How to Run JBoss Enterprise Application Platform 6 or 7 with Notsoserial?
Environment
JBoss Enterprise Application Platform (EAP)
- 6.x
- 7.x
Issue
I'd like to run the Notsoserial agent with JBoss Enterprise Application Platform (EAP) 6 or 7. Is it possible to do that with Byteman?
Resolution
- Create a whitelist of classes that are allowed to be deserialized:
For example:
org.infinispan.partitionhandling.AvailabilityMode
java.util.Properties
org.jboss.as.ee.concurrent.handle.SecurityContextHandleFactory$SecuritySetupContextHandle
java.util.Hashtable
org.jboss.as.ee.concurrent.DefaultContextSetupProviderImpl
org.jboss.security.auth.callback.JBossCallbackHandler
java.util.Collections$UnmodifiableCollection
java.net.URI
org.jboss.as.server.DomainServerCommunicationServices
org.infinispan.factories.components.JmxOperationMetadata
org.glassfish.enterprise.concurrent.internal.ContextProxyInvocationHandler
org.infinispan.factories.components.ComponentMetadata$InjectMetadata
[Lorg.infinispan.factories.components.JmxOperationParameter;
org.jboss.security.plugins.JBossSecurityContext
org.infinispan.factories.components.ComponentMetadata
org.jboss.security.plugins.DefaultSecurityManagement
com.sun.el.ValueExpressionImpl
com.sun.el.MethodExpressionImpl
java.util.HashMap
org.jboss.as.ejb3.timerservice.TimerHandleImpl
javax.el.MethodExpression
org.glassfish.enterprise.concurrent.ContextServiceImpl
org.jboss.security.SubjectInfo
org.infinispan.factories.components.ManageableComponentMetadata
org.jboss.msc.service.ServiceName
org.jboss.as.ee.concurrent.ConcurrentContext$ChainedSetupContextHandle
org.jboss.as.server.ServerStartTask
[Ljava.lang.String;
org.infinispan.factories.components.JmxOperationParameter
org.infinispan.factories.components.ComponentMetadata$PrioritizedMethodMetadata
[Lorg.infinispan.factories.components.ComponentMetadata$PrioritizedMethodMetadata;
javax.el.Expression
org.jboss.security.identity.extensions.CredentialIdentityFactory$1
com.sun.el.MethodExpressionLiteral
java.lang.reflect.Proxy
org.jboss.as.ee.concurrent.ContextServiceImpl
org.infinispan.factories.components.JmxAttributeMetadata
org.jboss.dmr.ModelNode
java.util.HashSet
org.jboss.as.ee.concurrent.ServiceTransactionSetupProvider
java.util.Collections$UnmodifiableList
javax.el.ValueExpression
java.lang.StringBuffer
[Lorg.infinispan.factories.components.ComponentMetadata$InjectMetadata;
org.infinispan.commands.write.ValueMatcher
This list was generated by Notsoserial for EAP 7 Beta. To generate your own whitelist, follow the instructions in the Notsoserial README.md.
- Set up the following environment variables:
- BYTEMAN_HOME = Path to Byteman installation.
- NOTSOSERIAL_HOME = Path to Notsoserial installation
- Create the following Byteman rule in $NOTSOSERIAL_HOME/resolveClass.btm to instrument standard Java deserialization:
RULE notsoserial
CLASS ObjectInputStream
METHOD resolveClass
HELPER org.kantega.notsoserial.DefaultNotSoSerial
BIND objectStreamClass:ObjectStreamClass = $1
AT ENTRY
IF true
DO onBeforeResolveClass($1.getName())
ENDRULE
Create the following Byteman rule in $NOTSOSERIAL_HOME/jbossMarshall.btm to instrument JBoss Marshalling deserialization:
RULE notsoserial jboss marshalling
INTERFACE org.jboss.marshalling.ClassResolver
METHOD resolveClass
HELPER org.kantega.notsoserial.DefaultNotSoSerial
BIND name:String = $2
AT ENTRY
IF true
DO onBeforeResolveClass($2)
ENDRULE
- Set up EAP to run with the Byteman agent and Notsoserial installed as a helper class:
Standalone mode:
Append the following line to $JBOSS_HOME/bin/standalone.conf
JAVA_OPTS="$JAVA_OPTS -javaagent:$BYTEMAN_HOME/lib/byteman.jar=script:$NOTSOSERIAL_HOME/resolveClass.btm,script:$NOTSOSERIAL_HOME/jbossMarshall.btm,boot:$BYTEMAN_HOME/lib/byteman.jar,boot:$NOTSOSERIAL_HOME/target/notsoserial-1.0-SNAPSHOT.jar -Dnotsoserial.whitelist=whitelist.txt"
Change the following line in $JBOSS_HOME/bin/standalone.conf:
- JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"
+ JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,org.kantega.notsoserial"
Domain mode:
Add the following lines to your $JBOSS_HOME/domain/configuration/host.xml:
<jvm-options>
<option value="-server"/>
+ <option value="-javaagent:${env.BYTEMAN_HOME}/lib/byteman.jar=script:${env.NOTSOSERIAL_HOME}/resolveClass.btm,script:${env.NOTSOSERIAL_HOME}/jbossMarshall.btm,boot:${env.BYTEMAN_HOME}/lib/byteman.jar,boot:${env.NOTSOSERIAL_HOME}/target/notsoserial-1.0-SNAPSHOT.jar"/>
+ <option value="-Dnotsoserial.whitelist=${env.JBOSS_HOME}/whitelist.txt"/>
</jvm-options>
</jvm>
Change the following line in $JBOSS_HOME/bin/domain.conf:
- JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"
+ JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman,org.kantega.notsoserial"
See also, Using Byteman to troubleshoot Java issues
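The check injected by resolveClass.btm runs once for every class descriptor in the stream, which is why the whitelist contains array names such as [Ljava.lang.String; and why the contents of an allowed container must be listed as well. The following stand-alone Java program is an added example, not Notsoserial or Red Hat code; the WhitelistDemo and CheckedStream names, the exact-match lookup and the three-entry sample whitelist are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

// Added illustration, not Notsoserial code: a whitelist check placed at
// ObjectInputStream.resolveClass, the method that resolveClass.btm instruments.
public class WhitelistDemo {
    // Constructed sample: three entries copied from the example whitelist above.
    static final Set<String> WHITELIST = new HashSet<String>(Arrays.asList(
            "java.util.HashMap", "java.util.HashSet", "[Ljava.lang.String;"));

    static class CheckedStream extends ObjectInputStream {
        CheckedStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Same value the Byteman rule hands to its helper: $1.getName()
            String name = desc.getName();
            if (!WHITELIST.contains(name)) {   // exact match is an assumption
                throw new InvalidClassException(name, "not on whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String tryRead(Object o) throws Exception {
        byte[] data = serialize(o);
        try (ObjectInputStream in = new CheckedStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected " + e.classname;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryRead(new HashMap<String, String>()));  // listed class
        System.out.println(tryRead(new String[] {"a"}));             // array name form
        System.out.println(tryRead(new ArrayList<String>()));        // class not listed
        // Listed container holding an unlisted class: the nested class is checked too.
        System.out.println(tryRead(new HashSet<Object>(Arrays.asList(new Date()))));
    }
}
```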
Root Cause
While it is possible to run Notsoserial directly as an agent, Red Hat does not support the use of third-party agents. Red Hat has more experience instrumenting Java bytecode with the Byteman project, although Byteman is also not supported as a standalone product.
If you do choose to run Notsoserial directly as an agent, you'll have to add instrumentation to the JBoss Marshalling libraries using org.ow2.asm in the source code. JBoss EAP uses both Java Serialization and JBoss Marshalling to deserialize object streams.
We've forked the Notsoserial project and removed the dependency on org.ow2.asm; however, the original project should still work. We recommend using our fork.