Package org.apache.commons.io.serialization

Class ValidatingObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

org.apache.commons.io.serialization.ValidatingObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

public class ValidatingObjectInputStream
extends ObjectInputStream

An ObjectInputStream that's restricted to deserialize a limited set of classes.

Various accept/reject methods allow for specifying which classes can be deserialized.

Design inspired by IBM DeveloperWorks Article.

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor	Description
ValidatingObjectInputStream(InputStream input)	Constructs an object to deserialize the specified input stream.

Method Summary

Modifier and Type	Method	Description
ValidatingObjectInputStream	accept(Class<?>... classes)	Accept the specified classes for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream	accept(String... patterns)	Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream	accept(Pattern pattern)	Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream	accept(ClassNameMatcher m)	Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.
protected void	invalidClassNameFound(String className)	Called to throw InvalidClassException if an invalid class name is found during deserialization.
ValidatingObjectInputStream	reject(Class<?>... classes)	Reject the specified classes for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream	reject(String... patterns)	Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream	reject(Pattern pattern)	Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream	reject(ClassNameMatcher m)	Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.
protected Class<?>	resolveClass(ObjectStreamClass osc)

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Constructor Details

ValidatingObjectInputStream

public ValidatingObjectInputStream(InputStream input)
                            throws IOException

Constructs an object to deserialize the specified input stream. At least one accept method needs to be called to specify which classes can be deserialized, as by default no classes are accepted.

Parameters:

input - an input stream

Throws:

IOException - if an I/O error occurs while reading stream header

Method Details

accept

public ValidatingObjectInputStream accept(Class<?>... classes)

Accept the specified classes for deserialization, unless they are otherwise rejected.

Parameters:

classes - Classes to accept

Returns:

this object

accept

public ValidatingObjectInputStream accept(ClassNameMatcher m)

Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.

Parameters:

m - the matcher to use

Returns:

this object

accept

public ValidatingObjectInputStream accept(Pattern pattern)

Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.

Parameters:

pattern - standard Java regexp

Returns:

this object

accept

public ValidatingObjectInputStream accept(String... patterns)

Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.

Parameters:

patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch

Returns:

this object

invalidClassNameFound

protected void invalidClassNameFound(String className)
                              throws InvalidClassException

Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names.

Parameters:

className - name of the invalid class

Throws:

InvalidClassException - if the specified class is not allowed

reject

public ValidatingObjectInputStream reject(Class<?>... classes)

Reject the specified classes for deserialization, even if they are otherwise accepted.

Parameters:

classes - Classes to reject

Returns:

this object

reject

public ValidatingObjectInputStream reject(ClassNameMatcher m)

Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.

Parameters:

m - the matcher to use

Returns:

this object

reject

public ValidatingObjectInputStream reject(Pattern pattern)

Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.

Parameters:

pattern - standard Java regexp

Returns:

this object

reject

public ValidatingObjectInputStream reject(String... patterns)

Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.

Parameters:

patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch

Returns:

this object

resolveClass

protected Class<?> resolveClass(ObjectStreamClass osc)
                         throws IOException,
ClassNotFoundException

Overrides:

resolveClass in class ObjectInputStream

Throws:

IOException

ClassNotFoundException