public class AllowListDeserializingConverter extends Object implements Converter<byte[],Object>
Converter that delegates to a
Deserializer to convert data in a byte
array to an object. By default, if using a DefaultDeserializer all
classes/packages are deserialized. If you receive data from untrusted sources, consider
adding trusted classes/packages using setAllowedPatterns(String...) or
addAllowedPatterns(String...).| Constructor and Description |
|---|
AllowListDeserializingConverter()
Create a
AllowListDeserializingConverter with default
ObjectInputStream configuration, using the "latest user-defined
ClassLoader". |
AllowListDeserializingConverter(ClassLoader classLoader)
|
AllowListDeserializingConverter(Deserializer<Object> deserializer)
Create a
AllowListDeserializingConverter that delegates to the provided
Deserializer. |
| Modifier and Type | Method and Description |
|---|---|
void |
addAllowedPatterns(String... patterns)
Add package/class patterns to the allow list.
|
protected void |
checkAllowList(Class<?> clazz) |
Object |
convert(byte[] source) |
protected Object |
deserialize(ByteArrayInputStream inputStream) |
void |
setAllowedPatterns(String... allowedPatterns)
Set simple patterns for allowable packages/classes for deserialization.
|
public AllowListDeserializingConverter()
AllowListDeserializingConverter with default
ObjectInputStream configuration, using the "latest user-defined
ClassLoader".public AllowListDeserializingConverter(ClassLoader classLoader)
classLoader - the class loader to use for deserialization.public AllowListDeserializingConverter(Deserializer<Object> deserializer)
AllowListDeserializingConverter that delegates to the provided
Deserializer.deserializer - the deserializer to use.public void setAllowedPatterns(String... allowedPatterns)
com.foo.*, *.MyClass.allowedPatterns - the patterns.public void addAllowedPatterns(String... patterns)
patterns - the patterns to add.setAllowedPatterns(String...)public Object convert(byte[] source)
protected Object deserialize(ByteArrayInputStream inputStream) throws IOException
IOExceptionprotected void checkAllowList(Class<?> clazz)