Quality Outreach Heads-up - JDK 20: JMX Connections Use an ObjectInputFilter by DefaultDavid Delabassee on February 20, 2023
The OpenJDK Quality Group is promoting the testing of FOSS projects with OpenJDK builds as a way to improve the overall quality of the release. This heads-up is part of a regular communication sent to the projects involved. To learn more about the program, and how-to join, please check here.
JDK 20 - JMX Connections Use an ObjectInputFilter by Default
The default JMX agent now sets an
ObjectInputFilter on the RMI connection to restrict the types that the server will deserialize. This should not affect normal usage of the MBeans in the JDK. Applications which register their own MBeans in the platform
MBeanServer may need to extend the serialization filter to support any additional types that their custom MBeans accept as parameters. The default filter already covers any type that OpenMBeans and MXBeans might use.
The serialization filter pattern is set in
JDK/conf/management/management.properties using the property
com.sun.management.jmxremote.serial.filter.pattern. If additional Java types need to be passed, the default can be overridden by running with
Serialization Filtering and the filter pattern format are described in detail in the Core Libraries Guide.
For more details, please check JDK-8283093.