I have an application that uses logback classic's SocketAppender to send events to a separate logging process. The separate process is using logback classic's ServerSocketReceiver and then tracks details about the events. With logback 1.2 it stopped working and the receiving process started outputting: "java.io.InvalidClassException: Unauthorized deserialization attempt; [Ljava.lang.Object;". Trying to track it down, I finally found that it happened when I had two or more Markers on the event. Specifically with code such as:
Tracing further, the error message comes from logback core's HardenedObjectInputStream.resolveClass(ObjectStreamClass). The related class HardenedLoggingEventInputStream has a whitelist of accepted class names that includes org.slf4j.helpers.BasicMarker but not Object. When the sending application code calls BasicMarker.add(Marker), the BasicMarker will create a new internal Vector. That Vector has the field elementData of type Object, which gets serialized in the sending process. Then the receiving process does not accept Object during deserialization and produces the error above.
In short, I can't have two slf4j Markers on an event and send it across with serialization with logback classic's SocketAppender and ServerSocketReceiver.
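The failure mode described in this report can be reproduced without logback. The following is an added example, not part of the original report and not logback's or slf4j's code: DemoMarker, AllowListInputStream and the contents of the allow-list are hypothetical stand-ins for BasicMarker, the hardened input stream and its whitelist.

```java
import java.io.*;
import java.util.*;

public class AllowListDemo {
    // Hypothetical stand-in for a marker that lazily creates a Vector of references.
    static class DemoMarker implements Serializable {
        final String name;
        List<DemoMarker> refs;                       // stays null until add() is called
        DemoMarker(String name) { this.name = name; }
        void add(DemoMarker m) {
            if (refs == null) refs = new Vector<>();
            refs.add(m);
        }
    }

    // Rejects any class descriptor in the stream whose name is not on the allow-list.
    static class AllowListInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            return super.resolveClass(desc);
        }
    }

    // Serializes o in memory, then reads it back through the allow-list stream.
    static String roundTrip(Object o, Set<String> allowed) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new AllowListInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allowed)) {
            in.readObject();
            return "accepted";
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow-list: the marker class and Vector, but not Object[].
        Set<String> allowed = new HashSet<>(Arrays.asList(DemoMarker.class.getName(), "java.util.Vector"));
        DemoMarker one = new DemoMarker("A");
        DemoMarker two = new DemoMarker("A");
        two.add(new DemoMarker("B"));                // creates the Vector and its Object[] backing array
        System.out.println("single marker: " + roundTrip(one, allowed));
        System.out.println("nested marker: " + roundTrip(two, allowed));
        allowed.add("[Ljava.lang.Object;");          // JVM name of Object[], the type of Vector.elementData
        System.out.println("with Object[]: " + roundTrip(two, allowed));
    }
}
```

The check runs once per class descriptor in the stream, so an allow-list has to name every type reachable from the accepted classes, including array types written in the JVM's "[L...;" form.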