Java deserialization

Deserialization is the process of rebuilding a Java object from a serialized data stream. The Open Web Application Security Project (OWASP) lists insecure deserialization among its top ten security risks for web applications: an attacker who controls the stream chooses which classes are instantiated, and certain library classes ("gadgets") run attacker-influenced code while they are being deserialized. Pega Platform protects against this vulnerability by using the serialization filtering support built into the JDK.

In Pega Platform, a global deserialization filter checks every class in an incoming stream against a list of blocked classes that are not allowed to be deserialized, and against an allow list to which known internal Pega classes are added. You can add classes of your own to the global deserialization filter. If the filter flags a data stream as invalid, a security event is written to the security event log and the stream is not deserialized.

By default, the filter blocks the following classes:
  • com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
  • org.apache.commons.collections.functors.InvokerTransformer
  • org.apache.commons.collections.functors.InstantiateTransformer
  • org.apache.commons.collections4.functors.InvokerTransformer
  • org.apache.commons.collections4.functors.InstantiateTransformer
  • org.apache.xalan.xsltc.trax.TemplatesImpl
  • org.codehaus.groovy.runtime.ConvertedClosure
  • org.codehaus.groovy.runtime.MethodClosure
  • org.springframework.beans.factory.ObjectFactory
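The following program is an added example, not Pega Platform code, showing how the same block list, an allow list, and a rejection log line can be built with the JDK's own serialization filter (java.io.ObjectInputFilter, available since Java 9). The application package com.example.app, the resource limits, and the stderr "security event" line are assumptions chosen for the demo; Pega's real filter, allow list and event log format are not shown here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Hypothetical application package trusted for deserialization (assumption).
    private static final String APP_PACKAGE = "com.example.app.**";

    // The block list from the page, in JEP 290 pattern syntax. Patterns are
    // evaluated in order and the first match wins: explicit rejects ("!") come
    // first, then the allowed packages, then "!*" rejects everything else, so
    // an unknown gadget class is denied even though it is not on the block list.
    private static final String PATTERN = String.join(";",
            "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
            "!org.apache.commons.collections.functors.InvokerTransformer",
            "!org.apache.commons.collections.functors.InstantiateTransformer",
            "!org.apache.commons.collections4.functors.InvokerTransformer",
            "!org.apache.commons.collections4.functors.InstantiateTransformer",
            "!org.apache.xalan.xsltc.trax.TemplatesImpl",
            "!org.codehaus.groovy.runtime.ConvertedClosure",
            "!org.codehaus.groovy.runtime.MethodClosure",
            "!org.springframework.beans.factory.ObjectFactory",
            "maxdepth=20",        // resource limits (assumed values) stop nested payloads
            "maxarray=100000",
            "java.base/*",        // core JDK types: String, ArrayList, HashMap, ...
            APP_PACKAGE,
            "!*");

    private static final ObjectInputFilter BASE_FILTER =
            ObjectInputFilter.Config.createFilter(PATTERN);

    // Wrap the pattern filter so that a rejection is recorded as a security
    // event (a stderr line here stands in for a real security event log).
    static final ObjectInputFilter FILTER = info -> {
        ObjectInputFilter.Status status = BASE_FILTER.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            System.err.println("SECURITY EVENT: deserialization rejected, class="
                    + info.serialClass() + " depth=" + info.depth()
                    + " arrayLength=" + info.arrayLength());
        }
        return status;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached. A rejected class raises
    // InvalidClassException before its readObject/readResolve code can run.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // A Serializable class outside the allowed packages; it stands in for a
    // gadget class that is not on the block list.
    static final class Unlisted implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "x";
    }

    public static void main(String[] args) throws Exception {
        // java.base types pass the allow list.
        List<String> ok = new ArrayList<>(List.of("alpha", "beta"));
        System.out.println("allowed: " + readFiltered(serialize(ok)));

        // Anything else is rejected by the trailing "!*" before it is instantiated.
        try {
            readFiltered(serialize(new Unlisted()));
            System.out.println("BUG: Unlisted was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two points worth checking in your own filter: the trailing "!*" is what turns a block list into a deny-by-default allow list, and without it any gadget class not named on the list is still accepted; and the filter must be set on the ObjectInputStream (or installed globally with the jdk.serialFilter property) before readObject is called, since the check runs as each class descriptor is read.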