[ https://issues.apache.org/jira/browse/GEODE-10536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinwoo Hwang updated GEODE-10536:
---------------------------------
    Description: 
*Description:*

Review the new security documentation for HTTP Session Management that 
describes configuring ObjectInputFilter (JEP 290) to protect against 
deserialization vulnerabilities.

*Documentation Location:*
session_security_filter.html.md.erb

*Key Content Areas:*
 # *Overview* - Application-level security using JEP 290 ObjectInputFilter
 # *Security Warning* - Explains risks of unprotected deserialization (RCE, DoS)
 # *Configuration* - Step-by-step setup in web.xml with pattern syntax
 # *Pattern Syntax* - JEP 290 filter patterns (allowlist/denylist rules)
 # *Examples* - Real-world configurations (e-commerce, multi-module apps)
 # *Multi-App Deployments* - Isolated security policies per web application
 # *Best Practices* - Explicit allowlists, default-deny, specific packages
 # *Troubleshooting* - Common issues and solutions
 # *Migration Guide* - Steps for existing applications, backward compatibility

*Review Focus:*
 * Technical accuracy of JEP 290 filter syntax and behavior
 * Clarity of security warnings and best practices
 * Completeness of configuration examples
 * Usefulness of troubleshooting guidance
 * Documentation structure and navigation

*Related PR:* #7966 - GEODE-10535 Secure Session Deserialization

  was:
*Summary:* Review Documentation for HTTP Session Deserialization Security Model 
(ObjectInputFilter)

*Description:*

Please review the new security documentation for HTTP Session Management that 
describes configuring ObjectInputFilter (JEP 290) to protect against 
deserialization vulnerabilities.

*Documentation Location:*
session_security_filter.html.md.erb

*Key Content Areas:*
 # *Overview* - Application-level security using JEP 290 ObjectInputFilter
 # *Security Warning* - Explains risks of unprotected deserialization (RCE, DoS)
 # *Configuration* - Step-by-step setup in web.xml with pattern syntax
 # *Pattern Syntax* - JEP 290 filter patterns (allowlist/denylist rules)
 # *Examples* - Real-world configurations (e-commerce, multi-module apps)
 # *Multi-App Deployments* - Isolated security policies per web application
 # *Best Practices* - Explicit allowlists, default-deny, specific packages
 # *Troubleshooting* - Common issues and solutions
 # *Migration Guide* - Steps for existing applications, backward compatibility

*Review Focus:*
 * Technical accuracy of JEP 290 filter syntax and behavior
 * Clarity of security warnings and best practices
 * Completeness of configuration examples
 * Usefulness of troubleshooting guidance
 * Documentation structure and navigation

*Related PR:* #7966 - GEODE-10535 Secure Session Deserialization


> Review Documentation for HTTP Session Deserialization Security Model 
> (ObjectInputFilter)
> ----------------------------------------------------------------------------------------
>
>                 Key: GEODE-10536
>                 URL: https://issues.apache.org/jira/browse/GEODE-10536
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>
> *Description:*
> Review the new security documentation for HTTP Session Management that 
> describes configuring ObjectInputFilter (JEP 290) to protect against 
> deserialization vulnerabilities.
> *Documentation Location:*
> session_security_filter.html.md.erb
> *Key Content Areas:*
>  # *Overview* - Application-level security using JEP 290 ObjectInputFilter
>  # *Security Warning* - Explains risks of unprotected deserialization (RCE, DoS)
>  # *Configuration* - Step-by-step setup in web.xml with pattern syntax
>  # *Pattern Syntax* - JEP 290 filter patterns (allowlist/denylist rules)
>  # *Examples* - Real-world configurations (e-commerce, multi-module apps)
>  # *Multi-App Deployments* - Isolated security policies per web application
>  # *Best Practices* - Explicit allowlists, default-deny, specific packages
>  # *Troubleshooting* - Common issues and solutions
>  # *Migration Guide* - Steps for existing applications, backward compatibility
> *Review Focus:*
>  * Technical accuracy of JEP 290 filter syntax and behavior
>  * Clarity of security warnings and best practices
>  * Completeness of configuration examples
>  * Usefulness of troubleshooting guidance
>  * Documentation structure and navigation
> *Related PR:* #7966 - GEODE-10535 Secure Session Deserialization
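
An added example, not code from the Geode documentation or PR #7966, showing how a JEP 290 pattern string of the kind the Pattern Syntax and Best Practices sections describe behaves when installed on a stream: an in-package type is accepted and an unlisted class is rejected before it is instantiated. The package name, the CartItem type and the pattern string are assumptions made for the illustration.

```java
package com.example.shop;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class Jep290FilterDemo {
    // Constructed session-attribute type (assumption); its binary name
    // com.example.shop.Jep290FilterDemo$CartItem matches com.example.shop.**
    public static class CartItem implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        CartItem(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    // Pattern in JEP 290 syntax: bound nesting depth, allow only the app's own
    // package, and reject everything else (default-deny). First match wins.
    static final String PATTERN = "maxdepth=8;com.example.shop.**;!*";

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Install the filter on this stream only; the same pattern string could
    // also be applied JVM-wide through the jdk.serialFilter system property.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        CartItem item = (CartItem) deserialize(serialize(new CartItem("SKU-1", 2)), filter);
        System.out.println("allowed: " + item.sku + " x" + item.qty);
        try {
            // java.math.BigInteger is Serializable but not on the allowlist, so !* applies.
            deserialize(serialize(new java.math.BigInteger("42")), filter);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```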



--
This message was sent by Atlassian Jira
(v8.20.10#820010)