Class ValidatingObjectInputStream

  • All Implemented Interfaces:
    java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

    public class ValidatingObjectInputStream
    extends java.io.ObjectInputStream
    An ObjectInputStream that is restricted to deserializing a limited set of classes.

    Various accept/reject methods allow for specifying which classes can be deserialized.

    Design inspired by an IBM DeveloperWorks article.

    • Nested Class Summary

      • Nested classes/interfaces inherited from class java.io.ObjectInputStream

        java.io.ObjectInputStream.GetField
    • Field Summary

      • Fields inherited from interface java.io.ObjectStreamConstants

        baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
    • Constructor Summary

      Constructors
      Constructor | Description
      ValidatingObjectInputStream(java.io.InputStream input)
        Constructs an object to deserialize the specified input stream.
    • Method Summary

      Modifier and Type | Method | Description
      ValidatingObjectInputStream accept(java.lang.Class<?>... classes)
        Accept the specified classes for deserialization, unless they are otherwise rejected.
      ValidatingObjectInputStream accept(java.lang.String... patterns)
        Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.
      ValidatingObjectInputStream accept(java.util.regex.Pattern pattern)
        Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.
      ValidatingObjectInputStream accept(ClassNameMatcher m)
        Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.
      protected void invalidClassNameFound(java.lang.String className)
        Called to throw InvalidClassException if an invalid class name is found during deserialization.
      ValidatingObjectInputStream reject(java.lang.Class<?>... classes)
        Reject the specified classes for deserialization, even if they are otherwise accepted.
      ValidatingObjectInputStream reject(java.lang.String... patterns)
        Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.
      ValidatingObjectInputStream reject(java.util.regex.Pattern pattern)
        Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.
      ValidatingObjectInputStream reject(ClassNameMatcher m)
        Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.
      protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass osc)
      • Methods inherited from class java.io.ObjectInputStream

        available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
      • Methods inherited from class java.io.InputStream

        mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface java.io.ObjectInput

        read, skip
    • Constructor Detail

      • ValidatingObjectInputStream

        public ValidatingObjectInputStream(java.io.InputStream input) throws java.io.IOException
        Constructs an object to deserialize the specified input stream. At least one accept method needs to be called to specify which classes can be deserialized, as by default no classes are accepted.
        Parameters:
        input - an input stream
        Throws:
        java.io.IOException - if an I/O error occurs while reading stream header
    • Method Detail

      • invalidClassNameFound

        protected void invalidClassNameFound(java.lang.String className) throws java.io.InvalidClassException
        Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names.
        Parameters:
        className - name of the invalid class
        Throws:
        java.io.InvalidClassException - if the specified class is not allowed
      • resolveClass

        protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass osc) throws java.io.IOException, java.lang.ClassNotFoundException
        Overrides:
        resolveClass in class java.io.ObjectInputStream
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException
      • accept

        public ValidatingObjectInputStream accept(java.lang.Class<?>... classes)
        Accept the specified classes for deserialization, unless they are otherwise rejected.
        Parameters:
        classes - Classes to accept
        Returns:
        this object
      • reject

        public ValidatingObjectInputStream reject(java.lang.Class<?>... classes)
        Reject the specified classes for deserialization, even if they are otherwise accepted.
        Parameters:
        classes - Classes to reject
        Returns:
        this object
      • accept

        public ValidatingObjectInputStream accept(java.lang.String... patterns)
        Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.
        Parameters:
        patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch
        Returns:
        this object
      • reject

        public ValidatingObjectInputStream reject(java.lang.String... patterns)
        Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.
        Parameters:
        patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch
        Returns:
        this object
      • accept

        public ValidatingObjectInputStream accept(java.util.regex.Pattern pattern)
        Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.
        Parameters:
        pattern - standard Java regexp
        Returns:
        this object
      • reject

        public ValidatingObjectInputStream reject(java.util.regex.Pattern pattern)
        Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.
        Parameters:
        pattern - standard Java regexp
        Returns:
        this object
      • accept

        public ValidatingObjectInputStream accept(ClassNameMatcher m)
        Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.
        Parameters:
        m - the matcher to use
        Returns:
        this object
      • reject

        public ValidatingObjectInputStream reject(ClassNameMatcher m)
        Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.
        Parameters:
        m - the matcher to use
        Returns:
        this object
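    The deny-by-default behaviour noted under the constructor, the accept/reject chaining, and the invalidClassNameFound logging hook, shown together in an added example that is not part of the Commons IO documentation or source. AllowlistDemo, Invoice, Refund, serialize and readInvoice are constructed names for this illustration; the only library type used is ValidatingObjectInputStream itself.

```java
import java.io.*;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class AllowlistDemo {
    // Constructed sample types for this example; only Invoice is expected from the wire.
    public static final class Invoice implements Serializable {
        final String customer; final long cents;
        Invoice(String customer, long cents) { this.customer = customer; this.cents = cents; }
    }
    public static final class Refund implements Serializable {
        final long cents;
        Refund(long cents) { this.cents = cents; }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
        return bytes.toByteArray();
    }

    /** Deserializes untrusted bytes, permitting only Invoice; any other class fails in resolveClass. */
    static Object readInvoice(byte[] untrusted) throws IOException, ClassNotFoundException {
        // The constructor consumes the stream header; accept() is configured before readObject().
        try (ValidatingObjectInputStream in =
                 new ValidatingObjectInputStream(new ByteArrayInputStream(untrusted)) {
            @Override
            protected void invalidClassNameFound(String className) throws InvalidClassException {
                System.err.println("rejected class in stream: " + className); // logging/alerting hook
                super.invalidClassNameFound(className);                        // keep throwing
            }
        }) {
            // Default is deny-all, so list exactly what is expected. Wildcard or regex accept()
            // and reject() calls chain the same way; a reject always overrides an accept.
            return in.accept(Invoice.class).readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Invoice ok = (Invoice) readInvoice(serialize(new Invoice("acme", 1999)));
        System.out.println("accepted: " + ok.customer + " " + ok.cents);
        try {
            readInvoice(serialize(new Refund(500)));
        } catch (InvalidClassException expected) {
            // Thrown while resolving the class descriptor, i.e. before any Refund instance exists.
            System.out.println("blocked before instantiation: " + expected.getMessage());
        }
    }
}
```

    Because the check runs in resolveClass, a class that is not accepted is refused while its descriptor is being read, so no constructor, readObject or readResolve of that class ever executes.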