[3.3] Update hessian-lite to 4.0.0 & Set hessian serialization back (#…

…13974)

.github/workflows/build-and-test-pr.yml

@@ -199,7 +199,6 @@ jobs:
     env:
       DISABLE_FILE_SYSTEM_TEST: true
       CURRENT_ROLE: ${{ matrix.case-role }}
-      DUBBO_DEFAULT_SERIALIZATION: fastjson2
     steps:
       - uses: actions/checkout@v3
         with:

dubbo-common/src/main/java/org/apache/dubbo/common/CommonScopeModelInitializer.java

@@ -20,6 +20,7 @@
 import org.apache.dubbo.common.config.ConfigurationCache;
 import org.apache.dubbo.common.convert.ConverterUtil;
 import org.apache.dubbo.common.lang.ShutdownHookCallbacks;
+import org.apache.dubbo.common.serialization.ClassHolder;
 import org.apache.dubbo.common.ssl.CertManager;
 import org.apache.dubbo.common.status.reporter.FrameworkStatusReportService;
 import org.apache.dubbo.common.threadpool.manager.FrameworkExecutorRepository;
@@ -40,6 +41,7 @@ public void initializeFrameworkModel(FrameworkModel frameworkModel) {
         beanFactory.registerBean(SerializeSecurityManager.class);
         beanFactory.registerBean(DefaultSerializeClassChecker.class);
         beanFactory.registerBean(CertManager.class);
+        beanFactory.registerBean(ClassHolder.class);
     }
 
     @Override

dubbo-common/src/main/java/org/apache/dubbo/common/serialization/ClassHolder.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialization;
+
+import org.apache.dubbo.common.utils.ConcurrentHashSet;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class ClassHolder {
+    private final Map<String, Set<Class<?>>> classCache = new ConcurrentHashMap<>();
+
+    public void storeClass(Class<?> clazz) {
+        classCache
+                .computeIfAbsent(clazz.getName(), k -> new ConcurrentHashSet<>())
+                .add(clazz);
+    }
+
+    public Class<?> loadClass(String className, ClassLoader classLoader) {
+        Set<Class<?>> classList = classCache.get(className);
+        if (classList == null) {
+            return null;
+        }
+        for (Class<?> clazz : classList) {
+            if (classLoader.equals(clazz.getClassLoader())) {
+                return clazz;
+            }
+        }
+        return null;
+    }
+}

dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java

@@ -16,8 +16,10 @@
  */
 package org.apache.dubbo.common.utils;
 
+import org.apache.dubbo.common.aot.NativeDetector;
 import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
 import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.serialization.ClassHolder;
 import org.apache.dubbo.rpc.model.FrameworkModel;
 
 import java.io.Serializable;
@@ -40,13 +42,16 @@ public class DefaultSerializeClassChecker implements AllowClassNotifyListener {
     private volatile boolean checkSerializable = true;
 
     private final SerializeSecurityManager serializeSecurityManager;
+    private final ClassHolder classHolder;
     private volatile long[] allowPrefixes = new long[0];
 
     private volatile long[] disAllowPrefixes = new long[0];
 
     public DefaultSerializeClassChecker(FrameworkModel frameworkModel) {
         serializeSecurityManager = frameworkModel.getBeanFactory().getOrRegisterBean(SerializeSecurityManager.class);
         serializeSecurityManager.registerListener(this);
+        classHolder =
+                NativeDetector.inNativeImage() ? frameworkModel.getBeanFactory().getBean(ClassHolder.class) : null;
     }
 
     @Override
@@ -120,7 +125,7 @@ public Class<?> loadClass(ClassLoader classLoader, String className) throws Clas
 
     private Class<?> loadClass0(ClassLoader classLoader, String className) throws ClassNotFoundException {
         if (checkStatus == SerializeCheckStatus.DISABLE) {
-            return ClassUtils.forName(className, classLoader);
+            return classForName(classLoader, className);
         }
 
         long hash = MAGIC_HASH_CODE;
@@ -133,7 +138,7 @@ private Class<?> loadClass0(ClassLoader classLoader, String className) throws Cl
             hash *= MAGIC_PRIME;
 
             if (Arrays.binarySearch(allowPrefixes, hash) >= 0) {
-                return ClassUtils.forName(className, classLoader);
+                return classForName(classLoader, className);
             }
         }
 
@@ -190,7 +195,7 @@ private Class<?> loadClass0(ClassLoader classLoader, String className) throws Cl
             }
         }
 
-        Class<?> clazz = ClassUtils.forName(className, classLoader);
+        Class<?> clazz = classForName(classLoader, className);
         if (serializeSecurityManager.getWarnedClasses().add(className)) {
             logger.warn(
                     PROTOCOL_UNTRUSTED_SERIALIZE_CLASS,
@@ -204,6 +209,16 @@ private Class<?> loadClass0(ClassLoader classLoader, String className) throws Cl
         return clazz;
     }
 
