public class ValidatingObjectInputStream
extends java.io.ObjectInputStream

An ObjectInputStream that's restricted to deserialize a limited set of classes. Various accept/reject methods allow for specifying which classes can be deserialized.

Design inspired by IBM DeveloperWorks Article.
Field Summary

Modifier and Type | Field and Description
---|---
private java.util.List<ClassNameMatcher> | acceptMatchers
private java.util.List<ClassNameMatcher> | rejectMatchers
Fields inherited from interface java.io.ObjectStreamConstants:
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary

Constructor and Description
---
ValidatingObjectInputStream(java.io.InputStream input) Constructs an object to deserialize the specified input stream.
Method Summary

Modifier and Type | Method and Description
---|---
ValidatingObjectInputStream | accept(java.lang.Class<?>... classes) Accept the specified classes for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream | accept(ClassNameMatcher m) Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream | accept(java.util.regex.Pattern pattern) Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream | accept(java.lang.String... patterns) Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.
protected void | invalidClassNameFound(java.lang.String className) Called to throw InvalidClassException if an invalid class name is found during deserialization.
ValidatingObjectInputStream | reject(java.lang.Class<?>... classes) Reject the specified classes for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream | reject(ClassNameMatcher m) Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream | reject(java.util.regex.Pattern pattern) Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream | reject(java.lang.String... patterns) Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.
protected java.lang.Class<?> | resolveClass(java.io.ObjectStreamClass osc)
private void | validateClassName(java.lang.String name) Check that the classname conforms to requirements.
Methods inherited from class java.io.ObjectInputStream:
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes
Field Detail

acceptMatchers
private final java.util.List<ClassNameMatcher> acceptMatchers

rejectMatchers
private final java.util.List<ClassNameMatcher> rejectMatchers

Constructor Detail

ValidatingObjectInputStream
public ValidatingObjectInputStream(java.io.InputStream input) throws java.io.IOException
Parameters:
input - an input stream
Throws:
java.io.IOException - if an I/O error occurs while reading stream header

Method Detail

validateClassName
private void validateClassName(java.lang.String name) throws java.io.InvalidClassException
Parameters:
name - The class name
Throws:
java.io.InvalidClassException - when a non-accepted class is encountered

invalidClassNameFound
protected void invalidClassNameFound(java.lang.String className) throws java.io.InvalidClassException
Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names.
Parameters:
className - name of the invalid class
Throws:
java.io.InvalidClassException - if the specified class is not allowed

resolveClass
protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass osc) throws java.io.IOException, java.lang.ClassNotFoundException
Overrides:
resolveClass in class java.io.ObjectInputStream
Throws:
java.io.IOException
java.lang.ClassNotFoundException

accept
public ValidatingObjectInputStream accept(java.lang.Class<?>... classes)
Parameters:
classes - Classes to accept

reject
public ValidatingObjectInputStream reject(java.lang.Class<?>... classes)
Parameters:
classes - Classes to reject

accept
public ValidatingObjectInputStream accept(java.lang.String... patterns)
Parameters:
patterns - Wildcard filename patterns as defined by FilenameUtils.wildcardMatch

reject
public ValidatingObjectInputStream reject(java.lang.String... patterns)
Parameters:
patterns - Wildcard filename patterns as defined by FilenameUtils.wildcardMatch

accept
public ValidatingObjectInputStream accept(java.util.regex.Pattern pattern)
Parameters:
pattern - standard Java regexp

reject
public ValidatingObjectInputStream reject(java.util.regex.Pattern pattern)
Parameters:
pattern - standard Java regexp

accept
public ValidatingObjectInputStream accept(ClassNameMatcher m)
Parameters:
m - the matcher to use

reject
public ValidatingObjectInputStream reject(ClassNameMatcher m)
Parameters:
m - the matcher to use
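Added usage example (not code from Commons IO or from this page): objects are round-tripped through a ValidatingObjectInputStream whose allow-list combines accept(Class...) and a wildcard accept(String...), with a reject(Class...) entry that wins over the wildcard as the method docs above describe. AllowListExample and Greeting are constructed sample types, and the package org.apache.commons.io.serialization is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import org.apache.commons.io.serialization.ValidatingObjectInputStream; // assumed package

public class AllowListExample {
    /** Constructed sample type for this example; not part of Commons IO. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Read with an allow-list; reject() entries take precedence over accept() entries. */
    static Object readRestricted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream in =
                     new ValidatingObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.accept(Greeting.class);   // exact class name
            in.accept("java.util.*");    // FilenameUtils-style wildcard (e.g. ArrayList)
            in.reject(HashMap.class);    // rejected even though "java.util.*" matches it
            return in.readObject();      // resolveClass() validates each class descriptor
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) readRestricted(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);
        System.out.println("accepted: " + readRestricted(serialize(new ArrayList<Integer>())));
        // HashMap is explicitly rejected: the InvalidClassException is thrown from
        // resolveClass() before the object's own deserialization logic runs.
        try {
            readRestricted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because validateClassName requires at least one accept matcher to match, a stream with no accept() calls rejects every class; build the allow-list before the first readObject().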