Quality Outreach Heads-up - JDK 20: JMX Connections Use an ObjectInputFilter by Default
David Delabassee on February 20, 2023
The OpenJDK Quality Group is promoting the testing of FOSS projects with OpenJDK builds as a way to improve the overall quality of the release. This heads-up is part of a regular communication sent to the projects involved. To learn more about the program, and how to join, please check here.
JDK 20 - JMX Connections Use an ObjectInputFilter by Default
The default JMX agent now sets an ObjectInputFilter on the RMI connection to restrict the types that the server will deserialize. This should not affect normal usage of the MBeans in the JDK. Applications which register their own MBeans in the platform MBeanServer may need to extend the serialization filter to support any additional types that their custom MBeans accept as parameters. The default filter already covers any type that OpenMBeans and MXBeans might use.
The serialization filter pattern is set in JDK/conf/management/management.properties using the property com.sun.management.jmxremote.serial.filter.pattern. If additional Java types need to be passed, the default can be overridden by running with -Dcom.sun.management.jmxremote.serial.filter.pattern=.
Serialization Filtering and the filter pattern format are described in detail in the Core Libraries Guide.
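To check a candidate pattern before deploying it, the following added example (not code from the JDK or from this post) runs a serialized custom parameter type through an ObjectInputFilter built from a pattern string. The class TuningRequest and the BASE pattern are assumptions constructed for illustration; BASE is not the default shipped in management.properties.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class JmxFilterPatternCheck {
    // Hypothetical parameter type accepted by a custom MBean operation.
    static class TuningRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        String pool = "worker";
        int size = 8;
    }

    // Constructed allow-list for illustration; the trailing "!*" rejects
    // every class that no earlier element of the pattern matched.
    static final String BASE =
        "java.lang.*;java.util.*;javax.management.openmbean.*;!*";

    // Serializes value, then reads it back through a filter built from pattern.
    static boolean accepts(String pattern, Object value)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false; // the filter returned REJECTED for a class in the stream
        }
    }

    public static void main(String[] args) throws Exception {
        // Pattern elements are tried left to right, so the extra type
        // must appear before the final "!*".
        String extended = TuningRequest.class.getName() + ";" + BASE;
        System.out.println("base     -> " + accepts(BASE, new TuningRequest()));
        System.out.println("extended -> " + accepts(extended, new TuningRequest()));
    }
}
```

Adding only the exact class names the custom MBeans need, and keeping the final reject-all element, preserves the restriction the default filter is meant to provide.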
For more details, please check JDK-8283093.