+    private Class<?> classForName(ClassLoader classLoader, String className) throws ClassNotFoundException {
+        if (classHolder != null) {
+            Class<?> aClass = classHolder.loadClass(className, classLoader);
+            if (aClass != null) {
+                return aClass;
+            }
+        }
+        return ClassUtils.forName(className, classLoader);
+    }
+
     public static DefaultSerializeClassChecker getInstance() {
         return FrameworkModel.defaultModel().getBeanFactory().getBean(DefaultSerializeClassChecker.class);
     }

dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeSecurityConfigurator.java

@@ -16,9 +16,11 @@
  */
 package org.apache.dubbo.common.utils;
 
+import org.apache.dubbo.common.aot.NativeDetector;
 import org.apache.dubbo.common.constants.CommonConstants;
 import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
 import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.serialization.ClassHolder;
 import org.apache.dubbo.config.ApplicationConfig;
 import org.apache.dubbo.rpc.model.FrameworkModel;
 import org.apache.dubbo.rpc.model.ModuleModel;
@@ -52,6 +54,8 @@ public class SerializeSecurityConfigurator implements ScopeClassLoaderListener<M
 
     private final ModuleModel moduleModel;
 
+    private final ClassHolder classHolder;
+
     private volatile boolean autoTrustSerializeClass = true;
 
     private volatile int trustSerializeClassLevel = Integer.MAX_VALUE;
@@ -62,6 +66,8 @@ public SerializeSecurityConfigurator(ModuleModel moduleModel) {
 
         FrameworkModel frameworkModel = moduleModel.getApplicationModel().getFrameworkModel();
         serializeSecurityManager = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
+        classHolder =
+                NativeDetector.inNativeImage() ? frameworkModel.getBeanFactory().getBean(ClassHolder.class) : null;
 
         refreshStatus();
         refreshCheck();
@@ -210,7 +216,7 @@ public synchronized void registerInterface(Class<?> clazz) {
         Set<Type> markedClass = new HashSet<>();
         checkClass(markedClass, clazz);
 
-        addToAllow(clazz.getName());
+        addToAllow(clazz);
 
         Method[] methodsToExport = clazz.getMethods();
 
@@ -291,7 +297,7 @@ private void checkClass(Set<Type> markedClass, Class<?> clazz) {
             return;
         }
 
-        addToAllow(clazz.getName());
+        addToAllow(clazz);
 
         if (ClassUtils.isSimpleType(clazz) || clazz.isPrimitive() || clazz.isArray()) {
             return;
@@ -337,11 +343,17 @@ private void checkClass(Set<Type> markedClass, Class<?> clazz) {
         }
     }
 
-    private void addToAllow(String className) {
+    private void addToAllow(Class<?> clazz) {
+        if (classHolder != null) {
+            classHolder.storeClass(clazz);
+        }
+
+        String className = clazz.getName();
         // ignore jdk
         if (className.startsWith("java.")
                 || className.startsWith("javax.")
                 || className.startsWith("com.sun.")
+                || className.startsWith("jakarta.")
                 || className.startsWith("sun.")
                 || className.startsWith("jdk.")) {
             serializeSecurityManager.addToAllowed(className);

dubbo-common/src/test/java/org/apache/dubbo/config/context/ConfigManagerTest.java

@@ -481,7 +481,7 @@ void testLoadConfig() {
     public static class TestPreferSerializationProvider implements PreferSerializationProvider {
         @Override
         public String getPreferSerialization() {
-            return "fastjson2,hessian2";
+            return "hessian2";
         }
     }
 }

dubbo-config/dubbo-config-api/src/test/java/org/apache/dubbo/config/ProtocolConfigTest.java

@@ -389,7 +389,7 @@ void testPreferSerializationDefault1() throws Exception {
         assertNull(protocolConfig.getPreferSerialization());
 
         protocolConfig.checkDefault();
-        assertThat(protocolConfig.getPreferSerialization(), equalTo("fastjson2,hessian2"));
+        assertThat(protocolConfig.getPreferSerialization(), equalTo("hessian2,fastjson2"));
 
         protocolConfig = new ProtocolConfig();
         protocolConfig.setSerialization("x-serialization");
@@ -405,7 +405,7 @@ void testPreferSerializationDefault2() throws Exception {
         assertNull(protocolConfig.getPreferSerialization());
 
         protocolConfig.refresh();
-        assertThat(protocolConfig.getPreferSerialization(), equalTo("fastjson2,hessian2"));
+        assertThat(protocolConfig.getPreferSerialization(), equalTo("hessian2,fastjson2"));
 
         protocolConfig = new ProtocolConfig();
         protocolConfig.setSerialization("x-serialization");

dubbo-demo/dubbo-demo-native/dubbo-demo-native-consumer/pom.xml

@@ -122,6 +122,11 @@
       <artifactId>dubbo-serialization-fastjson2</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.dubbo</groupId>
+      <artifactId>dubbo-serialization-hessian2</artifactId>
+      <version>${project.version}</version>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.dubbo</groupId>
@@ -134,11 +139,6 @@
       <version>${project.version}</version>
     </dependency>
 
