Weblogic反序列化漏洞修复

Weblogic反序列化在各大论坛的讨论一直是轰轰烈烈的，引发本漏洞其实并不能怪java的反序列化机制.
测试漏洞存在，应朋友的要求帮忙做个补救，翻遍网上大牛们的技术贴，有两种临时补救的方法，但是尝试过之后对应用有影响，放弃！
今天找到某牛写的贴子，里面提到可以自己禁止JVM 执行系统命令，经过一番研究，写了个servlet 放在系统里面跑了一下，成功防御，直接贴出代码：
 

import java.io.FilePermission;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Permission;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class KriSecurityServlet extends HttpServlet {
	/**
	 * Constructoroftheobject.
	 */
	public KriSecurityServlet() {
		super();
	}

	public void destroy() {
		super.destroy();
		// Justputs"destroy"stringinlog
		// Putyourcodehere
	}

	public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		this.doPost(request, response);
	}

	public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		response.setContentType("text/html");
		PrintWriter out = response.getWriter();
		out.println("");
		out.println("");
		out.println(" ");
		out.println(" ");
		out.println("Security denied!!!");
		out.println(" ");
		out.println("");
		out.flush();
		out.close();
	}

	public void init() throws ServletException {
		SecurityManager originalSecurityManager = System.getSecurityManager();
		if (originalSecurityManager == null) {
			// 创建自己SecurityManager
			SecurityManager sm = new SecurityManager() {
				private void check(Permission perm) {
					// 禁止exec
					if (perm instanceof FilePermission) {
						String actions = perm.getActions();
						if (actions != null && actions.contains("execute")) {
							System.out.println("警告：>>检测到 weblogic 反序列化***...");
							throw new SecurityException("execute denied!");
						}
					}
					// 禁止设置新的SecurityManager，保护自己
					if (perm instanceof java.lang.RuntimePermission) {
						String name = perm.getName();
						if (name != null && name.contains("setSecurityManager")) {
							System.out.println("警告：<<检测到 weblogic 反序列化***...");
							throw new SecurityException("System.setSecurityManager denied!");
						}
					}
				}

				public void checkPermission(Permission perm) {
					check(perm);
				}

				public void checkPermission(Permission perm, Object context) {
					check(perm);
				}
			};
			System.setSecurityManager(sm);
		}
	}

}

 

//web.xml 配置文件中添加如下内容：

 MySecurityServlet
 MySecurityServlet
 0


 MySecurityServlet
 /servlet/MySecurityServlet