Is your feature request related to a problem? Please describe.
When Dubbo class serialization security check is enabled:
Dubbo Serialization Fury keeps running into an exception during deserialization, indicating that it is not in the serialization allowlist.
After debugging, the reason for this exception is that the FuryCheckerListener#notifyPrefix method calls AllowListChecker without adding `*` to the allowedList, and Fury AllowListChecker uses the suffix character `*` to determine whether it is a prefix match or an exact match.
For example, for DTO `io.github.playground.server.model.User`, the allowedList finally parsed by the dubbo security mechanism, `io.github.playground`, is added to AllowListChecker through FuryCheckerListener and saved in allowList instead of allowListPrefix.
Describe the solution you'd like
FuryCheckerListener adapts to AllowListChecker by appending the suffix character `*`.
Additional context
dubbo: 3.2
dubbo-serialization-fury: 3.2.0
dubbo security mechanism: https://cn.dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/class-check/
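The mismatch reported above, as an added example that is not part of the original issue and is not Dubbo's or Fury's source: a simplified model of a checker that treats a trailing `*` as a prefix rule, next to an adapter that appends it. The names `PrefixAdapterDemo`, `SuffixAllowList` and `isAllowed` are assumptions made for illustration, and `notifyPrefix` here is a hypothetical stand-in for the listener method named in the issue.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model (assumption, not Fury's code) of a checker where a trailing
// '*' selects prefix matching and any other entry is an exact class name.
public class PrefixAdapterDemo {
    static final class SuffixAllowList {
        private final Set<String> allowList = new HashSet<>();       // exact names
        private final Set<String> allowListPrefix = new HashSet<>(); // package prefixes

        void allowClass(String classNameOrPrefix) {
            if (classNameOrPrefix.endsWith("*")) {
                allowListPrefix.add(
                    classNameOrPrefix.substring(0, classNameOrPrefix.length() - 1));
            } else {
                allowList.add(classNameOrPrefix);
            }
        }

        boolean isAllowed(String className) {
            if (allowList.contains(className)) {
                return true;
            }
            for (String prefix : allowListPrefix) {
                if (className.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }

    // Hypothetical adapter: the caller supplies a bare prefix, so mark it as a
    // prefix rule before handing it on. Leaves an existing '*' untouched.
    static void notifyPrefix(SuffixAllowList checker, String prefix) {
        checker.allowClass(prefix.endsWith("*") ? prefix : prefix + "*");
    }

    public static void main(String[] args) {
        String dto = "io.github.playground.server.model.User";

        SuffixAllowList asReported = new SuffixAllowList();
        asReported.allowClass("io.github.playground"); // lands in the exact-name set
        System.out.println("bare prefix allows DTO:  " + asReported.isAllowed(dto));

        SuffixAllowList adapted = new SuffixAllowList();
        notifyPrefix(adapted, "io.github.playground"); // lands in the prefix set
        System.out.println("with '*' allows DTO:     " + adapted.isAllowed(dto));
    }
}
```

In this model the prefix rule is a plain `startsWith` check, so a prefix without a trailing dot also admits sibling packages whose names merely begin with the same string.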