Support whitelists and custom serializers inside the DJVM.

Description

The initial integration of Corda with the DJVM assumed that all data types would be annotated as @CordaSerializable. This was sufficient for the Finance CorDapp, but a complete solution requires support for whitelists and custom serializers too.

As of v4.8.58, ClassGraph now allows us to scan attachment: URLs inside an AttachmentsClassLoader for all classes that implement SerializationCustomSerializer without executing any untrusted byte-code. Once we have identified the class names, we can construct their sandboxed equivalents.

And we can construct the whitelists by loading all of AttachmentsClassLoader's

META-INF/services/net.corda.core.serialization.SerializationWhitelist
resources.

Assignee

Alexey Chernikov

Reporter

Chris Rankin

Labels

Sprint

None

Epic Link

None

Priority

Medium

Engineering Teams

Kernel

Fix versions

Affects versions

Ported to...

None

Story Points / Dev Days

None

Build cut

None

Feature Team

Kernel Group
Configure