public class AllowListDeserializingConverter
extends java.lang.Object
implements org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>

Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, if using a DefaultDeserializer, all classes/packages are deserialized. If you receive data from untrusted sources, consider adding trusted classes/packages using setAllowedPatterns(String...) or addAllowedPatterns(String...).

| Constructor and Description |
|---|
| AllowListDeserializingConverter(): Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader". |
| AllowListDeserializingConverter(java.lang.ClassLoader classLoader) |
| AllowListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer): Create an AllowListDeserializingConverter that delegates to the provided Deserializer. |

| Modifier and Type | Method and Description |
|---|---|
| void | addAllowedPatterns(java.lang.String... patterns): Add package/class patterns to the allow list. |
| protected void | checkAllowList(java.lang.Class<?> clazz) |
| java.lang.Object | convert(byte[] source) |
| protected java.lang.Object | deserialize(java.io.ByteArrayInputStream inputStream) |
| void | setAllowedPatterns(java.lang.String... allowedPatterns): Set simple patterns for allowable packages/classes for deserialization. |

public AllowListDeserializingConverter()
Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".

public AllowListDeserializingConverter(java.lang.ClassLoader classLoader)
Parameters: classLoader - the class loader to use for deserialization.

public AllowListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer)
Create an AllowListDeserializingConverter that delegates to the provided Deserializer.
Parameters: deserializer - the deserializer to use.

public void setAllowedPatterns(java.lang.String... allowedPatterns)
com.foo.*, *.MyClass.
Parameters: allowedPatterns - the patterns.

public void addAllowedPatterns(java.lang.String... patterns)
Parameters: patterns - the patterns to add.
See Also: setAllowedPatterns(String...)

public java.lang.Object convert(byte[] source)
Specified by: convert in interface org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>

protected java.lang.Object deserialize(java.io.ByteArrayInputStream inputStream) throws java.io.IOException
Throws: java.io.IOException

protected void checkAllowList(java.lang.Class<?> clazz)
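
The allow-list configuration recommended in the class description for untrusted data, shown as an added example (not code from the project itself): a converter restricted with setAllowedPatterns(String...) accepts a payload of an expected type and refuses one of another type. The package com.example.orders, the Order class and the sample payloads are assumptions constructed for the illustration; the import assumes the Spring Integration package of this class, and because this page does not state which exception signals a rejection, the example catches RuntimeException.

```java
package com.example.orders; // hypothetical package, matched by the pattern below

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

import org.springframework.integration.support.converter.AllowListDeserializingConverter;

public class AllowListDemo {

    // Hypothetical application type expected in incoming payloads.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Constructed sample input: plain JDK serialization of the given object.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        AllowListDeserializingConverter converter = new AllowListDeserializingConverter();
        // Without a pattern the default deserializer accepts every class on the classpath.
        converter.setAllowedPatterns("com.example.orders.*");

        Object order = converter.convert(serialize(new Order("A-1", 3)));
        System.out.println("accepted: " + order.getClass().getName());

        ArrayList<String> other = new ArrayList<>();
        other.add("x");
        try {
            converter.convert(serialize(other)); // java.util.ArrayList matches no pattern
            System.out.println("not rejected: java.util.ArrayList was deserialized");
        } catch (RuntimeException e) {
            System.out.println("rejected: " + e);
        }
    }
}
```

Keep the patterns as narrow as the expected payload types allow; a wide pattern such as a whole library package admits every serializable class under it.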