JDK-8185539 : Relax RMI Registry Serial Filter to allow arrays of any type
  • Type: CSR
  • Component: core-libs
  • Sub-Component: java.rmi
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 10
  • Submitted: 2017-07-28
  • Updated: 2017-08-16
  • Resolved: 2017-08-16
Related Reports
CSR :  

The RMI Registry filter is relaxed to allow binding arrays of any type. 


The built-in filter applied to the RMI Registry remote methods checks the argument types against a known list of allowed types.
For arrays it checks that the component type is one of the allowed types.  
However, RMI and Serialization considers all arrays to be serializable and it is common for the component type of the array to be a serializable array to be a non-serializable type such as java.lang.Object.
The constraint on the component type is unnecessary and should be removed.  
Developers also considered the build-in limit on the maximum array size to be too small (10000).

The workaround is to override of the built-in filter using the system property `sun.rmi.registry.registryFilter` to allow java.lang.Object or the component type as needed.  The property can be defined on the command line or in the `conf/security/java.security` configuration file.


The RMI Registry built-in serial filter is modified to check only the array size and not the component type. Array sizes greater than the `maxarray` limit will be rejected and otherwise will be allowed.  The description of the `sun.rmi.registry.registryFilter` property will be updated in the `conf/security/java.security` configuration to better describe the default behavior and how to override.
Both the system property sun.rmi.registry.registryFilter and the corresponding java.security property use the same syntax and behavior.

The maximum array size is increased to 1,000,000.  The override filter can be used to decrease the limit but can not raise it so a higher default value provides greater flexibility.

The description of the system property and the java.security property is updated:

    diff  conf/security/java.security 
    --- 949,979 ----
      # RMI Registry Serial Filter
      # The filter pattern uses the same format as jdk.serialFilter.
      # This filter can override the builtin filter if additional types need to be
    ! # allowed or rejected from the RMI Registry or to decrease limits but not
    ! # to increase limits.
    ! # If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected.
    ! #
    ! # Each non-array type is allowed or rejected if it matches one of the patterns,
    ! # evaluated from left to right, and is otherwise allowed. Arrays of any
    ! # component type, including subarrays and arrays of primitives, are allowed.
    ! #
    ! # Array construction of any component type, including subarrays and arrays of
    ! # primitives, are allowed unless the length is greater than the maxarray limit.
    ! # The filter is applied to each array element.
      # Note: This property is currently used by the JDK Reference implementation.
      # It is not guaranteed to be examined and used by other implementations.
    ! # The built-in filter allows subclasses of allowed classes and
    ! # can approximately be represented as the pattern:
    ! #
    ! #sun.rmi.registry.registryFilter=\
    ! #    maxarray=1000000;\
    ! #    maxdepth=20;\
    ! #    java.lang.String;\
    ! #    java.lang.Number;\
    ! #    java.lang.reflect.Proxy;\
    ! #    java.rmi.Remote;\
    ! #    sun.rmi.server.UnicastRef;\
    ! #    sun.rmi.server.RMIClientSocketFactory;\
    ! #    sun.rmi.server.RMIServerSocketFactory;\
    ! #    java.rmi.activation.ActivationID;\
    ! #    java.rmi.server.UID

If Foo objects are so dangerous they cannot be deserialized, I don't see how an array of Foo objects is judged as not of concern.