Configuring the deserialization filter
In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. You can add classes to the global deserialization filter to increase the security of your application: a class on the list is never instantiated from serialized data, so attacker-supplied payloads that rely on it are rejected before they can be used.
In the header of Dev Studio, click.
To add a class to the list of blocked classes, click Add gadget class to blacklist, and enter a class name.
Pega Platform does not deserialize classes that match this class name or pattern. Repeat this step to add multiple class names or patterns. You can use wildcards to specify a pattern for the class names to block.
| Wildcard | Function |
| --- | --- |
| <package name>.** | Match any class in the package and all subpackages. |
| <package name>.* | Match any class in the package. |
| <partial name>* | Match anything that starts with <partial name>. |
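The three pattern forms in the table are the JDK serialization-filter syntax (JEP 290), which Pega Platform builds on. The following is an added example, not Pega's own code: it constructs a reject-only JDK filter from each pattern and round-trips two JDK classes through it, so the difference between the package, package-and-subpackages, and prefix forms can be observed directly. The pattern strings and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.concurrent.atomic.AtomicInteger;

// Added example: applies the blocklist pattern forms with a plain JDK
// ObjectInputFilter. A leading "!" makes a pattern reject; anything no
// pattern matches stays UNDECIDED and is therefore deserialized, which is
// exactly how a blocklist (as opposed to an allowlist) behaves.
public class BlocklistFilterDemo {

    // Serialize a value, then read it back with the given filter installed.
    // Returns true if the object was deserialized, false if the filter rejected
    // it (the JDK throws InvalidClassException for a REJECTED status).
    static boolean accepted(String pattern, Serializable value) throws IOException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.setObjectInputFilter(filter);   // stream-scoped; must precede readObject
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        ArrayList<String> inPackage = new ArrayList<>();     // java.util.ArrayList
        AtomicInteger inSubpackage = new AtomicInteger(1);  // java.util.concurrent.atomic.AtomicInteger

        // <package name>.* blocks the package only; the subpackage class still loads.
        System.out.println("java.util.* blocks ArrayList: " + !accepted("!java.util.*", inPackage));
        System.out.println("java.util.* blocks AtomicInteger: " + !accepted("!java.util.*", inSubpackage));

        // <package name>.** blocks the package and every subpackage.
        System.out.println("java.util.** blocks ArrayList: " + !accepted("!java.util.**", inPackage));
        System.out.println("java.util.** blocks AtomicInteger: " + !accepted("!java.util.**", inSubpackage));

        // <partial name>* blocks by prefix, ignoring package boundaries.
        System.out.println("java.util.Array* blocks ArrayList: " + !accepted("!java.util.Array*", inPackage));

        // Several patterns are combined with ';' to form the full blocklist.
        System.out.println("combined list allows AtomicInteger: "
            + accepted("!java.util.Array*;!java.util.concurrent.*", inSubpackage));
    }
}
```

Compile and run with a JDK 9 or later; the filter API is not available on Java 8.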
- Java deserialization
Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top ten security vulnerabilities for web applications. Pega Platform protects against this vulnerability by using features in the Java JDK.