotSerializable","io.dubbo.test.NotSerializable","io.dubbo.test2.OthersSerializable"]}
Note
It is recommended to pay attention to the results of serializeWarnedClasses promptly and determine if an attack is occurring by checking whether the returned result is non-empty.
Feedback
Was this page helpful?
Yes No
Last modified September 30, 2024: Update & Translate Overview Docs (#3040) (d37ebceaea7)
