Class AllowListDeserializingConverter

java.lang.Object
org.springframework.integration.support.converter.AllowListDeserializingConverter
All Implemented Interfaces:
org.springframework.core.convert.converter.Converter<byte[], java.lang.Object>

public class AllowListDeserializingConverter
extends java.lang.Object
implements org.springframework.core.convert.converter.Converter<byte[], java.lang.Object>
A Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, when a DefaultDeserializer is used, all classes/packages are deserialized. If you receive data from untrusted sources, consider restricting deserialization to trusted classes/packages using setAllowedPatterns(String...) or addAllowedPatterns(String...).
Since:
5.4
  • Constructor Summary

    Constructors 
    Constructor Description
    AllowListDeserializingConverter()
    Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".
    AllowListDeserializingConverter(java.lang.ClassLoader classLoader)
    Create an AllowListDeserializingConverter for using an ObjectInputStream with the given ClassLoader.
    AllowListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer)
    Create an AllowListDeserializingConverter that delegates to the provided Deserializer.
  • Method Summary

    Modifier and Type Method Description
    void addAllowedPatterns(java.lang.String... patterns)
    Add package/class patterns to the allow list.
    protected void checkAllowList(java.lang.Class<?> clazz)
    java.lang.Object convert(byte[] source)
    protected java.lang.Object deserialize(java.io.ByteArrayInputStream inputStream)
    void setAllowedPatterns(java.lang.String... allowedPatterns)
    Set simple patterns for allowable packages/classes for deserialization.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.springframework.core.convert.converter.Converter

    andThen
  • Constructor Details

  • Method Details

    • setAllowedPatterns

      public void setAllowedPatterns(java.lang.String... allowedPatterns)
      Set simple patterns for allowable packages/classes for deserialization. The patterns are applied in order until a match is found. A class name can be fully qualified, or it can use a wildcard '*' at the beginning or end of the name. Examples: com.foo.*, *.MyClass.
      Parameters:
      allowedPatterns - the patterns.
    • addAllowedPatterns

      public void addAllowedPatterns(java.lang.String... patterns)
      Add package/class patterns to the allow list.
      Parameters:
      patterns - the patterns to add.
      See Also:
      setAllowedPatterns(String...)
    • convert

      public java.lang.Object convert(byte[] source)
      Specified by:
      convert in interface org.springframework.core.convert.converter.Converter<byte[], java.lang.Object>
    • deserialize

      protected java.lang.Object deserialize(java.io.ByteArrayInputStream inputStream) throws java.io.IOException
      Throws:
      java.io.IOException
    • checkAllowList

      protected void checkAllowList(java.lang.Class<?> clazz)
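
The following usage example is added here and is not part of the Spring Integration Javadoc. It contrasts the default configuration (no patterns, every class deserialized) with a converter restricted through setAllowedPatterns(String...). The package com.example.orders, the Order class and the file name are constructed for illustration, and the exception type is caught broadly because this page does not document it.

```java
package com.example.orders; // hypothetical package, chosen so the pattern below matches

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.springframework.integration.support.converter.AllowListDeserializingConverter;

public class AllowListDemo {

    // Constructed sample payload; its binary name is com.example.orders.AllowListDemo$Order.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Plain Java serialization, standing in for bytes received from a remote peer.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new Order("A-1"));
        byte[] unexpected = serialize(new File("report.txt")); // a class outside the allow list

        // Default configuration: no patterns set, so all classes/packages are deserialized.
        AllowListDeserializingConverter open = new AllowListDeserializingConverter();
        System.out.println("open: " + open.convert(unexpected).getClass().getName());

        // Restricted configuration for data from untrusted sources.
        AllowListDeserializingConverter restricted = new AllowListDeserializingConverter();
        restricted.setAllowedPatterns("com.example.orders.*");
        System.out.println("restricted: " + restricted.convert(expected).getClass().getName());

        try {
            restricted.convert(unexpected);
            System.out.println("restricted: unexpected class was deserialized");
        }
        catch (RuntimeException ex) {
            // Exception type is not documented on this page, so report it and its cause.
            System.out.println("restricted: rejected, " + ex + " / cause: " + ex.getCause());
        }
    }
}
```

Running it requires the Spring Integration core artifact (5.4 or later, per the "Since" tag above) on the classpath. Prefer exact class names or narrow package prefixes over leading wildcards such as *.MyClass, which match a class of that name in any package.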