Class ValidatingObjectInputStream

java.lang.Object
  java.io.InputStream
    java.io.ObjectInputStream
      org.apache.commons.io.serialization.ValidatingObjectInputStream

All Implemented Interfaces:
java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

public class ValidatingObjectInputStream extends java.io.ObjectInputStream

An ObjectInputStream that is restricted to deserializing a limited set of classes. Various accept/reject methods allow for specifying which classes can be deserialized. Nothing is accepted until at least one accept rule has been added, and a class name matched by any reject rule is refused even if an accept rule also matches it.
Design inspired by IBM DeveloperWorks Article.
Field Summary

Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary

ValidatingObjectInputStream(java.io.InputStream input)
    Constructs an object to deserialize the specified input stream.
Method Summary

All Methods, Instance Methods, Concrete Methods

ValidatingObjectInputStream accept(java.lang.Class<?>... classes)
    Accept the specified classes for deserialization, unless they are otherwise rejected.

ValidatingObjectInputStream accept(java.lang.String... patterns)
    Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.

ValidatingObjectInputStream accept(java.util.regex.Pattern pattern)
    Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.

ValidatingObjectInputStream accept(ClassNameMatcher m)
    Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.

protected void invalidClassNameFound(java.lang.String className)
    Called to throw InvalidClassException if an invalid class name is found during deserialization.

ValidatingObjectInputStream reject(java.lang.Class<?>... classes)
    Reject the specified classes for deserialization, even if they are otherwise accepted.

ValidatingObjectInputStream reject(java.lang.String... patterns)
    Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.

ValidatingObjectInputStream reject(java.util.regex.Pattern pattern)
    Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.

ValidatingObjectInputStream reject(ClassNameMatcher m)
    Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.

protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass osc)
    Checks the class name in the descriptor against the accept/reject rules before resolving it.
Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
Constructor Detail

ValidatingObjectInputStream

public ValidatingObjectInputStream(java.io.InputStream input) throws java.io.IOException

Constructs an object to deserialize the specified input stream. At least one accept method needs to be called to specify which classes can be deserialized, as by default no classes are accepted. Add the accept and reject rules before the first call to readObject(): the check runs as each class descriptor in the stream is resolved, so rules added later do not apply to data already read.

Parameters:
input - an input stream

Throws:
java.io.IOException - if an I/O error occurs while reading the stream header
Method Detail
invalidClassNameFound

protected void invalidClassNameFound(java.lang.String className) throws java.io.InvalidClassException

Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names. An override that returns normally instead of throwing (or calling the superclass method) lets the rejected class be resolved and deserialized, so log and then rethrow.

Parameters:
className - name of the invalid class

Throws:
java.io.InvalidClassException - if the specified class is not allowed
resolveClass

protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass osc) throws java.io.IOException, java.lang.ClassNotFoundException

Checks the class name of the supplied descriptor against the accept and reject rules, calling invalidClassNameFound(String) when it is not allowed, and otherwise delegates to the superclass. This is where the restriction is enforced. It is applied to every class descriptor the stream contains, including the superclass descriptors of an accepted class and array descriptors such as "[Ljava.lang.String;", so those names must be accepted too; java.lang.String values are written without a class descriptor and are never checked.

Overrides:
resolveClass in class java.io.ObjectInputStream

Throws:
java.io.IOException
java.lang.ClassNotFoundException
accept

public ValidatingObjectInputStream accept(java.lang.Class<?>... classes)

Accept the specified classes for deserialization, unless they are otherwise rejected.

Parameters:
classes - Classes to accept

Returns:
this object

reject

public ValidatingObjectInputStream reject(java.lang.Class<?>... classes)

Reject the specified classes for deserialization, even if they are otherwise accepted.

Parameters:
classes - Classes to reject

Returns:
this object
accept

public ValidatingObjectInputStream accept(java.lang.String... patterns)

Accept the wildcard specified classes for deserialization, unless they are otherwise rejected. Patterns are matched against the fully qualified class name, and "*" matches any run of characters including the package separator, so a broad pattern such as "java.*" admits every class under that package tree, including ones usable as deserialization gadgets. Prefer exact class names or narrow patterns and pair them with reject rules.

Parameters:
patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch

Returns:
this object

reject

public ValidatingObjectInputStream reject(java.lang.String... patterns)

Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.

Parameters:
patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch

Returns:
this object
accept

public ValidatingObjectInputStream accept(java.util.regex.Pattern pattern)

Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.

Parameters:
pattern - standard Java regexp

Returns:
this object

reject

public ValidatingObjectInputStream reject(java.util.regex.Pattern pattern)

Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.

Parameters:
pattern - standard Java regexp

Returns:
this object

accept

public ValidatingObjectInputStream accept(ClassNameMatcher m)

Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.

Parameters:
m - the matcher to use

Returns:
this object

reject

public ValidatingObjectInputStream reject(ClassNameMatcher m)

Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.

Parameters:
m - the matcher to use

Returns:
this object
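The following is an added example, not code from this page or from the Apache Commons IO project. It assumes commons-io 2.5 or later on the classpath and uses a hypothetical Message class constructed for the demonstration. It exercises the points documented above: nothing is accepted by default, accept(Class...) must also cover the superclass descriptors that a boxed field brings into the stream, invalidClassNameFound can be overridden to log and rethrow, a reject rule wins over a wildcard accept, and arrays carry their own descriptor name.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

/** Allow-list deserialization with ValidatingObjectInputStream (example code, not the library's). */
public class AllowListDeserialization {

    /** Hypothetical application payload, constructed for this example. */
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sender;   // String values are TC_STRING records and never reach resolveClass
        final Integer ttl;     // boxed value: java.lang.Integer AND its superclass java.lang.Number are resolved
        Message(String sender, Integer ttl) { this.sender = sender; this.ttl = ttl; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize a Message, accepting only the class names its object graph actually contains. */
    static Message readMessage(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream in = new ValidatingObjectInputStream(new ByteArrayInputStream(bytes)) {
                @Override
                protected void invalidClassNameFound(String className) throws InvalidClassException {
                    // Log the attempt, then let the superclass throw; returning here would allow the class.
                    System.err.println("rejected class in stream: " + className);
                    super.invalidClassNameFound(className);
                }
            }) {
            // Rules must be in place before readObject(); nothing is accepted by default.
            in.accept(Message.class, Integer.class, Number.class);
            return (Message) in.readObject();
        }
    }

    /** A broad wildcard accept combined with an explicit reject: the reject wins. */
    static Object readWithPatterns(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream in = new ValidatingObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.accept("java.util.*")      // FilenameUtils-style wildcard: '*' also matches '.'
              .reject(HashMap.class);     // refused even though the pattern above matches it
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Message m = readMessage(serialize(new Message("alice", 30)));
        System.out.println("accepted: " + m.sender + " ttl=" + m.ttl);

        // Same reader, a different class in the stream: refused in resolveClass,
        // before any HashMap (or anything it could carry) is instantiated.
        Map<String, String> map = new HashMap<>();
        map.put("k", "v");
        byte[] untrusted = serialize(map);
        try {
            readMessage(untrusted);
        } catch (InvalidClassException e) {
            System.out.println("readMessage refused: " + e.classname);
        }
        try {
            readWithPatterns(untrusted);
        } catch (InvalidClassException e) {
            System.out.println("readWithPatterns refused: " + e.classname);
        }

        // Arrays have their own descriptor name, so an allow-list for String[] is "[Ljava.lang.String;".
        byte[] arr = serialize(new String[] {"x", "y"});
        try (ValidatingObjectInputStream in = new ValidatingObjectInputStream(new ByteArrayInputStream(arr))) {
            in.accept("[Ljava.lang.String;");
            System.out.println("array length: " + ((String[]) in.readObject()).length);
        }
    }
}
```

Keep the accept list to exact class names wherever the payload shape is known; every name that is needed shows up as an InvalidClassException during testing, which is far cheaper than discovering a gadget class admitted by a wildcard in production.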