Class AllowListDeserializingConverter

java.lang.Object
org.springframework.integration.support.converter.AllowListDeserializingConverter
All Implemented Interfaces:
org.springframework.core.convert.converter.Converter<byte[],Object>

public class AllowListDeserializingConverter extends Object implements org.springframework.core.convert.converter.Converter<byte[],Object>
A Converter that delegates to a Deserializer to convert data in a byte array to an object. By default, if a DefaultDeserializer is used, all classes/packages are deserialized. If you receive data from untrusted sources, consider adding trusted classes/packages using setAllowedPatterns(String...) or addAllowedPatterns(String...).

If the delegate deserializer is a DefaultDeserializer, only its ClassLoader is used for the ConfigurableObjectInputStream logic.

Since:
5.4
  • Constructor Details

    • AllowListDeserializingConverter

      public AllowListDeserializingConverter()
      Create an AllowListDeserializingConverter with default ObjectInputStream configuration, using the "latest user-defined ClassLoader".
    • AllowListDeserializingConverter

      public AllowListDeserializingConverter(ClassLoader classLoader)
      Create an AllowListDeserializingConverter that uses an ObjectInputStream with the given ClassLoader.
      Parameters:
      classLoader - the class loader to use for deserialization.
    • AllowListDeserializingConverter

      public AllowListDeserializingConverter(org.springframework.core.serializer.Deserializer<Object> deserializer)
      Create an AllowListDeserializingConverter that delegates to the provided Deserializer.
      Parameters:
      deserializer - the deserializer to use.
  • Method Details

    • setAllowedPatterns

      public void setAllowedPatterns(String... allowedPatterns)
      Set simple patterns for the packages/classes that may be deserialized. The patterns are applied in order until a match is found. A pattern is either a fully qualified class name or a name with a wildcard '*' at the beginning or end. Examples: com.foo.*, *.MyClass.
      Parameters:
      allowedPatterns - the patterns.
    • addAllowedPatterns

      public void addAllowedPatterns(String... patterns)
      Add package/class patterns to the allowed list.
      Parameters:
      patterns - the patterns to add.
    • convert

      public Object convert(byte[] source)
      Specified by:
      convert in interface org.springframework.core.convert.converter.Converter<byte[],Object>
    • deserialize

      protected Object deserialize(ByteArrayInputStream inputStream) throws IOException
      Throws:
      IOException
    • checkAllowList

      protected void checkAllowList(Class<?> clazz)
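The following is an added example, not part of the Javadoc or the Spring Integration code base. It assumes a demo package com.example.demo and a constructed Serializable payload class OrderEvent; the serialize helper stands in for bytes received over the wire. It shows that with setAllowedPatterns set to the demo package, a payload of that package is converted while a stream naming java.util.Date is rejected during class resolution, before any object is instantiated.

```java
package com.example.demo;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

import org.springframework.integration.support.converter.AllowListDeserializingConverter;

public class AllowListDemo {

    // Constructed sample payload type; it lives in the package the allow list admits.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;
        OrderEvent(String orderId, int quantity) { this.orderId = orderId; this.quantity = quantity; }
        @Override public String toString() { return "OrderEvent[" + orderId + ", " + quantity + "]"; }
    }

    // Plain JDK serialization, standing in for bytes that arrived from a remote peer.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        AllowListDeserializingConverter converter = new AllowListDeserializingConverter();
        // Every class resolved from the stream (including field and element types)
        // must match one of these patterns; an empty list would allow everything.
        converter.setAllowedPatterns("com.example.demo.*");

        byte[] trusted = serialize(new OrderEvent("A-100", 3));
        System.out.println("allowed: " + converter.convert(trusted));

        // java.util.Date matches no pattern, so class resolution fails. The Javadoc
        // does not name the exception the converter surfaces, so a generic
        // RuntimeException catch is used here and the root cause is printed.
        byte[] untrusted = serialize(new Date());
        try {
            converter.convert(untrusted);
            System.out.println("unexpected: unlisted class was accepted");
        } catch (RuntimeException ex) {
            Throwable root = ex;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("rejected: " + root.getClass().getSimpleName() + ": " + root.getMessage());
        }
    }
}
```

Because the check runs for every class descriptor in the stream, a payload whose fields hold collections or other JDK types needs those packages listed too (for example via addAllowedPatterns("java.util.*")); an overly narrow list fails closed rather than silently accepting.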