diff --git a/common/source/java/ch/systemsx/cisd/common/spring/WhiteListCodebaseAwareObjectInputStream.java b/common/source/java/ch/systemsx/cisd/common/spring/WhiteListCodebaseAwareObjectInputStream.java
new file mode 100644
index 0000000000000000000000000000000000000000..6287c585f129b6754ef53be104a9611f73285fe4
--- /dev/null
+++ b/common/source/java/ch/systemsx/cisd/common/spring/WhiteListCodebaseAwareObjectInputStream.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2015 ETH Zuerich, SIS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.common.spring;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectStreamClass;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.regex.Pattern;
+
+import org.apache.log4j.Logger;
+import org.springframework.remoting.rmi.CodebaseAwareObjectInputStream;
+
+import ch.systemsx.cisd.common.logging.LogCategory;
+import ch.systemsx.cisd.common.logging.LogFactory;
+
+/**
+ * @author Franz-Josef Elmer
+ */
+public class WhiteListCodebaseAwareObjectInputStream extends CodebaseAwareObjectInputStream
+{
+    private static final Logger operationLog = LogFactory.getLogger(LogCategory.OPERATION, 
+            WhiteListCodebaseAwareObjectInputStream.class);
+
+    private static final List<Pattern> whiteListPatterns = new LinkedList<>();
+
+    {
+        addToWhiteListPatterns("byte");
+        addToWhiteListPatterns("short");
+        addToWhiteListPatterns("int");
+        addToWhiteListPatterns("long");
+        addToWhiteListPatterns("float");
+        addToWhiteListPatterns("double");
+        addToWhiteListPatterns("boolean");
+        addToWhiteListPatterns("org\\.springframework\\.remoting\\.support\\.RemoteInvocation");
+        addToWhiteListPatterns("java\\..*");
+        addToWhiteListPatterns("ch\\.ethz\\.sis\\..*");
+        addToWhiteListPatterns("ch\\.systemsx\\.cisd\\..*");
+    }
+
+    private static void addToWhiteListPatterns(String regex)
+    {
+        whiteListPatterns.add(Pattern.compile(regex));
+    }
+
+    public WhiteListCodebaseAwareObjectInputStream(InputStream in, ClassLoader classLoader, boolean acceptProxyClasses) throws IOException
+    {
+        super(in, classLoader, acceptProxyClasses);
+    }
+
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException
+    {
+        String className = classDesc.getName();
+        assertMatchingClassName(className);
+        return super.resolveClass(classDesc);
+    }
+    
+    private void assertMatchingClassName(String className) throws ClassNotFoundException
+    {
+        if (className.startsWith("[L") && className.endsWith(";"))
+        {
+            assertMatchingClassName(className.substring(2, className.length() - 1));
+        } else
+        {
+            for (Pattern pattern : whiteListPatterns)
+            {
+                if (pattern.matcher(className).matches())
+                {
+                    return;
+                }
+            }
+            operationLog.error("Attempt to load class " + className);
+            throw new IllegalArgumentException("Class not allowed to load: " + className);
+        }
+    }
+}
diff --git a/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/AbstractApiServiceExporter.java b/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/AbstractApiServiceExporter.java
index ee358ebd2775d33114a9785b643a60f841fe9afc..ab5eebfd7d66656c66cd8f866b4046af09f48d38 100644
--- a/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/AbstractApiServiceExporter.java
+++ b/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/AbstractApiServiceExporter.java
@@ -30,7 +30,7 @@ import ch.systemsx.cisd.common.spring.ServiceExceptionTranslator;
  *
  * @author Franz-Josef Elmer
  */
-public abstract class AbstractApiServiceExporter extends HttpInvokerServiceExporter
+public abstract class AbstractApiServiceExporter extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = IRpcServiceNameServer.PREFFERED_BEAN_NAME)
     private RpcServiceNameServer nameServer;
diff --git a/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/WhiteListHttpInvokerServiceExporter.java b/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/WhiteListHttpInvokerServiceExporter.java
new file mode 100644
index 0000000000000000000000000000000000000000..282dcff88d14ca0dabb60dfa3e68a8ae6e1da62e
--- /dev/null
+++ b/openbis-common/source/java/ch/systemsx/cisd/openbis/common/api/server/WhiteListHttpInvokerServiceExporter.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2015 ETH Zuerich, SIS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.common.api.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+
+import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
+
+import ch.systemsx.cisd.common.spring.WhiteListCodebaseAwareObjectInputStream;
+
+/**
+ * 
+ *
+ * @author Franz-Josef Elmer
+ */
+public abstract class WhiteListHttpInvokerServiceExporter extends HttpInvokerServiceExporter
+{
+    @Override
+    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException
+    {
+        return new WhiteListCodebaseAwareObjectInputStream(is, getBeanClassLoader(), isAcceptProxyClasses());
+    }
+
+}
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/CommonServiceServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/CommonServiceServer.java
index 74d1932c26c71293e03a41c159836b484bb2567b..a5a1cfd47aeae187a4034268fa59ce8cf9f1c49f 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/CommonServiceServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/CommonServiceServer.java
@@ -23,10 +23,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+import ch.systemsx.cisd.openbis.common.api.server.WhiteListHttpInvokerServiceExporter;
 import ch.systemsx.cisd.openbis.generic.shared.ICommonServer;
 import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
 
