LOG4J2-2163 Deprecate ObjectInputStreamLogEventBridge
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
index 428ab83..c5ab4eb 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
@@ -25,10 +25,15 @@
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.LogEventListener;
import org.apache.logging.log4j.util.FilteredObjectInputStream;
+import org.apache.logging.log4j.core.layout.SerializedLayout;
/**
- * Reads and logs serialized {@link LogEvent} objects from an {@link ObjectInputStream}.
+ * Reads and logs serialized {@link LogEvent} objects (created with {@link SerializedLayout}) from an {@link ObjectInputStream}.
+ *
+ * @deprecated Java Serialization has inherent security weaknesses, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data .
+ * Therefore {@link SerializedLayout} is deprecated, and so is this class. We recommend using {@link JsonInputStreamLogEventBridge} instead.
*/
+@Deprecated
public class ObjectInputStreamLogEventBridge extends AbstractLogEventBridge<ObjectInputStream> {
private final List<String> allowedClasses;
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
index 52eafcc..6d163fe 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
@@ -161,6 +161,7 @@
* @throws IOException
* if an I/O error occurs when opening the socket.
*/
+ @Deprecated
public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port) throws IOException {
LOGGER.entry(port);
final TcpSocketServer<ObjectInputStream> socketServer = new TcpSocketServer<>(port, new ObjectInputStreamLogEventBridge());
@@ -181,6 +182,7 @@
* if an I/O error occurs when opening the socket.
* @since 2.7
*/
+ @Deprecated
public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port, final int backlog,
final InetAddress localBindAddress) throws IOException {
return createSerializedSocketServer(port, backlog, localBindAddress, Collections.<String>emptyList());
@@ -201,6 +203,7 @@
* if an I/O error occurs when opening the socket.
* @since 2.8.2
*/
+ @Deprecated
public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(
final int port, final int backlog, final InetAddress localBindAddress, final List<String> allowedClasses
) throws IOException {
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java
index 8f53e03..17a7cdd 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java
@@ -61,6 +61,7 @@
* @throws IOException
* if an I/O error occurs when opening the socket.
*/
+ @Deprecated
public static UdpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port) throws IOException {
return new UdpSocketServer<>(port, new ObjectInputStreamLogEventBridge());
}
@@ -74,6 +75,7 @@
* @throws IOException if an I/O error occurs when opening the socket.
* @since 2.8.2
*/
+ @Deprecated
public static UdpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port,
final List<String> allowedClasses)
throws IOException {
