Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Java deserialization

Updated on July 1, 2021

Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top ten security vulnerabilities for web applications. Pega Platform protects against this vulnerability by using features in the Java JDK.

In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. This global filter also adds known internal classes to the allow list. You can add classes to the global deserialization filter. If the filter flags a data stream as invalid, a security event is written to the security event log and the stream is not deserialized.

By default, the filter blocks the following classes:

  • com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
  • org.apache.commons.collections.functors.InvokerTransformer
  • org.apache.commons.collections.functors.InstantiateTransformer
  • org.apache.commons.collections4.functors.InvokerTransformer
  • org.apache.commons.collections4.functors.InstantiateTransformer
  • org.apache.xalan.xsltc.trax.TemplatesImpl
  • org.codehaus.groovy.runtime.ConvertedClosure
  • org.codehaus.groovy.runtime.MethodClosure
  • org.springframework.beans.factory.ObjectFactory

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us