Hazelcast prevents configuration of the Serialization Filter



The ClassFilter (package com.hazelcast.patch) in Alfresco’s hazelcast makes it impossible to configure the serialization filter.

Expected Behavior:

The ClassFilter should allow the serialization filter to allow packages and prefixes to be configured.

Observed Behavior:

The ClassFilter (package com.hazelcast.patch) in Alfresco’s hazelcast-2.4.20200303-alfresco-patched.jar has two bugs. You’re using the packages array to populate the prefixes,and checking if classes is not empty before adding packages. This makes both packages and prefixes impossible to configure in the Serialization Filter.

public ClassFilter (List<String> classes, List<String> packages, List<String> prefixes) {
if(classes != null){
addClasses(classes.toArray(new String[0]));
if(classes != null){
addPackages(packages.toArray(new String[0]));
if(prefixes != null){
addPrefixes(packages.toArray(new String[0]));


Windows, Tomcat

Testcase ID



Alexandru Epure
March 25, 2021, 3:28 PM

Repository has been released containing the new patched version of hazelcast.

Artifacts can be found on :

I have created a new PR to cherry pick this change into 5.2.N → https://github.com/Alfresco/alfresco-legacy-repo/pull/46https://github.com/Alfresco/alfresco-legacy-repo/pull/46

David Almazan
March 12, 2021, 6:36 PM

Customer has provided a video where they reproduce the issue. They show with detail how this part of the code is not working as expected:

if(prefixes != null){
addPrefixes(packages.toArray(new String[0]));

Customer has configured their own prefixes as described in the following screenshot:


But if you notice the addPrefixes method loads packages instead of prefixes as described in the screenshot below. This should load the prefixes.

You will find the full recording of the customer debugging this issue in the following location:


David Almazan
March 9, 2021, 12:13 AM

They are trying to configure their own custom classes. I don’t have any steps to reproduce. They are questioning why is the class written that way. Is there anything else I should get from the customer.

Scott Ashcraft
March 8, 2021, 11:58 PM

Not sure. What packages and prefixes are they trying to configure? Can you provide steps to reproduce the issue?

David Almazan
March 8, 2021, 11:56 PM

I miss adding these details to the Jira, but the customer disabled the filtering that is discussed in REPO-4706.

Setting this to false:

<serialization> <java-serialization-filter defaults-disabled="false"> </java-serialization-filter> </serialization>

Should ClassFilter allow the serialization filter to allow packages and prefixes to be configured?



Alexandru Epure


David Almazan

Hot Fix Version

ACT Numbers


Premier Customer


Delivery Team

Customer Excellence

Bug Priority

Category 2