From 736f2b936ad44c9cdda2a8b3dcc5884b3e0ff285 Mon Sep 17 00:00:00 2001
From: jimin
Date: Mon, 5 Feb 2024 10:36:07 +0800
Subject: [PATCH] optimize: optimize Hessian Serialize (#6254)
---
 changes/en-us/2.x.md | 2 +-
 changes/zh-cn/2.x.md | 1 +
 .../serializer/SerializerSecurityRegistry.java | 2 +-
 .../serializer/hessian/HessianSerializer.java | 18 +++++++++---------
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
index 5c741aaae51..ff55d2be6e4 100644
--- a/changes/en-us/2.x.md
+++ b/changes/en-us/2.x.md
@@ -81,7 +81,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6301](https://github.com/apache/incubator-seata/pull/6301)] upgrade console frontend dependencies and supported nodejs versions
 - [[#6301](https://github.com/apache/incubator-seata/pull/6312)] add saga related io.seata compatible api
 - [[#6313](https://github.com/apache/incubator-seata/pull/6313)] console display the version number
-
+- [[#6254](https://github.com/apache/incubator-seata/pull/6254)] optimize Hessian Serialize
 ### security:
 - [[#6069](https://github.com/apache/incubator-seata/pull/6069)] Upgrade Guava dependencies to fix security vulnerabilities
diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
index d915a242547..40807862771 100644
--- a/changes/zh-cn/2.x.md
+++ b/changes/zh-cn/2.x.md
@@ -79,6 +79,7 @@
 - [[#6301](https://github.com/apache/incubator-seata/pull/6301)] 升级console前端依赖及支持的nodejs版本
 - [[#6301](https://github.com/apache/incubator-seata/pull/6312)] 添加saga相关的io.seata兼容性API
 - [[#6313](https://github.com/apache/incubator-seata/pull/6313)] console展示版本号
+- [[#6254](https://github.com/apache/incubator-seata/pull/6254)] 优化Hessian 序列化
 ### security:
diff --git a/core/src/main/java/org/apache/seata/core/serializer/SerializerSecurityRegistry.java b/core/src/main/java/org/apache/seata/core/serializer/SerializerSecurityRegistry.java
index 9cfda827594..3ab82fb4bfc 100644
--- a/core/src/main/java/org/apache/seata/core/serializer/SerializerSecurityRegistry.java
+++ b/core/src/main/java/org/apache/seata/core/serializer/SerializerSecurityRegistry.java
@@ -129,7 +129,7 @@ private static String getSeataClassPattern() {
 }
 private static String[] getDenyClassPatternList() {
- return new String[] {"javax.naming.InitialContext", "javax.net.ssl.*", "com.unboundid.ldap.*"};
+ return new String[] {"javax.naming.InitialContext", "javax.net.ssl.*", "com.unboundid.ldap.*", "java.lang.Runtime"};
 }
 private static Set> getProtocolType() {
diff --git a/serializer/seata-serializer-hessian/src/main/java/org/apache/seata/serializer/hessian/HessianSerializer.java b/serializer/seata-serializer-hessian/src/main/java/org/apache/seata/serializer/hessian/HessianSerializer.java
index 97f5bce2907..0bc4ded989f 100644
--- a/serializer/seata-serializer-hessian/src/main/java/org/apache/seata/serializer/hessian/HessianSerializer.java
+++ b/serializer/seata-serializer-hessian/src/main/java/org/apache/seata/serializer/hessian/HessianSerializer.java
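Review bot: The `"java.lang.Runtime"` entry added in `getDenyClassPatternList()` of SerializerSecurityRegistry.java names one exact class, whereas neighbouring entries such as `"javax.net.ssl.*"` cover whole packages. A deny list blocks only what it names, so any other type stays deserializable unless the allow patterns reject it; how the two lists are combined is not visible in this hunk. I would record that above the return, e.g. `// Backstop only: classes not listed here must still be rejected by the allow patterns.`, and add a test asserting that `java.lang.Runtime` is refused by the registry.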
@@ -16,32 +16,31 @@
 */
 package org.apache.seata.serializer.hessian;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
 import com.caucho.hessian.io.Hessian2Input;
 import com.caucho.hessian.io.Hessian2Output;
-import com.caucho.hessian.io.SerializerFactory;
 import org.apache.seata.common.loader.LoadLevel;
 import org.apache.seata.core.serializer.Serializer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
 @LoadLevel(name = "HESSIAN")
+@Deprecated
 public class HessianSerializer implements Serializer {
 private static final Logger LOGGER = LoggerFactory.getLogger(HessianSerializer.class);
 @Override
 public byte[] serialize(T t) {
 byte[] stream = null;
- SerializerFactory hessian = HessianSerializerFactory.getInstance();
 try {
- com.caucho.hessian.io.Serializer serializer = hessian.getSerializer(t.getClass());
 ByteArrayOutputStream baos = new ByteArrayOutputStream();
 Hessian2Output output = new Hessian2Output(baos);
- serializer.writeObject(t, output);
+ output.setSerializerFactory(HessianSerializerFactory.getInstance());
+ output.writeObject(t);
 output.close();
 stream = baos.toByteArray();
 } catch (IOException e) {
@@ -55,7 +54,8 @@ public T deserialize(byte[] bytes) {
 T obj = null;
 try (ByteArrayInputStream is = new ByteArrayInputStream(bytes)) {
 Hessian2Input input = new Hessian2Input(is);
- obj = (T) input.readObject();
+ input.setSerializerFactory(HessianSerializerFactory.getInstance());
+ obj = (T)input.readObject();
 input.close();
 } catch (IOException e) {
 LOGGER.error("Hessian decode error:{}", e.getMessage(), e);
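Review bot: The `@Deprecated` added above `public class HessianSerializer` comes without Javadoc, so anyone who selects `HESSIAN` gets a compiler warning with neither a reason nor a replacement. A class comment such as `/** @deprecated <reason>; use <replacement serializer> instead. */` would close that gap. Separately, `serialize` no longer calls `t.getClass()`, so a null `t` is now passed to `output.writeObject(t)` instead of failing with a NullPointerException; if that is intended it deserves a line in the method's documentation. The body of `serialize` continues past the end of this hunk.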
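Review bot: The `input.setSerializerFactory(HessianSerializerFactory.getInstance())` line added in `deserialize` has no test with it; the diffstat lists four files and none of them is a test. This appears to be the line that makes decoding go through the project's factory and, presumably, its class filter (not visible here), so a regression test should check that a payload naming a denied class does not come back from `deserialize` as an instance of that class. The `catch` that follows only logs and lets the method return `null`, so a caller cannot tell a rejected payload from an encoded null; say so in the Javadoc or rethrow. `deserialize` starts and ends outside this hunk.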