@@ -34,7 +34,7 @@ import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
  * @author Izabela Adamczyk
  */
 @Controller
-public class CommonServiceServer extends HttpInvokerServiceExporter
+public class CommonServiceServer extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = ResourceNames.COMMON_SERVER)
     private ICommonServer common;
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ETLServiceServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ETLServiceServer.java
index fecb0be3a01205690de411402a5ae58e2df7ad20..1017b1abee156d243b9466972b63b55883e06793 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ETLServiceServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ETLServiceServer.java
@@ -25,11 +25,11 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
 import ch.systemsx.cisd.common.spring.ServiceExceptionTranslator;
+import ch.systemsx.cisd.openbis.common.api.server.WhiteListHttpInvokerServiceExporter;
 import ch.systemsx.cisd.openbis.generic.shared.IServiceForDataStoreServer;
 import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
 
@@ -38,7 +38,7 @@ import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
  * @author Kaloyan Enimanev
  */
 @Controller
-public class ETLServiceServer extends HttpInvokerServiceExporter
+public class ETLServiceServer extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = ResourceNames.ETL_SERVICE)
     private IServiceForDataStoreServer etlService;
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationClientManagerServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationClientManagerServer.java
index 7fb33f916140b8c323fbfce724f2a309d988bd5e..aa3cb3783020c299bfe2ca1db183d8d87155899d 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationClientManagerServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationClientManagerServer.java
@@ -23,10 +23,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+import ch.systemsx.cisd.openbis.common.api.server.WhiteListHttpInvokerServiceExporter;
 import ch.systemsx.cisd.openbis.common.conversation.manager.IServiceConversationClientManagerRemote;
 import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
 
@@ -35,7 +35,7 @@ import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
  */
 
 @Controller
-public class ServiceConversationClientManagerServer extends HttpInvokerServiceExporter
+public class ServiceConversationClientManagerServer extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = ResourceNames.SERVICE_CONVERSATION_CLIENT_MANAGER)
     private IServiceConversationClientManagerRemote clientManager;
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationServerManagerServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationServerManagerServer.java
index 8961ab01e85c3a0e96411b9529dd02a121a06bfd..1e45aa188d49bc6f6c06817fd15c80eb13fe1821 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationServerManagerServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/ServiceConversationServerManagerServer.java
@@ -23,10 +23,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+import ch.systemsx.cisd.openbis.common.api.server.WhiteListHttpInvokerServiceExporter;
 import ch.systemsx.cisd.openbis.common.conversation.manager.IServiceConversationServerManagerRemote;
 import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
 
@@ -35,7 +35,7 @@ import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
  */
 
 @Controller
-public class ServiceConversationServerManagerServer extends HttpInvokerServiceExporter
+public class ServiceConversationServerManagerServer extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = ResourceNames.SERVICE_CONVERSATION_SERVER_MANAGER)
     private IServiceConversationServerManagerRemote serverManager;
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/TrackingServiceServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/TrackingServiceServer.java
index 2d92fe430527d1e35aa68e43170e1e7e8375699c..94c23280195abc1b80274521398ed84be9866dea 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/TrackingServiceServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/TrackingServiceServer.java
@@ -23,10 +23,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+import ch.systemsx.cisd.openbis.common.api.server.WhiteListHttpInvokerServiceExporter;
 import ch.systemsx.cisd.openbis.generic.shared.ITrackingServer;
 import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
 
@@ -34,7 +34,7 @@ import ch.systemsx.cisd.openbis.generic.shared.ResourceNames;
  * @author Piotr Buczek
  */
 @Controller
-public class TrackingServiceServer extends HttpInvokerServiceExporter
+public class TrackingServiceServer extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = ResourceNames.TRACKING_SERVER)
     private ITrackingServer server;
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/generic/server/GenericServiceServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/generic/server/GenericServiceServer.java
index db9e528e4a3f06022db8ef3ff132f280b46b4898..d4c19451f974e8afd869f1956b70c12cd7bdb1fc 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/generic/server/GenericServiceServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/generic/server/GenericServiceServer.java
@@ -23,10 +23,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+import ch.systemsx.cisd.openbis.common.api.server.WhiteListHttpInvokerServiceExporter;
 import ch.systemsx.cisd.openbis.plugin.generic.shared.IGenericServer;
 import ch.systemsx.cisd.openbis.plugin.generic.shared.ResourceNames;
 
@@ -34,7 +34,7 @@ import ch.systemsx.cisd.openbis.plugin.generic.shared.ResourceNames;
  * @author Izabela Adamczyk
  */
 @Controller
-public class GenericServiceServer extends HttpInvokerServiceExporter
+public class GenericServiceServer extends WhiteListHttpInvokerServiceExporter
 {
     @Resource(name = ResourceNames.GENERIC_PLUGIN_SERVER)
     private IGenericServer server;