public class WhiteListDeserializingConverter
extends java.lang.Object
implements org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>
Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, if using a DefaultDeserializer all classes/packages are deserialized. If you receive data from untrusted sources, consider adding trusted classes/packages using setWhiteListPatterns(String...) or addWhiteListPatterns(String...).

Constructor and Description |
---|
WhiteListDeserializingConverter() Create a WhiteListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader". |
WhiteListDeserializingConverter(java.lang.ClassLoader classLoader) Create a WhiteListDeserializingConverter for using an ObjectInputStream with the given ClassLoader. |
WhiteListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer) Create a WhiteListDeserializingConverter that delegates to the provided Deserializer. |

Modifier and Type | Method and Description |
---|---|
void | addWhiteListPatterns(java.lang.String... patterns) Add package/class patterns to the white list. |
protected void | checkWhiteList(java.lang.Class<?> clazz) |
java.lang.Object | convert(byte[] source) |
protected java.lang.Object | deserialize(java.io.ByteArrayInputStream inputStream) |
void | setWhiteListPatterns(java.lang.String... whiteListPatterns) Set simple patterns for allowable packages/classes for deserialization. |

public WhiteListDeserializingConverter()
Create a WhiteListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".

public WhiteListDeserializingConverter(java.lang.ClassLoader classLoader)
Create a WhiteListDeserializingConverter for using an ObjectInputStream with the given ClassLoader.
Parameters:
classLoader - the class loader to use for deserialization.

public WhiteListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer)
Create a WhiteListDeserializingConverter that delegates to the provided Deserializer.
Parameters:
deserializer - the deserializer to use.

public void setWhiteListPatterns(java.lang.String... whiteListPatterns)
Set simple patterns for allowable packages/classes for deserialization. Examples: com.foo.*, *.MyClass.
Parameters:
whiteListPatterns - the patterns.

public void addWhiteListPatterns(java.lang.String... patterns)
Add package/class patterns to the white list.
Parameters:
patterns - the patterns to add.
See Also:
setWhiteListPatterns(String...)

public java.lang.Object convert(byte[] source)
Specified by:
convert in interface org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>

protected java.lang.Object deserialize(java.io.ByteArrayInputStream inputStream) throws java.io.IOException
Throws:
java.io.IOException

protected void checkWhiteList(java.lang.Class<?> clazz) throws java.io.IOException
Throws:
java.io.IOException
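
The kind of check that setWhiteListPatterns(String...) and checkWhiteList(Class) describe can be sketched with the JDK alone, as an added example that is not Spring Integration's own code: an ObjectInputStream subclass rejects any class whose name matches no pattern before that class is loaded. The class name AllowListDemo, the helper names and the matching rule (exact name, or one `*` at the start or end) are assumptions of this sketch.

```java
import java.io.*;
import java.util.*;

public class AllowListDemo {

    // Assumed rule for this sketch: exact class name, or one '*' at the start or end.
    static boolean matches(String pattern, String name) {
        if (pattern.endsWith("*")) return name.startsWith(pattern.substring(0, pattern.length() - 1));
        if (pattern.startsWith("*")) return name.endsWith(pattern.substring(1));
        return pattern.equals(name);
    }

    // Checks every class descriptor in the stream before the class is loaded.
    static Object deserialize(byte[] data, List<String> patterns)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                String name = desc.getName();
                if (patterns.stream().noneMatch(p -> matches(p, name))) {
                    throw new InvalidClassException(name, "not on the allow list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> allowed = List.of("java.lang.*", "*.ArrayList");
        // Constructed sample inputs, serialized locally for the demonstration.
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("a"))), allowed));
        try {
            deserialize(serialize(new HashMap<String, String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every class descriptor in the object graph passes through resolveClass, including serializable superclasses and array types (which appear under names such as `[Ljava.lang.String;`), so the patterns have to cover all of them, not only the top-level class.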