Class AllowListDeserializingConverter
java.lang.Object
org.springframework.integration.support.converter.AllowListDeserializingConverter
- All Implemented Interfaces:
org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>
public class AllowListDeserializingConverter
extends java.lang.Object
implements org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>
A Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, if using a DefaultDeserializer all classes/packages are deserialized. If you receive data from untrusted sources, consider adding trusted classes/packages using setAllowedPatterns(String...) or addAllowedPatterns(String...).
- Since:
- 5.4

Constructor Summary

Constructors

| Constructor | Description |
| --- | --- |
| AllowListDeserializingConverter() | Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader". |
| AllowListDeserializingConverter(java.lang.ClassLoader classLoader) | |
| AllowListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer) | Create an AllowListDeserializingConverter that delegates to the provided Deserializer. |

Method Summary

| Modifier and Type | Method | Description |
| --- | --- | --- |
| void | addAllowedPatterns(java.lang.String... patterns) | Add package/class patterns to the allow list. |
| protected void | checkAllowList(java.lang.Class<?> clazz) | |
| java.lang.Object | convert(byte[] source) | |
| protected java.lang.Object | deserialize(java.io.ByteArrayInputStream inputStream) | |
| void | setAllowedPatterns(java.lang.String... allowedPatterns) | Set simple patterns for allowable packages/classes for deserialization. |

Constructor Details

AllowListDeserializingConverter
public AllowListDeserializingConverter()
Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".

AllowListDeserializingConverter
public AllowListDeserializingConverter(java.lang.ClassLoader classLoader)
- Parameters:
classLoader - the class loader to use for deserialization.

AllowListDeserializingConverter
public AllowListDeserializingConverter(org.springframework.core.serializer.Deserializer<java.lang.Object> deserializer)
Create an AllowListDeserializingConverter that delegates to the provided Deserializer.
- Parameters:
deserializer - the deserializer to use.

Method Details

setAllowedPatterns
public void setAllowedPatterns(java.lang.String... allowedPatterns)
Set simple patterns for allowable packages/classes for deserialization. The patterns will be applied in order until a match is found. A class can be fully qualified or a wildcard '*' is allowed at the beginning or end of the class name. Examples: com.foo.*, *.MyClass.
- Parameters:
allowedPatterns - the patterns.

addAllowedPatterns
public void addAllowedPatterns(java.lang.String... patterns)
Add package/class patterns to the allow list.
- Parameters:
patterns - the patterns to add.
- See Also:
setAllowedPatterns(String...)
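
Added example (not part of the Spring Integration Javadoc): a converter is first used with no allow list, then restricted with setAllowedPatterns(String...), then widened with addAllowedPatterns(String...) using a trailing wildcard. The class name AllowListConverterDemo and the helpers serialize and tryConvert are hypothetical, the payloads are constructed, and the failure is caught as RuntimeException because this page does not name the exception raised for a class outside the allow list.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.integration.support.converter.AllowListDeserializingConverter;

public class AllowListConverterDemo {
    // Hypothetical helper: Java-serialize a value into a byte array.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Hypothetical helper: report whether convert() accepted or rejected the payload.
    static String tryConvert(AllowListDeserializingConverter converter, byte[] payload) {
        try {
            Object result = converter.convert(payload);
            return "accepted " + result.getClass().getName();
        }
        catch (RuntimeException ex) {
            // Assumption: the exception type is not documented on this page, so catch broadly.
            return "rejected (" + ex.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed payloads; String contents keep the container as the only class in each stream.
        byte[] listBytes = serialize(new ArrayList<>(List.of("order-1", "order-2")));
        byte[] mapBytes = serialize(new HashMap<>(Map.of("k", "v")));

        AllowListDeserializingConverter converter = new AllowListDeserializingConverter();
        // No patterns set: the documented default, all classes are deserialized.
        System.out.println("no allow list, HashMap:    " + tryConvert(converter, mapBytes));

        // Fully qualified class name: only ArrayList is allowed from here on.
        converter.setAllowedPatterns("java.util.ArrayList");
        System.out.println("ArrayList only, ArrayList: " + tryConvert(converter, listBytes));
        System.out.println("ArrayList only, HashMap:   " + tryConvert(converter, mapBytes));
        // Wildcard at the end of the class name, added to the existing list.
        converter.addAllowedPatterns("java.util.Hash*");
        System.out.println("after add, HashMap:        " + tryConvert(converter, mapBytes));
    }
}
```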

convert
public java.lang.Object convert(byte[] source)
- Specified by:
convert in interface org.springframework.core.convert.converter.Converter<byte[],java.lang.Object>

deserialize
protected java.lang.Object deserialize(java.io.ByteArrayInputStream inputStream) throws java.io.IOException
- Throws:
java.io.IOException

checkAllowList
protected void checkAllowList(java.lang.Class<?> clazz)