Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *   http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.commons.jcs3.io;
020
021import java.io.IOException;
022import java.io.InputStream;
023import java.io.ObjectInputStream;
024import java.io.ObjectStreamClass;
025import java.lang.reflect.Proxy;
026
027public class ObjectInputStreamClassLoaderAware extends ObjectInputStream {
028    private final ClassLoader classLoader;
029
030    public ObjectInputStreamClassLoaderAware(final InputStream in, final ClassLoader classLoader) throws IOException {
031        super(in);
032        this.classLoader = classLoader != null ? classLoader : Thread.currentThread().getContextClassLoader();
033    }
034
035    @Override
036    protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException {
037        return Class.forName(BlacklistClassResolver.DEFAULT.check(desc.getName()), false, classLoader);
038    }
039
040    @Override
041    protected Class<?> resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException {
042        final Class<?>[] cinterfaces = new Class[interfaces.length];
043        for (int i = 0; i < interfaces.length; i++) {
044            cinterfaces[i] = Class.forName(interfaces[i], false, classLoader);
045        }
046
047        try {
048            return Proxy.getProxyClass(classLoader, cinterfaces);
049        } catch (final IllegalArgumentException e) {
050            throw new ClassNotFoundException(null, e);
051        }
052    }
053
054    private static class BlacklistClassResolver {
055        private static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
056            toArray(System.getProperty(
057                "jcs.serialization.class.blacklist",
058                "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
059            toArray(System.getProperty("jcs.serialization.class.whitelist")));
060
061        private final String[] blacklist;
062        private final String[] whitelist;
063
064        protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
065            this.whitelist = whitelist;
066            this.blacklist = blacklist;
067        }
068
069        protected boolean isBlacklisted(final String name) {
070            return whitelist != null && !contains(whitelist, name) || contains(blacklist, name);
071        }
072
073        public final String check(final String name) {
074            if (isBlacklisted(name)) {
075                throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
076            }
077            return name;
078        }
079
080        private static String[] toArray(final String property) {
081            return property == null ? null : property.split(" *, *");
082        }
083
084        private static boolean contains(final String[] list, final String name) {
085            if (list != null) {
086                for (final String white : list) {
087                    if (name.startsWith(white)) {
088                        return true;
089                    }
090                }
091            }
092            return false;
093        }
094    }
095}