Monday, November 23, 2015

Re: Java Deserialization Vulnerability

Thanks Lars for the clarification. Looks like a bad plan to fix all broken implementations using ObjectInputStream and better remove it completely in a GWT-RPC environment.

You can use Java serialization just fine as long as you can be sure no one has modified your serialized data and that the data has actually been produced by your app. A digital signature would solve that.

-- J.

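An added example (not code from the thread or from GWT) of the approach J. describes: the app signs the serialized bytes, and the receiver verifies the signature before any byte reaches ObjectInputStream. It assumes Java 9+ (for readAllBytes), an RSA key pair whose private key stays with the producing side, and a constructed wire format of length-prefixed signature followed by the payload.

```java
import java.io.*;
import java.security.*;

// Sign the serialized bytes and verify the signature before any byte reaches
// ObjectInputStream, so tampered or foreign payloads are rejected unparsed.
public class SignedSerialization {
    private static final String ALG = "SHA256withRSA";
    // Wire format (constructed for this example): [int sigLen][sig][payload]
    public static byte[] serializeAndSign(Serializable obj, PrivateKey key) throws Exception {
        ByteArrayOutputStream payload = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(payload)) {
            oos.writeObject(obj);
        }
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(key);
        signer.update(payload.toByteArray());
        byte[] sig = signer.sign();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(out);
        dos.writeInt(sig.length);
        dos.write(sig);
        dos.write(payload.toByteArray());
        dos.flush();
        return out.toByteArray();
    }
    public static Object verifyAndDeserialize(byte[] blob, PublicKey key) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(blob));
        int sigLen = in.readInt();
        if (sigLen <= 0 || sigLen > 1024) throw new SecurityException("bad signature length");
        byte[] sig = new byte[sigLen];
        in.readFully(sig);
        byte[] payload = in.readAllBytes(); // Java 9+
        Signature verifier = Signature.getInstance(ALG);
        verifier.initVerify(key);
        verifier.update(payload);
        if (!verifier.verify(sig)) throw new SecurityException("signature mismatch, refusing to deserialize");
        // Only verified, app-produced bytes are ever handed to ObjectInputStream.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] blob = serializeAndSign("hello from the app", kp.getPrivate());
        System.out.println(verifyAndDeserialize(blob, kp.getPublic()));
        blob[blob.length - 1] ^= 0x01; // tamper with one payload byte
        try { verifyAndDeserialize(blob, kp.getPublic()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

This only helps when the signing key is not available to whoever supplies the data; a client that can produce valid signatures can still feed arbitrary object graphs to the deserializer.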
