Package org.apache.commons.io.serialization

Class ValidatingObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

org.apache.commons.io.serialization.ValidatingObjectInputStream

public class ValidatingObjectInputStream
extends java.io.ObjectInputStream

An ObjectInputStream that's restricted to deserialize a limited set of classes.

Various accept/reject methods allow for specifying which classes can be deserialized.

Design inspired by IBM DeveloperWorks Article.

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

java.io.ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor	Description
ValidatingObjectInputStream(java.io.InputStream input)	Constructs an object to deserialize the specified input stream.

Method Summary

Modifier and Type	Method	Description
ValidatingObjectInputStream	accept(java.lang.Class<?>... classes)	Accept the specified classes for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream	accept(java.lang.String... patterns)	Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream	accept(java.util.regex.Pattern pattern)	Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.
ValidatingObjectInputStream	accept(ClassNameMatcher m)	Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.
protected void	invalidClassNameFound(java.lang.String className)	Called to throw InvalidClassException if an invalid class name is found during deserialization.
ValidatingObjectInputStream	reject(java.lang.Class<?>... classes)	Reject the specified classes for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream	reject(java.lang.String... patterns)	Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream	reject(java.util.regex.Pattern pattern)	Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.
ValidatingObjectInputStream	reject(ClassNameMatcher m)	Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.
protected java.lang.Class<?>	resolveClass(java.io.ObjectStreamClass osc)

Methods inherited from class java.io.InputStream

mark, markSupported, read, readAllBytes, readNBytes, reset, skip, transferTo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Constructor Detail

ValidatingObjectInputStream

public ValidatingObjectInputStream(java.io.InputStream input)
                            throws java.io.IOException

Constructs an object to deserialize the specified input stream. At least one accept method needs to be called to specify which classes can be deserialized, as by default no classes are accepted.

Parameters:

input - an input stream

Throws:

java.io.IOException - if an I/O error occurs while reading stream header

Method Detail

invalidClassNameFound

protected void invalidClassNameFound(java.lang.String className)
                              throws java.io.InvalidClassException

Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names.

Parameters:

className - name of the invalid class

Throws:

java.io.InvalidClassException - if the specified class is not allowed

resolveClass

protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass osc)
                                   throws java.io.IOException,
                                          java.lang.ClassNotFoundException

Overrides:

resolveClass in class java.io.ObjectInputStream

Throws:

java.io.IOException

java.lang.ClassNotFoundException

accept

public ValidatingObjectInputStream accept(java.lang.Class<?>... classes)

Accept the specified classes for deserialization, unless they are otherwise rejected.

Parameters:

classes - Classes to accept

Returns:

this object

reject

public ValidatingObjectInputStream reject(java.lang.Class<?>... classes)

Reject the specified classes for deserialization, even if they are otherwise accepted.

Parameters:

classes - Classes to reject

Returns:

this object

accept

public ValidatingObjectInputStream accept(java.lang.String... patterns)

Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.

Parameters:

patterns - Wildcard filename patterns as defined by FilenameUtils.wildcardMatch

Returns:

this object

reject

public ValidatingObjectInputStream reject(java.lang.String... patterns)

Reject the wildcard specified classes for deserialization, even if they are otherwise accepted.

Parameters:

patterns - Wildcard filename patterns as defined by FilenameUtils.wildcardMatch

Returns:

this object

accept

public ValidatingObjectInputStream accept(java.util.regex.Pattern pattern)

Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.

Parameters:

pattern - standard Java regexp

Returns:

this object

reject

public ValidatingObjectInputStream reject(java.util.regex.Pattern pattern)

Reject class names that match the supplied pattern for deserialization, even if they are otherwise accepted.

Parameters:

pattern - standard Java regexp

Returns:

this object

accept

public ValidatingObjectInputStream accept(ClassNameMatcher m)

Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.

Parameters:

m - the matcher to use

Returns:

this object

reject

public ValidatingObjectInputStream reject(ClassNameMatcher m)

Reject class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.

Parameters:

m - the matcher to use

Returns:

this object