

Core-libs/java.io:serialization ➜ JDK Flight Recorder Event for Deserialization

It is now possible to monitor deserialization of objects using JDK Flight Recorder (JFR). When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named jdk.Deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism; see the ObjectInputFilter specification. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object.

For further information about how to use the JFR deserialization event, see the article Monitoring Deserialization to Improve Application Security. For reference information about using and configuring JFR, see the JFR Runtime Guide and JFR Command Reference sections of the JDK Mission Control documentation.

Security-libs/security ➜ Disabled SHA-1 Signed JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR.
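As an added example (not code from the release note or from the JDK documentation) of the jdk.Deserialization event together with a serialization filter: the program below serializes a constructed sample class, deserializes it once under an allow-list filter and once under a filter that rejects it, records both attempts with the event enabled through the jdk.jfr.Recording API, and then dumps every field of each recorded event. The class name DeserializationMonitor, the Greeting sample type and the filter patterns are this example's own; it assumes a JDK that ships the jdk.Deserialization event (the release this note describes or later).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

public class DeserializationMonitor {

    // Constructed sample type for this example only; not a JDK class.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a per-stream filter; the JDK emits one
    // jdk.Deserialization event per class encountered in the stream.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Greeting("hello"));

        // Allow-list: the sample class plus java.base; everything else rejected.
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                "DeserializationMonitor$Greeting;java.base/*;!*");
        // Same filter with the sample class explicitly rejected.
        ObjectInputFilter deny = ObjectInputFilter.Config.createFilter(
                "!DeserializationMonitor$Greeting;java.base/*;!*");

        try (Recording rec = new Recording()) {
            // The event is disabled by default, so enable it explicitly;
            // the stack trace shows where in the program the deserialization happened.
            rec.enable("jdk.Deserialization").withStackTrace();
            rec.start();

            Object ok = deserialize(payload, allow);
            System.out.println("accepted: " + ((Greeting) ok).text);

            try {
                deserialize(payload, deny);
            } catch (InvalidClassException e) {
                // ObjectInputStream throws InvalidClassException when the filter rejects a class.
                System.out.println("rejected: " + e.getMessage());
            }

            rec.stop();
            Path dump = Files.createTempFile("deserialization", ".jfr");
            rec.dump(dump);

            // Print every field of each recorded event, including the filter outcome.
            for (RecordedEvent e : RecordingFile.readAllEvents(dump)) {
                System.out.println(e.getEventType().getName());
                e.getFields().forEach(f -> {
                    Object value = e.getValue(f.getName());
                    System.out.println("  " + f.getName() + " = " + value);
                });
            }
            Files.deleteIfExists(dump);
        }
    }
}
```

Run it with `java DeserializationMonitor.java`. The second attempt fails with an InvalidClassException, and the recorded events for it carry the filter's rejection status, which is the signal a detection pipeline would forward; in production the same event can be enabled in the JFR settings file or with `-XX:StartFlightRecording` rather than from the Recording API.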