-    <dependency>
-      <groupId>com.alibaba</groupId>
-      <artifactId>fastjson</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>org.apache.dubbo</groupId>
       <artifactId>dubbo-native</artifactId>

dubbo-demo/dubbo-demo-native/dubbo-demo-native-consumer/src/main/java/org/apache/dubbo/demo/graalvm/consumer/Application.java

@@ -36,7 +36,7 @@ public class Application {
     public static void main(String[] args) {
         SystemPropertyConfigUtils.setSystemProperty(DubboProperty.DUBBO_APPLICATION_LOGGER, "logback");
         System.setProperty("native", "true");
-        SystemPropertyConfigUtils.setSystemProperty(DubboProperty.DUBBO_PREFER_JSON_FRAMEWORK_NAME, "fastjson");
+        SystemPropertyConfigUtils.setSystemProperty(DubboProperty.DUBBO_PREFER_JSON_FRAMEWORK_NAME, "fastjson2");
         runWithBootstrap();
     }
 
@@ -55,7 +55,7 @@ private static void runWithBootstrap() {
         reference.setGeneric("false");
 
         ProtocolConfig protocolConfig = new ProtocolConfig(CommonConstants.DUBBO, -1);
-        protocolConfig.setSerialization("fastjson2");
+        protocolConfig.setSerialization("hessian2");
         bootstrap
                 .application(applicationConfig)
                 .registry(new RegistryConfig(REGISTRY_URL))

dubbo-demo/dubbo-demo-native/dubbo-demo-native-provider/pom.xml

@@ -122,6 +122,11 @@
       <artifactId>dubbo-serialization-fastjson2</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.dubbo</groupId>
+      <artifactId>dubbo-serialization-hessian2</artifactId>
+      <version>${project.version}</version>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.dubbo</groupId>
@@ -133,10 +138,6 @@
       <artifactId>dubbo-filter-validation</artifactId>
       <version>${project.version}</version>
     </dependency>
-    <dependency>
-      <groupId>com.alibaba</groupId>
-      <artifactId>fastjson</artifactId>
-    </dependency>
 
     <dependency>
       <groupId>org.apache.dubbo</groupId>

dubbo-demo/dubbo-demo-native/dubbo-demo-native-provider/src/main/java/org/apache/dubbo/demo/graalvm/provider/Application.java

@@ -36,7 +36,7 @@ public class Application {
     public static void main(String[] args) throws Exception {
         SystemPropertyConfigUtils.setSystemProperty(DubboProperty.DUBBO_APPLICATION_LOGGER, "logback");
         System.setProperty("native", "true");
-        SystemPropertyConfigUtils.setSystemProperty(DubboProperty.DUBBO_PREFER_JSON_FRAMEWORK_NAME, "fastjson");
+        SystemPropertyConfigUtils.setSystemProperty(DubboProperty.DUBBO_PREFER_JSON_FRAMEWORK_NAME, "fastjson2");
         startWithBootstrap();
         System.in.read();
     }
@@ -60,7 +60,7 @@ private static void startWithBootstrap() {
         service.setRef(new DemoServiceImpl());
 
         ProtocolConfig protocolConfig = new ProtocolConfig(CommonConstants.DUBBO, -1);
-        protocolConfig.setSerialization("fastjson2");
+        protocolConfig.setSerialization("hessian2");
         bootstrap
                 .application(applicationConfig)
                 .registry(new RegistryConfig(REGISTRY_URL))

dubbo-dependencies-bom/pom.xml

@@ -167,7 +167,7 @@
     <jaxb_version>2.2.7</jaxb_version>
     <activation_version>1.2.0</activation_version>
     <test_container_version>1.19.7</test_container_version>
-    <hessian_lite_version>3.2.13</hessian_lite_version>
+    <hessian_lite_version>4.0.0</hessian_lite_version>
     <swagger_version>1.6.14</swagger_version>
 
     <snappy_java_version>1.1.10.5</snappy_java_version>
@@ -364,7 +364,7 @@
         <version>${hessian_version}</version>
       </dependency>
       <dependency>
-        <groupId>com.alibaba</groupId>
+        <groupId>org.apache.dubbo</groupId>
         <artifactId>hessian-lite</artifactId>
         <version>${hessian_lite_version}</version>
       </dependency>

dubbo-distribution/dubbo-all-shaded/pom.xml

@@ -427,7 +427,7 @@
       <artifactId>snakeyaml</artifactId>
     </dependency>
     <dependency>
-      <groupId>com.alibaba</groupId>
+      <groupId>org.apache.dubbo</groupId>
       <artifactId>hessian-lite</artifactId>
     </dependency>
     <dependency>

dubbo-distribution/dubbo-all/pom.xml

@@ -456,7 +456,7 @@
       <artifactId>snakeyaml</artifactId>
     </dependency>
     <dependency>
-      <groupId>com.alibaba</groupId>
+      <groupId>org.apache.dubbo</groupId>
       <artifactId>hessian-lite</artifactId>
     </dependency>
     <dependency>