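Dubbo supports viewing the current configuration and the trusted/untrusted class lists in real time through QoS commands. Two commands are currently supported: serializeCheckStatus shows the current configuration, and serializeWarnedClasses shows the live list of warned classes.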
serializeCheckStatus
serializeWarnedClasses
Access directly from the console:
> telnet 127.0.0.1 22222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
   ___   __  __ ___   ___   ____
  / _ \ / / / // _ ) / _ ) / __ \
 / // // /_/ // _  |/ _  |/ /_/ /
/____/ \____//____//____/ \____/
dubbo>serializeCheckStatus
CheckStatus: WARN
CheckSerializable: true
AllowedPrefix:
...
DisAllowedPrefix:
...
dubbo>
Request the result in JSON format over HTTP:
> curl http://127.0.0.1:22222/serializeCheckStatus
{"checkStatus":"WARN","allowedPrefix":[...],"checkSerializable":true,"disAllowedPrefix":[...]}
> telnet 127.0.0.1 22222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
   ___   __  __ ___   ___   ____
  / _ \ / / / // _ ) / _ ) / __ \
 / // // /_/ // _  |/ _  |/ /_/ /
/____/ \____//____//____/ \____/
dubbo>serializeWarnedClasses
WarnedClasses:
io.dubbo.test.NotSerializable
io.dubbo.test2.NotSerializable
io.dubbo.test2.OthersSerializable
org.apache.dubbo.samples.NotSerializable
dubbo>
> curl http://127.0.0.1:22222/serializeWarnedClasses
{"warnedClasses":["io.dubbo.test2.NotSerializable","org.apache.dubbo.samples.NotSerializable","io.dubbo.test.NotSerializable","io.dubbo.test2.OthersSerializable"]}
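It is recommended to check the result of serializeWarnedClasses promptly and regularly; whether the returned result is non-empty indicates whether the application is under attack.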
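One way to automate this check, as an added example that is not part of the Dubbo project: a small poller that reads both QoS HTTP endpoints shown above, reports warned classes it has not seen before, and flags a check configuration that differs from the expected one. The function names, the default expected status of `WARN` (taken from the sample output above) and the exit codes are assumptions of this example.

```python
import json
import sys
import urllib.request

QOS_BASE = "http://127.0.0.1:22222"  # QoS address used in the commands above


def fetch(command, base=QOS_BASE, timeout=3):
    """GET a QoS command over HTTP and return the decoded JSON object."""
    with urllib.request.urlopen(f"{base}/{command}", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def new_warned_classes(warned, seen):
    """Return warned classes not reported before, sorted for stable output.

    The sample response lists classes in no particular order, so compare as sets.
    """
    classes = warned.get("warnedClasses") or []
    return sorted(set(classes) - set(seen))


def config_drift(status, expected_status="WARN"):
    """List differences between the live check configuration and the expected one."""
    problems = []
    if status.get("checkStatus") != expected_status:
        problems.append(
            f"checkStatus is {status.get('checkStatus')!r}, expected {expected_status!r}")
    if status.get("checkSerializable") is not True:
        problems.append("checkSerializable is not true")
    return problems


def poll(seen, expected_status="WARN"):
    """One polling round: returns alert lines and adds new classes to `seen`."""
    alerts = config_drift(fetch("serializeCheckStatus"), expected_status)
    fresh = new_warned_classes(fetch("serializeWarnedClasses"), seen)
    seen.update(fresh)
    return alerts + [f"new warned class: {name}" for name in fresh]


if __name__ == "__main__":
    try:
        found = poll(set())
    except (OSError, ValueError) as exc:  # unreachable endpoint or non-JSON reply
        print(f"QoS query failed: {exc}", file=sys.stderr)
        sys.exit(2)
    print("\n".join(found) or "no warned classes")
    sys.exit(1 if found else 0)
```

Keeping `seen` between polling rounds (for example in a long-running loop) means each class is alerted on once rather than on every poll.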
Dubbo class checking mechanism.