The recent Foxglove Security article on Java deserialization attacks with links to example code for targeting major app servers, as well as Spring and Groovy apps, is raising lots of consternation. The article states that these exploits bypass authentication because the object payload is deserialized before authentication checks are done. It doesn't specifically name or discuss Spring HttpInvoker, though, and I haven't been able to find a clear statement on this elsewhere.
For remote services exposed via Spring HttpInvoker, using Spring Security with Basic authentication, would the authentication check be performed before the (potentially malicious) object payload is deserialized? Or does the article's assertion that "authentication won't protect you from this attack" apply to HttpInvoker services as well?
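The ordering the question asks about is decided by where the two pieces sit in the servlet pipeline: Spring Security runs as a servlet filter (the `springSecurityFilterChain` registered through `DelegatingFilterProxy`) ahead of the `DispatcherServlet`, while `HttpInvokerServiceExporter` only opens an `ObjectInputStream` on the request body inside `handleRequest()`, which the `DispatcherServlet` invokes after the filters have passed the request along. The following is an added configuration example, not code from the question, from Foxglove Security or from the Spring project, written against Spring 4.x / Spring Security 4.x (the versions current when the article appeared). The service name `AccountService`, the URL `/remoting/accountService` and the user credentials are hypothetical. It assumes the security filter is registered in `web.xml` or via `AbstractSecurityWebApplicationInitializer`, and that the exporter bean lives in the `DispatcherServlet`'s own context so that `BeanNameUrlHandlerMapping` picks up the `/`-prefixed bean name.

```java
// Added example: HTTP Basic (Spring Security 4.x) in front of a Spring 4.x HttpInvoker endpoint.
// Not the question author's code; names and credentials are hypothetical.
import java.math.BigDecimal;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical remote interface exposed over HttpInvoker.
interface AccountService {
    BigDecimal balance(String accountId);
}

@Configuration
@EnableWebSecurity
public class RemotingSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Every remoting URL must be covered here. A path that falls outside the
                // pattern, or one marked permitAll(), reaches the exporter (and its
                // ObjectInputStream) with no authentication at all.
                .antMatchers("/remoting/**").authenticated()
                .anyRequest().denyAll()
                .and()
            // BasicAuthenticationFilter authenticates; an unauthenticated request is turned
            // into a 401 by ExceptionTranslationFilter before the DispatcherServlet, and
            // therefore before HttpInvokerServiceExporter, ever sees the body.
            .httpBasic()
                .and()
            // Machine-to-machine clients present credentials on every call; no session needed.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // HttpInvoker clients POST a serialized body with no CSRF token; the default
            // CsrfFilter would otherwise reject every legitimate remote call.
            .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical client account. Spring Security 4 accepts a plain password here;
        // Spring Security 5 requires a PasswordEncoder (or a "{noop}" prefix).
        auth.inMemoryAuthentication()
            .withUser("remoting-client").password("change-me").roles("REMOTING");
    }

    // Hypothetical service implementation behind the exporter.
    @Bean
    public AccountService accountService() {
        return accountId -> BigDecimal.ZERO;
    }

    // A bean name beginning with "/" is mapped by BeanNameUrlHandlerMapping, so this
    // exporter answers POSTs to /remoting/accountService (if the bean is registered in
    // the DispatcherServlet's context; otherwise map it with SimpleUrlHandlerMapping).
    @Bean(name = "/remoting/accountService")
    public HttpInvokerServiceExporter accountServiceExporter(AccountService accountService) {
        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
        exporter.setService(accountService);
        exporter.setServiceInterface(AccountService.class);
        return exporter;
    }
}
```

A quick check of the ordering is to POST an arbitrary body to `/remoting/accountService` without credentials and confirm a 401 with no exporter or deserialization activity in the logs; repeating the request with valid credentials is what exercises `handleRequest()`. The caveat is that this narrows who can reach the deserialization sink to holders of valid credentials; it does not remove the sink, so anyone with (or who has stolen) those credentials can still deliver a gadget-chain payload, and the exporter itself performs no authentication of its own.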