Class ValidatingObjectInputStream
java.lang.Object
java.io.InputStream
java.io.ObjectInputStream
org.apache.commons.io.serialization.ValidatingObjectInputStream
- All Implemented Interfaces:
Closeable,DataInput,ObjectInput,ObjectStreamConstants,AutoCloseable
An
ObjectInputStream that's restricted to deserialize
a limited set of classes.
Various accept/reject methods allow for specifying which classes can be deserialized.
Design inspired by IBM DeveloperWorks Article.
-
Nested Class Summary
Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField -
Field Summary
Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING -
Constructor Summary
ConstructorsConstructorDescriptionConstructs an object to deserialize the specified input stream. -
Method Summary
Modifier and TypeMethodDescriptionAccept the specified classes for deserialization, unless they are otherwise rejected.Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.protected voidinvalidClassNameFound(String className) Called to throwInvalidClassExceptionif an invalid class name is found during deserialization.Reject the specified classes for deserialization, even if they are otherwise accepted.Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.protected Class<?>Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytesMethods inherited from class java.io.InputStream
mark, markSupported, read, reset, skipMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface java.io.ObjectInput
read, skip
-
Constructor Details
-
ValidatingObjectInputStream
Constructs an object to deserialize the specified input stream. At least one accept method needs to be called to specify which classes can be deserialized, as by default no classes are accepted.- Parameters:
input- an input stream- Throws:
IOException- if an I/O error occurs while reading stream header
-
-
Method Details
-
accept
Accept the specified classes for deserialization, unless they are otherwise rejected.- Parameters:
classes- Classes to accept- Returns:
- this object
-
accept
Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.- Parameters:
m- the matcher to use- Returns:
- this object
-
accept
Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.- Parameters:
pattern- standard Java regexp- Returns:
- this object
-
accept
Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.- Parameters:
patterns- Wildcard file name patterns as defined byFilenameUtils.wildcardMatch- Returns:
- this object
-
invalidClassNameFound
Called to throwInvalidClassExceptionif an invalid class name is found during deserialization. Can be overridden, for example to log those class names.- Parameters:
className- name of the invalid class- Throws:
InvalidClassException- if the specified class is not allowed
-
reject
Reject the specified classes for deserialization, even if they are otherwise accepted.- Parameters:
classes- Classes to reject- Returns:
- this object
-
reject
Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.- Parameters:
m- the matcher to use- Returns:
- this object
-
reject
Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.- Parameters:
pattern- standard Java regexp- Returns:
- this object
-
reject
Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.- Parameters:
patterns- Wildcard file name patterns as defined byFilenameUtils.wildcardMatch- Returns:
- this object
-
resolveClass
- Overrides:
resolveClassin classObjectInputStream- Throws:
IOExceptionClassNotFoundException
-