public class ValidatingObjectInputStream extends ObjectInputStream
An ObjectInputStream that's restricted to deserialize a limited set of classes.
Various accept/reject methods allow for specifying which classes can be deserialized.
Design inspired by IBM DeveloperWorks Article.
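The following usage sketch is an added example, not code from the Commons IO documentation. It shows default-deny behaviour, reject taking precedence over accept, and an invalidClassNameFound override that logs refused names. It assumes commons-io is on the classpath; AllowListDemo, LoggingStream, serialize, read and tryRead are hypothetical names, and the serialized inputs are constructed in memory.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class AllowListDemo {
    // Logs each refused class name, then lets the default implementation throw.
    static class LoggingStream extends ValidatingObjectInputStream {
        LoggingStream(InputStream in) throws IOException { super(in); }
        @Override
        protected void invalidClassNameFound(String className) throws InvalidClassException {
            System.err.println("refused class in stream: " + className);
            super.invalidClassNameFound(className);
        }
    }

    // Constructed sample input: serialize an object in memory.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (LoggingStream in = new LoggingStream(new ByteArrayInputStream(data))) {
            in.accept("java.lang.*", "java.util.*"); // wildcard accepts; '*' also spans dots
            in.reject(HashMap.class);                // reject takes precedence over accept
            return in.readObject();                  // classes matching no accept are refused
        }
    }

    static void tryRead(String label, Object sample) throws Exception {
        try {
            System.out.println(label + ": " + read(serialize(sample)));
        } catch (InvalidClassException e) {
            System.out.println(label + ": blocked (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        ArrayList<Object> list = new ArrayList<>();
        list.add("alice");
        list.add(42);                                           // Integer and its superclass Number
        tryRead("accepted list", list);                         // every class matches an accept
        tryRead("rejected map", new HashMap<String, String>()); // matched by reject(HashMap.class)
        tryRead("unlisted file", new File("x"));                // java.io.* was never accepted
    }
}
```

Configure the accept and reject rules before the first readObject call, and keep the accept set as narrow as the expected payload allows, since a wildcard such as java.util.* admits every serializable class under that prefix.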
Constructor and Description |
---|
ValidatingObjectInputStream(InputStream input) Constructs an object to deserialize the specified input stream. |
Modifier and Type | Method and Description |
---|---|
ValidatingObjectInputStream | accept(Class<?>... classes) Accept the specified classes for deserialization, unless they are otherwise rejected. |
ValidatingObjectInputStream | accept(ClassNameMatcher m) Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected. |
ValidatingObjectInputStream | accept(Pattern pattern) Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected. |
ValidatingObjectInputStream | accept(String... patterns) Accept the wildcard specified classes for deserialization, unless they are otherwise rejected. |
protected void | invalidClassNameFound(String className) Called to throw InvalidClassException if an invalid class name is found during deserialization. |
ValidatingObjectInputStream | reject(Class<?>... classes) Reject the specified classes for deserialization, even if they are otherwise accepted. |
ValidatingObjectInputStream | reject(ClassNameMatcher m) Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted. |
ValidatingObjectInputStream | reject(Pattern pattern) Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted. |
ValidatingObjectInputStream | reject(String... patterns) Reject the wildcard specified classes for deserialization, even if they are otherwise accepted. |
protected Class<?> | resolveClass(ObjectStreamClass osc) |
public ValidatingObjectInputStream(InputStream input) throws IOException

Parameters:
input - an input stream

Throws:
IOException - if an I/O error occurs while reading stream header

protected void invalidClassNameFound(String className) throws InvalidClassException

Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names.

Parameters:
className - name of the invalid class

Throws:
InvalidClassException - if the specified class is not allowed

protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException

Overrides:
resolveClass in class ObjectInputStream

Throws:
IOException
ClassNotFoundException

public ValidatingObjectInputStream accept(Class<?>... classes)

Parameters:
classes - Classes to accept

public ValidatingObjectInputStream reject(Class<?>... classes)

Parameters:
classes - Classes to reject

public ValidatingObjectInputStream accept(String... patterns)

Parameters:
patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch

public ValidatingObjectInputStream reject(String... patterns)

Parameters:
patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch

public ValidatingObjectInputStream accept(Pattern pattern)

Parameters:
pattern - standard Java regexp

public ValidatingObjectInputStream reject(Pattern pattern)

Parameters:
pattern - standard Java regexp

public ValidatingObjectInputStream accept(ClassNameMatcher m)

Parameters:
m - the matcher to use

public ValidatingObjectInputStream reject(ClassNameMatcher m)

Parameters:
m - the matcher to use

Copyright © 2002–2020 The Apache Software Foundation. All rights reserved.