GridGain Developers Hub

Securing Data Deserialization

Serialized data can be abused in deserialization attacks if an attacker finds a way to add malicious classes to the classpath of your cluster nodes. Best practice is to make sure that access to the cluster is protected and granted only to a limited group of people.

However, in case the attacker does break into your deployment environment, GridGain provides the IGNITE_MARSHALLER_WHITELIST and IGNITE_MARSHALLER_BLACKLIST system properties. Each points to a file listing the classes that are allowed (whitelist) or disallowed (blacklist) for deserialization.

IGNITE_MARSHALLER_WHITELIST

To use IGNITE_MARSHALLER_WHITELIST, create a text file listing the fully qualified names of the classes allowed for deserialization, one per line. For example, whitelist.txt would look like so:

ignite.myexamples.model.Address
ignite.myexamples.model.Person
...

Then, set the system property when you run your application, or programmatically before the node is started:

-DIGNITE_MARSHALLER_WHITELIST=path/to/whitelist.txt
System.setProperty(IgniteSystemProperties.IGNITE_MARSHALLER_WHITELIST, "path/to/whitelist.txt");

Substitute path/to/whitelist.txt with the actual path to your whitelist file.

When the IGNITE_MARSHALLER_WHITELIST system property is set, an attempt to deserialize any class not on the whitelist results in an exception:

Exception in thread "main" javax.cache.CacheException: class org.apache.ignite.IgniteCheckedException: Deserialization of class ignite.myexamples.model.Organization is disallowed.
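The whitelist flow end to end, as an added example (not code from the GridGain documentation): it generates the whitelist file from Class objects so the names cannot be mistyped, sets the property before the node starts, and shows a whitelisted class round-tripping while a non-whitelisted one is rejected. It assumes ignite-core on the classpath; the Person and Organization classes are constructed stand-ins for the page's ignite.myexamples.model types.

```java
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.cache.CacheException;
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteCache;
import org.apache.ignite.IgniteSystemProperties;
import org.apache.ignite.Ignition;

public class WhitelistDemo {
    // Constructed model classes standing in for ignite.myexamples.model.Person / Organization.
    public static class Person implements Serializable {
        String name; Person(String name) { this.name = name; }
    }
    public static class Organization implements Serializable {
        String title; Organization(String title) { this.title = title; }
    }

    // Writes one fully qualified class name per line, the format the whitelist file expects.
    static Path writeWhitelist(List<Class<?>> allowed) throws Exception {
        Path file = Files.createTempFile("whitelist", ".txt");
        List<String> names = new ArrayList<>();
        for (Class<?> c : allowed) names.add(c.getName());
        Files.write(file, names);
        return file;
    }

    public static void main(String[] args) throws Exception {
        Path whitelist = writeWhitelist(List.of(Person.class));
        // Must be set before Ignition.start(): the filter is read while the marshaller initializes.
        System.setProperty(IgniteSystemProperties.IGNITE_MARSHALLER_WHITELIST, whitelist.toString());

        try (Ignite ignite = Ignition.start()) {
            IgniteCache<Integer, Object> cache = ignite.getOrCreateCache("demo");

            cache.put(1, new Person("alice"));
            Person p = (Person) cache.get(1);          // whitelisted: deserializes normally
            System.out.println("Person round-trip ok: " + p.name);

            cache.put(2, new Organization("acme"));    // serializing is fine ...
            try {
                cache.get(2);                          // ... deserializing a non-whitelisted class is not
                System.out.println("UNEXPECTED: Organization was deserialized");
            } catch (CacheException e) {
                System.out.println("Blocked as expected: " + e.getMessage());
            }
        }
    }
}
```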

IGNITE_MARSHALLER_BLACKLIST

To use IGNITE_MARSHALLER_BLACKLIST, create a text file listing the fully qualified names of the classes disallowed for deserialization, one per line. For example, blacklist.txt would look like so:

ignite.myexamples.model.SomeFile
ignite.myexamples.model.SomeOtherFile
...

Then, set the system property when you run your application, or programmatically before the node is started:

-DIGNITE_MARSHALLER_BLACKLIST=path/to/blacklist.txt
System.setProperty(IgniteSystemProperties.IGNITE_MARSHALLER_BLACKLIST, "path/to/blacklist.txt");

Substitute path/to/blacklist.txt with the actual path to your blacklist file.

When the IGNITE_MARSHALLER_BLACKLIST system property is set, an attempt to deserialize any class listed in the blacklist results in an exception:

Exception in thread "main" javax.cache.CacheException: class org.apache.ignite.IgniteCheckedException: Deserialization of class ignite.myexamples.model.SomeOtherFile is disallowed.