The Serialization Info screen

The Server Tools Serialization Info screen (under Info Pages) shows, for any specific server in the cluster, the entire set of Java classes deserialized by that server instance. The screen has an optional filter checkbox, Including listed in the serialization whitelist classes, that controls which classes appear in the list:

  • Checking this box means that the list includes the names of all Java classes the local server has encountered and deserialized, including those that are already on the serialization whitelist (the permitted list).
  • Unchecking this box means that the list includes only the names of deserialized classes that are not on the serialization whitelist. Guidewire recommends that you add these classes to the serialization whitelist. After you have whitelisted all of them, this listing is empty.

Enabling object deserialization

The configuration parameter SerializationWhitelistEnabled in config.xml determines whether PolicyCenter permits only Java classes on the serialization whitelist to be deserialized. Before you enable the whitelist, first add any additional types your customizations need. Most often these are batch processes that accept custom objects as arguments: such objects must be serialized when the batch process is invoked from a server other than the one with the batch role. If you do not add these classes to the whitelist, the services that rely on them may not function properly.

The black and white serialization lists

In Guidewire Studio, you can access the serialization blacklist and whitelist in the following location:

configuration > config > security

To blacklist a Java class, add an entry in serialization-blacklist.lst in that folder. To whitelist a Java class, add an entry in serialization-whitelist.lst in that folder.

When making entries in these files, use the following syntax:

  • Place a # symbol at the beginning of a line to indicate that the line is a comment.
  • Use a separate line for each class or package name, for example, gw.api.myPackage.*.
  • Do not place the * wildcard in the middle of a class or package name; it may only appear as the final segment. For example, do not do the following:
    #Incorrect example
    gw.api.*.myClass
  • Use blank lines and leading spaces as desired to enhance readability of the file.

CVE-2018-8088

About this task

Due to an issue in org.slf4j:slf4j-ext version 1.7.5, described at https://nvd.nist.gov/vuln/detail/CVE-2018-8088, Guidewire recommends that you explicitly blacklist the affected class so that the server never deserializes it.

Procedure

  1. In Guidewire Studio, navigate to the following location:
    • Configuration > config > security
  2. Open the following file for editing:
    • serialization-blacklist.lst
  3. Add the following text to this file on its own line:
    • org.slf4j.ext.EventData
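As an added example that is not Guidewire code, the following Python ties together the list-file syntax rules given above and this blacklist entry: it parses serialization-*.lst files using that syntax (comments, blank lines, leading spaces, exact class names, and a trailing package wildcard), rejects an entry with * in the middle of a name, reports which observed classes are missing from the whitelist (the view the Serialization Info screen gives with its filter unchecked), and evaluates a class name according to whether SerializationWhitelistEnabled is on. The file contents are constructed. Two behaviours are assumptions, not something this page documents: the blacklist takes precedence over the whitelist, and a package wildcard also covers subpackages.

```python
"""Parse Guidewire-style serialization list files and evaluate class names.

Added example, not Guidewire code. File contents below are constructed.
Assumptions (not documented on the page): the blacklist wins over the
whitelist, and 'pkg.*' also matches classes in subpackages of pkg.
"""
import re

# Constructed sample whitelist, following the documented syntax rules.
WHITELIST_LST = """\
# Classes our custom batch processes pass as arguments
  gw.api.myPackage.*

com.example.batch.ClaimSummaryRequest
"""

# Constructed sample blacklist carrying the CVE-2018-8088 entry.
BLACKLIST_LST = """\
# CVE-2018-8088: slf4j-ext EventData
org.slf4j.ext.EventData
"""

# A well-formed entry is dotted Java identifiers, optionally ending in '.*'.
_ENTRY_RE = re.compile(r"^([A-Za-z_$][\w$]*\.)*([A-Za-z_$][\w$]*|\*)$")


def parse_list(text):
    """Return (exact_class_names, package_prefixes) from list-file text.

    Raises ValueError for a '*' that is not the final segment, e.g.
    'gw.api.*.myClass', which the documentation forbids.
    """
    exact, prefixes = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                  # leading spaces are permitted
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        if not _ENTRY_RE.match(line):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        if line.endswith(".*"):
            prefixes.add(line[:-1])         # keep the trailing dot
        else:
            exact.add(line)
    return exact, prefixes


def is_well_formed(text):
    """True when every entry in the file text parses."""
    try:
        parse_list(text)
        return True
    except ValueError:
        return False


def matches(class_name, rules):
    """True when class_name is listed exactly or falls under a wildcard."""
    exact, prefixes = rules
    return class_name in exact or any(class_name.startswith(p) for p in prefixes)


def unlisted_classes(seen_class_names, whitelist):
    """Classes the server deserialized that are not on the whitelist."""
    return sorted(c for c in set(seen_class_names) if not matches(c, whitelist))


def deserialization_verdict(class_name, whitelist, blacklist, whitelist_enabled):
    """Decide whether a class may be deserialized under the given lists."""
    if matches(class_name, blacklist):          # assumption: blacklist wins
        return "denied: blacklisted"
    if not whitelist_enabled:
        return "allowed: whitelist disabled"
    if matches(class_name, whitelist):
        return "allowed: whitelisted"
    return "denied: not on whitelist"


if __name__ == "__main__":
    wl, bl = parse_list(WHITELIST_LST), parse_list(BLACKLIST_LST)
    observed = ["gw.api.myPackage.Foo", "com.example.Other", "org.slf4j.ext.EventData"]
    print("missing from whitelist:", unlisted_classes(observed, wl))
    for name in observed:
        print(name, "->", deserialization_verdict(name, wl, bl, True))
```

Running the script lists com.example.Other and org.slf4j.ext.EventData as the classes to review before turning SerializationWhitelistEnabled on, and shows EventData denied regardless of the whitelist because of the blacklist entry.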