Class AllowListDeserializingConverter
java.lang.Object
org.springframework.integration.support.converter.AllowListDeserializingConverter
public class AllowListDeserializingConverter extends Object implements Converter<byte[],Object>
A Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, if using a DefaultDeserializer, all classes/packages are deserialized. If you receive data from untrusted sources, consider adding trusted classes/packages using setAllowedPatterns(String...) or addAllowedPatterns(String...).
- Since: 5.4
- Author: Gary Russell, Mark Fisher, Juergen Hoeller, Artem Bilan
Constructor Summary
Constructor | Description
AllowListDeserializingConverter() | Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".
AllowListDeserializingConverter(ClassLoader classLoader) |
AllowListDeserializingConverter(Deserializer<Object> deserializer) | Create an AllowListDeserializingConverter that delegates to the provided Deserializer.
Method Summary
Modifier and Type | Method | Description
void | addAllowedPatterns(String... patterns) | Add package/class patterns to the allow list.
protected void | checkAllowList(Class<?> clazz) |
Object | convert(byte[] source) |
protected Object | deserialize(ByteArrayInputStream inputStream) |
void | setAllowedPatterns(String... allowedPatterns) | Set simple patterns for allowable packages/classes for deserialization.
Constructor Details
AllowListDeserializingConverter
public AllowListDeserializingConverter()
Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".
AllowListDeserializingConverter
- Parameters: classLoader - the class loader to use for deserialization.
AllowListDeserializingConverter
Create an AllowListDeserializingConverter that delegates to the provided Deserializer.
- Parameters: deserializer - the deserializer to use.
Method Details
setAllowedPatterns
Set simple patterns for allowable packages/classes for deserialization. The patterns will be applied in order until a match is found. A class can be fully qualified or a wildcard '*' is allowed at the beginning or end of the class name. Examples: com.foo.*, *.MyClass.
- Parameters: allowedPatterns - the patterns.
addAllowedPatterns
Add package/class patterns to the allow list.
- Parameters: patterns - the patterns to add.
- See Also: setAllowedPatterns(String...)
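A usage sketch for the allow list described above, added here as an example (it is not code from the Spring Integration project). It uses only the constructor and methods listed on this page; the class name AllowListDemo, the helper names and the sample payloads are constructed for illustration, and because this page does not document the exception raised on rejection, the sketch catches RuntimeException.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.springframework.integration.support.converter.AllowListDeserializingConverter;

public class AllowListDemo {

    // Java-serialize a value the way a remote sender would (constructed sample input).
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Returns a short description of what the converter did with the payload.
    static String tryConvert(AllowListDeserializingConverter converter, byte[] payload) {
        try {
            Object result = converter.convert(payload);
            return "accepted " + result.getClass().getName();
        }
        catch (RuntimeException ex) {
            // Assumption: rejection surfaces as an unchecked exception; the type is not on this page.
            return "rejected: " + ex.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new ArrayList<>(List.of("order-1", "order-2")));
        byte[] unexpected = serialize(new Date(0L));

        // Default configuration: no patterns, so every class is deserialized.
        AllowListDeserializingConverter open = new AllowListDeserializingConverter();
        System.out.println("open/unexpected:   " + tryConvert(open, unexpected));

        // Restrict to the one type this endpoint is meant to receive.
        AllowListDeserializingConverter strict = new AllowListDeserializingConverter();
        strict.setAllowedPatterns("java.util.ArrayList");
        System.out.println("strict/expected:   " + tryConvert(strict, expected));
        System.out.println("strict/unexpected: " + tryConvert(strict, unexpected));

        // Patterns can be appended later; the Date payload is then accepted.
        strict.addAllowedPatterns("java.util.Date");
        System.out.println("after add:         " + tryConvert(strict, unexpected));
    }
}
```

Fully qualified class names keep the list tight; a leading-wildcard pattern such as *.MyClass matches that simple name in every package.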
convert
deserialize
- Throws: IOException
checkAllowList