Package org.springframework.integration.support.converter

Class AllowListDeserializingConverter

java.lang.Object

org.springframework.integration.support.converter.AllowListDeserializingConverter

All Implemented Interfaces:

Converter<byte[],Object>

public class AllowListDeserializingConverter
extends Object
implements Converter<byte[],Object>

A Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, if using a DefaultDeserializer all classes/packages are deserialized. If you receive data from untrusted sources, consider adding trusted classes/packages using setAllowedPatterns(String...) or addAllowedPatterns(String...).

If a delegate deserializer is a DefaultDeserializer, only its ClassLoader is used for a ConfigurableObjectInputStream logic.

Since:

5.4

Author:

Gary Russell, Mark Fisher, Juergen Hoeller, Artem Bilan

Constructor Summary

Constructors

Constructor	Description
AllowListDeserializingConverter()	Create a AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".
AllowListDeserializingConverter(ClassLoader classLoader)	Create a AllowListDeserializingConverter for using an ObjectInputStream with the given ClassLoader.
AllowListDeserializingConverter(Deserializer<Object> deserializer)	Create a AllowListDeserializingConverter that delegates to the provided Deserializer.

Method Summary

Modifier and Type	Method	Description
void	addAllowedPatterns(String... patterns)	Add package/class patterns to the allowed list.
protected void	checkAllowList(Class<?> clazz)
Object	convert(byte[] source)
protected Object	deserialize(ByteArrayInputStream inputStream)
void	setAllowedPatterns(String... allowedPatterns)	Set simple patterns for allowable packages/classes for deserialization.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.core.convert.converter.Converter

andThen

Constructor Details

AllowListDeserializingConverter

public AllowListDeserializingConverter()

Create a AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".

AllowListDeserializingConverter

public AllowListDeserializingConverter(ClassLoader classLoader)

Create a AllowListDeserializingConverter for using an ObjectInputStream with the given ClassLoader.

Parameters:

classLoader - the class loader to use for deserialization.

AllowListDeserializingConverter

public AllowListDeserializingConverter(Deserializer<Object> deserializer)

Create a AllowListDeserializingConverter that delegates to the provided Deserializer.

Parameters:

deserializer - the deserializer to use.

Method Details

setAllowedPatterns

public void setAllowedPatterns(String... allowedPatterns)

Set simple patterns for allowable packages/classes for deserialization. The patterns will be applied in order until a match is found. A class can be fully qualified or a wildcard '*' is allowed at the beginning or end of the class name. Examples: com.foo.*, *.MyClass.

Parameters:

allowedPatterns - the patterns.

addAllowedPatterns

public void addAllowedPatterns(String... patterns)

Add package/class patterns to the allowed list.

Parameters:

patterns - the patterns to add.

See Also:

• setAllowedPatterns(String...)

convert

public Object convert(byte[] source)

Specified by:

convert in interface Converter<byte[],Object>

deserialize

protected Object deserialize(ByteArrayInputStream inputStream)
                      throws IOException

Throws:

IOException

checkAllowList

protected void checkAllowList(Class<?> clazz)