Jinwoo Hwang created GEODE-10536:
------------------------------------

             Summary: Review Documentation for HTTP Session Deserialization Security Model (ObjectInputFilter)
                 Key: GEODE-10536
                 URL: https://issues.apache.org/jira/browse/GEODE-10536
             Project: Geode
          Issue Type: Improvement
            Reporter: Jinwoo Hwang


*Summary:* Review Documentation for HTTP Session Deserialization Security Model (ObjectInputFilter)

*Description:*

Please review the new security documentation for HTTP Session Management, which 
describes configuring an ObjectInputFilter (JEP 290) so that HTTP session attributes 
are deserialized only from an explicit allowlist of classes, protecting against 
deserialization vulnerabilities.

*Documentation Location:*
session_security_filter.html.md.erb

*Key Content Areas:*
 # *Overview* - Application-level security using JEP 290 ObjectInputFilter
 # *Security Warning* - Explains risks of unprotected deserialization (RCE, DoS)
 # *Configuration* - Step-by-step setup in web.xml with pattern syntax
 # *Pattern Syntax* - JEP 290 filter patterns (allowlist/denylist rules)
 # *Examples* - Real-world configurations (e-commerce, multi-module apps)
 # *Multi-App Deployments* - Isolated security policies per web application
 # *Best Practices* - Explicit allowlists, default-deny, specific packages
 # *Troubleshooting* - Common issues and solutions
 # *Migration Guide* - Steps for existing applications, backward compatibility
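
The allowlist-with-default-deny model the documentation describes, as an added example that is not the Geode documentation's or the PR's own code: it builds a JEP 290 filter from a pattern string and installs it on an ObjectInputStream directly, whereas the documentation configures the same kind of pattern through web.xml. The package com.example.session and the NotOnAllowlist class are constructed for this example.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

/** Added example: a JEP 290 allowlist with a default-deny tail, applied while deserializing. */
public class SessionFilterDemo {

    // Patterns are matched left to right; the first match decides.
    //   java.lang.*            -> classes directly in java.lang (String, Integer, ...)
    //   java.util.*            -> classes directly in java.util (ArrayList, HashMap, ...)
    //   com.example.session.** -> the app's own attribute types, subpackages included
    //                             (hypothetical package name)
    //   maxdepth=10            -> reject object graphs nested deeper than 10 levels
    //   !*                     -> everything not matched above is REJECTED (default deny)
    static final String PATTERN =
            "java.lang.*;java.util.*;com.example.session.**;maxdepth=10;!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // The filter must be installed on the stream before readObject() is called.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Constructed stand-in for a session attribute type that is not on the allowlist.
    static final class NotOnAllowlist implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        List<String> attributes = new ArrayList<>(List.of("cart=42", "locale=en"));
        System.out.println("allowed:  " + deserializeFiltered(serialize(attributes)));
        try {
            deserializeFiltered(serialize(new NotOnAllowlist()));
        } catch (InvalidClassException e) {
            // ObjectInputStream reports the rejection as "filter status: REJECTED"
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Swapping the trailing `!*` for nothing turns the filter into a denylist of whatever you explicitly negate, which is why the Best Practices section insists on keeping the default-deny tail.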

*Review Focus:*
 * Technical accuracy of JEP 290 filter syntax and behavior
 * Clarity of security warnings and best practices
 * Completeness of configuration examples
 * Usefulness of troubleshooting guidance
 * Documentation structure and navigation

*Related PR:* #7966 - GEODE-10535 Secure Session Deserialization



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to