com.thoughtworks.xstream.security.PrimitiveTypePermission Java Examples

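The following examples show how to use com.thoughtworks.xstream.security.PrimitiveTypePermission. Each example is preceded by its source file and project. Read the whole permission sequence in each example, not only the PrimitiveTypePermission line: Examples #1 and #3–#14 add AnyTypePermission.ANY as the last permission, which allows every type, and Examples #18 and #19 add no NoTypePermission.NONE baseline, whereas Examples #16 and #17 restrict deserialization to an explicit list of types.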
Example #1
Source File: AnalysisFraction.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #2
Source File: TransportFormat.java    From javamelody with Apache License 2.0 6 votes vote down vote up
/**
 * Deserializes one object from an XML stream with XStream.
 * <p>
 * The instance returned by {@code createXStream(false)} is reset to deny-all and then
 * re-opened for null, primitives, three JDK package wildcards and this class's own package.
 * <p>
 * NOTE(review): {@code "java.lang.*"} and {@code "java.util.*"} admit every class directly in
 * those packages, which is wider than the value and collection types a transport format
 * usually needs. If the input can come from an untrusted peer, consider listing the expected
 * JDK types individually.
 *
 * @param bufferedInput stream holding the XML document; the reader wrapping it is closed
 *        before this method returns
 * @return the object XStream built from the XML
 * @throws IOException declared by the reader construction and by {@code close()}
 */
static Object readFromXml(InputStream bufferedInput) throws IOException {
	final XStream xml = createXStream(false);
	final String[] jdkPackages = { "java.lang.*", "java.util.*", "java.util.concurrent.*" };
	final String[] ownPackage = { PACKAGE_NAME + ".*" };

	// see http://x-stream.github.io/security.html
	// deny-all baseline: drops whatever permissions the instance had before
	xml.addPermission(NoTypePermission.NONE);
	// re-admit null and primitives
	xml.addPermission(NullPermission.NULL);
	xml.addPermission(PrimitiveTypePermission.PRIMITIVES);
	// re-admit classes by package; "*" stays within a single package level
	xml.allowTypesByWildcard(jdkPackages);
	xml.allowTypesByWildcard(ownPackage);

	final InputStreamReader xmlReader = new InputStreamReader(bufferedInput, XML_CHARSET_NAME);
	try {
		final Object result = xml.fromXML(xmlReader);
		return result;
	} finally {
		xmlReader.close();
	}
}
 
Example #3
Source File: SesarSample.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates, customizes and returns an <code>XStream</code> instance for
 * decoding XML.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @pre <code>XStream</code> package is available
 * @post <code>XStream</code> for XML decoding is returned
 *
 * @return <code>XStream</code> - configured for XML decoding
 */
public static XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #4
Source File: ReportSettingsInterface.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
public default XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #5
Source File: AbstractRatiosDataModel.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
protected XStream getXStream() {
    XStream configured = new XStream(new DomDriver());
    customizeXstream(configured);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(configured);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    configured.addPermission(NoTypePermission.NONE);
    configured.addPermission(NullPermission.NULL);
    configured.addPermission(PrimitiveTypePermission.PRIMITIVES);
    configured.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    configured.addPermission(AnyTypePermission.ANY);

    return configured;
}
 
Example #6
Source File: SESARSampleMetadata.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates, customizes and returns an <code>XStream</code> instance for
 * decoding XML.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @pre     <code>XStream</code> package is available
 * @post    <code>XStream</code> for XML decoding is returned
 * @return  <code>XStream</code> - configured for XML decoding
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #7
Source File: SampleMetaData.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates, customizes and returns an <code>XStream</code> instance for
 * decoding XML.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @pre     <code>XStream</code> package is available
 * @post    <code>XStream</code> for XML decoding is returned
 * @return  <code>XStream</code> - configured for XML decoding
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #8
Source File: UPbReduxAliquot.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #9
Source File: UPbFraction.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
private XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #10
Source File: ValueModel.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates, customizes and returns an <code>XStream</code> instance for
 * decoding XML.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @pre <code>XStream</code> package is available
 * @post <code>XStream</code> for XML decoding is returned
 *
 * @return <code>XStream</code> - configured for XML decoding
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #11
Source File: MineralStandardModel.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
private XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #12
Source File: PbBlank.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates, customizes and returns an <code>XStream</code> instance for
 * decoding XML.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @pre <code>XStream</code> package is available
 * @post <code>XStream</code> for XML decoding is returned
 *
 * @return <code>XStream</code> - configured for XML decoding
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #13
Source File: UThReduxAliquot.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
public XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #14
Source File: PhysicalConstants.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates and configures an <code>XStream</code> instance.
 * <p>
 * A <code>DomDriver</code>-backed instance is passed to
 * <code>customizeXstream</code> and then given its type permissions.
 * <p>
 * NOTE(review): the last permission added is
 * <code>AnyTypePermission.ANY</code>, which admits every type, so the
 * narrower permissions added before it do not limit what the XML input can
 * instantiate. If this instance can ever read untrusted XML, list the
 * expected types explicitly (<code>allowTypes</code>,
 * <code>allowTypesByWildcard</code>) instead.
 *
 * @return the configured <code>XStream</code> instance
 */
private XStream getXStreamReader() {
    XStream reader = new XStream(new DomDriver());
    customizeXstream(reader);

    // Permission setup, see http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(reader);
    // Reset to deny-all, then re-admit null, primitives and Collection subtypes.
    reader.addPermission(NoTypePermission.NONE);
    reader.addPermission(NullPermission.NULL);
    reader.addPermission(PrimitiveTypePermission.PRIMITIVES);
    reader.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY admits all types; the deny-all baseline above is not in effect after this.
    reader.addPermission(AnyTypePermission.ANY);

    return reader;
}
 
Example #15
Source File: WbConverter.java    From openmeetings with Apache License 2.0 6 votes vote down vote up
/**
 * Reads a WML file from the upload directory and returns its content as a list.
 * <p>
 * The XStream instance starts from deny-all and re-admits only null, primitives and the
 * {@code List} and {@code String} hierarchies; unknown XML elements are ignored.
 * <p>
 * NOTE(review): {@code hash} becomes part of the file name through
 * {@code OmFileHelper.getName}; confirm that callers cannot supply path separators.
 *
 * @param hash identifier passed to {@code OmFileHelper.getName} to build the file name
 * @return the deserialized list, or a new empty list when reading or parsing fails
 */
public static List<?> loadWmlFile(String hash) {
	String wmlName = OmFileHelper.getName(hash, EXTENSION_WML);
	File wmlFile = new File(OmFileHelper.getUploadWmlDir(), wmlName);
	log.debug("filepathComplete: {}", wmlFile);

	XStream parser = new XStream(new XppDriver());
	parser.setMode(XStream.NO_REFERENCES);
	// Deny everything first; the calls below re-admit the few types a WML file may hold.
	parser.addPermission(NoTypePermission.NONE);
	parser.addPermission(NullPermission.NULL);
	parser.addPermission(PrimitiveTypePermission.PRIMITIVES);
	parser.allowTypeHierarchy(List.class);
	parser.allowTypeHierarchy(String.class);
	parser.ignoreUnknownElements();
	try (InputStream in = new FileInputStream(wmlFile);
			BufferedReader xmlReader = new BufferedReader(new InputStreamReader(in, UTF_8))) {
		return (List<?>) parser.fromXML(xmlReader);
	} catch (Exception err) {
		// Any failure, including a rejected type, is logged and reported as "no content".
		log.error("loadWmlFile", err);
		return new ArrayList<>();
	}
}
 
Example #16
Source File: App.java    From tutorials with MIT License 5 votes vote down vote up
/**
 * Creates an {@code App} whose XStream instance accepts only null, primitives and
 * {@code Person}.
 *
 * @param port value passed through to the {@code App} constructor
 * @return a new {@code App} built with the restricted XStream instance
 */
public static App createHardened(int port) {
    final XStream restricted = new XStream();
    final Class<?>[] allowedTypes = { Person.class };

    // Deny everything first; each later call re-admits one narrow category.
    restricted.addPermission(NoTypePermission.NONE);
    restricted.addPermission(NullPermission.NULL);
    restricted.addPermission(PrimitiveTypePermission.PRIMITIVES);
    // The only application type the XML input may instantiate.
    restricted.allowTypes(allowedTypes);

    return new App(port, restricted);
}
 
Example #17
Source File: XStreamFactory.java    From saros with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Configures the type permissions of the given <code>XStream</code> object.
 *
 * <p>Everything is denied first. Null, primitives, the <code>Collection</code> and
 * <code>Map</code> hierarchies, <code>String</code> and all classes matching
 * <code>saros.**</code> are then re-admitted.
 *
 * @param xStream the <code>XStream</code> object whose permissions are set
 * @see <a
 *     href="https://x-stream.github.io/security.html">https://x-stream.github.io/security.html</a>
 */
private static void setUpSecurityFramework(XStream xStream) {
  final Class[] plainTypes = {String.class};
  final String[] sarosPackages = {"saros.**"};

  // deny-all baseline
  xStream.addPermission(NoTypePermission.NONE);

  // JDK basics
  xStream.addPermission(NullPermission.NULL);
  xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
  xStream.allowTypeHierarchy(Collection.class);
  xStream.allowTypeHierarchy(Map.class);
  xStream.allowTypes(plainTypes);

  // every class in the saros package and its sub-packages
  xStream.allowTypesByWildcard(sarosPackages);
}
 
Example #18
Source File: XStreamInitializer.java    From weixin-java-tools with Apache License 2.0 5 votes vote down vote up
/**
 * Creates an XStream instance with a customized XML writer.
 *
 * <p>The writer emits text that is already wrapped in CDATA or MediaId markers unchanged and
 * leaves node names unencoded. The instance ignores unknown elements, uses
 * {@code NO_REFERENCES} mode and the current thread's context class loader.
 *
 * <p>NOTE(review): no {@code NoTypePermission.NONE} is added before the two permissions
 * below, so on their own they do not establish an allowlist; which types can be deserialized
 * then depends on the defaults of the XStream version in use. Confirm against that version.
 *
 * @return the configured XStream instance
 */
public static XStream getInstance() {
  PureJavaReflectionProvider reflectionProvider = new PureJavaReflectionProvider();
  XppDriver driver = new XppDriver() {

    @Override
    public HierarchicalStreamWriter createWriter(Writer out) {
      return new PrettyPrintWriter(out, getNameCoder()) {
        protected String PREFIX_CDATA = "<![CDATA[";
        protected String SUFFIX_CDATA = "]]>";
        protected String PREFIX_MEDIA_ID = "<MediaId>";
        protected String SUFFIX_MEDIA_ID = "</MediaId>";

        @Override
        protected void writeText(QuickWriter writer, String text) {
          // NOTE(review): only the prefix and suffix are checked; the content in between is
          // written without going through super.writeText, so callers must make sure it
          // cannot carry markup of its own.
          boolean cdataWrapped =
              text.startsWith(this.PREFIX_CDATA) && text.endsWith(this.SUFFIX_CDATA);
          boolean mediaIdWrapped =
              text.startsWith(this.PREFIX_MEDIA_ID) && text.endsWith(this.SUFFIX_MEDIA_ID);
          if (cdataWrapped || mediaIdWrapped) {
            writer.write(text);
            return;
          }
          super.writeText(writer, text);
        }

        @Override
        public String encodeNode(String name) {
          // prevents "_" from being converted to "__"
          return name;
        }
      };
    }
  };

  XStream instance = new XStream(reflectionProvider, driver);
  instance.ignoreUnknownElements();
  instance.setMode(XStream.NO_REFERENCES);
  instance.addPermission(NullPermission.NULL);
  instance.addPermission(PrimitiveTypePermission.PRIMITIVES);
  instance.setClassLoader(Thread.currentThread().getContextClassLoader());
  return instance;
}
 
Example #19
Source File: XStreamInitializer.java    From weixin-java-tools with Apache License 2.0 5 votes vote down vote up
/**
 * Creates an XStream instance with a customized XML writer.
 *
 * <p>The writer emits text that is already wrapped in CDATA or MediaId markers unchanged.
 * The instance ignores unknown elements and uses {@code NO_REFERENCES} mode.
 *
 * <p>NOTE(review): no {@code NoTypePermission.NONE} is added before the two permissions
 * below, so on their own they do not establish an allowlist; which types can be deserialized
 * then depends on the defaults of the XStream version in use. Confirm against that version.
 *
 * @return the configured XStream instance
 */
public static XStream getInstance() {
  XppDriver driver = new XppDriver() {

    @Override
    public HierarchicalStreamWriter createWriter(Writer out) {
      return new PrettyPrintWriter(out, getNameCoder()) {
        protected String PREFIX_CDATA = "<![CDATA[";
        protected String SUFFIX_CDATA = "]]>";
        protected String PREFIX_MEDIA_ID = "<MediaId>";
        protected String SUFFIX_MEDIA_ID = "</MediaId>";

        @Override
        protected void writeText(QuickWriter writer, String text) {
          // NOTE(review): only the prefix and suffix are checked; the content in between is
          // written without going through super.writeText, so callers must make sure it
          // cannot carry markup of its own.
          boolean cdataWrapped = text.startsWith(PREFIX_CDATA) && text.endsWith(SUFFIX_CDATA);
          boolean mediaIdWrapped =
              text.startsWith(PREFIX_MEDIA_ID) && text.endsWith(SUFFIX_MEDIA_ID);
          if (cdataWrapped || mediaIdWrapped) {
            writer.write(text);
            return;
          }
          super.writeText(writer, text);
        }
      };
    }
  };

  XStream instance = new XStream(driver);
  instance.ignoreUnknownElements();
  instance.setMode(XStream.NO_REFERENCES);
  instance.addPermission(NullPermission.NULL);
  instance.addPermission(PrimitiveTypePermission.PRIMITIVES);
  return instance;
}
 
Example #20
Source File: UserDashboardPersister.java    From openmeetings with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves the dashboard file for the current user id and prepares the XStream instance
 * used with it.
 * <p>
 * The instance starts from deny-all and re-admits null, primitives, the {@code ArrayList}
 * hierarchy and every class matching {@code org.apache.openmeetings.web.**}.
 * <p>
 * NOTE(review): the {@code **} wildcard spans all sub-packages of the web module; if only
 * dashboard classes are ever stored, a narrower pattern would shrink what the file content
 * can instantiate.
 */
public XStreamDashboardPersister() {
	this.file = getUserDashboard(getUserId());

	final String[] webPackages = {"org.apache.openmeetings.web.**"};

	xstream = new XStream(new DomDriver(UTF_8.name()));
	xstream.setMode(XStream.NO_REFERENCES);
	// deny-all baseline, then the explicit allowlist
	xstream.addPermission(NoTypePermission.NONE);
	xstream.addPermission(NullPermission.NULL);
	xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
	xstream.allowTypesByWildcard(webPackages);
	xstream.allowTypeHierarchy(ArrayList.class);
	// the XML element "dashboard" maps to UserDashboard
	xstream.alias("dashboard", UserDashboard.class);
}
 
Example #21
Source File: XStream.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Set up the security framework of an XStream instance.
 * <p>
 * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
 * well-known and simple types of the Java runtime as it is done in XStream 1.5.x by default. This method will
 * therefore do nothing in XStream 1.5.
 * </p>
 * <p>
 * The white list starts from deny-all and then admits null, primitives, arrays, interfaces, a number of type
 * hierarchies and a fixed set of individual JDK classes. Classes that may be missing on the running JVM are looked
 * up by name and skipped when the lookup returns <code>null</code>.
 * </p>
 *
 * @param xstream the instance to initialize
 * @throws IllegalArgumentException if the security framework of the instance is already initialized
 * @since 1.4.10
 */
public static void setupDefaultSecurity(final XStream xstream) {
    if (xstream.securityInitialized) {
        throw new IllegalArgumentException("Security framework of XStream instance already initialized");
    }

    // Deny-all baseline followed by the broad categories.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.addPermission(ArrayTypePermission.ARRAYS);
    xstream.addPermission(InterfaceTypePermission.INTERFACES);

    // Hierarchies: the named type and everything assignable to it.
    xstream.allowTypeHierarchy(Calendar.class);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.allowTypeHierarchy(Map.class);
    xstream.allowTypeHierarchy(Map.Entry.class);
    xstream.allowTypeHierarchy(Member.class);
    xstream.allowTypeHierarchy(Number.class);
    xstream.allowTypeHierarchy(Throwable.class);
    xstream.allowTypeHierarchy(TimeZone.class);

    // Hierarchies that are only admitted when the class can be loaded by name.
    final Class enumType = JVM.loadClassForName("java.lang.Enum");
    if (enumType != null) {
        xstream.allowTypeHierarchy(enumType);
    }
    final Class pathType = JVM.loadClassForName("java.nio.file.Path");
    if (pathType != null) {
        xstream.allowTypeHierarchy(pathType);
    }

    // Individual classes; failed lookups add null, which is removed before use.
    final Set allowed = new HashSet();
    allowed.add(BitSet.class);
    allowed.add(Charset.class);
    allowed.add(Class.class);
    allowed.add(Currency.class);
    allowed.add(Date.class);
    allowed.add(DecimalFormatSymbols.class);
    allowed.add(File.class);
    allowed.add(Locale.class);
    allowed.add(Object.class);
    allowed.add(Pattern.class);
    allowed.add(StackTraceElement.class);
    allowed.add(String.class);
    allowed.add(StringBuffer.class);
    allowed.add(JVM.loadClassForName("java.lang.StringBuilder"));
    allowed.add(URL.class);
    allowed.add(URI.class);
    allowed.add(JVM.loadClassForName("java.util.UUID"));
    if (JVM.isSQLAvailable()) {
        allowed.add(JVM.loadClassForName("java.sql.Timestamp"));
        allowed.add(JVM.loadClassForName("java.sql.Time"));
        allowed.add(JVM.loadClassForName("java.sql.Date"));
    }
    if (JVM.isVersion(8)) {
        // java.time: Clock, ZoneId and Chronology as hierarchies, the rest as single classes.
        xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
        allowed.add(JVM.loadClassForName("java.time.Duration"));
        allowed.add(JVM.loadClassForName("java.time.Instant"));
        allowed.add(JVM.loadClassForName("java.time.LocalDate"));
        allowed.add(JVM.loadClassForName("java.time.LocalDateTime"));
        allowed.add(JVM.loadClassForName("java.time.LocalTime"));
        allowed.add(JVM.loadClassForName("java.time.MonthDay"));
        allowed.add(JVM.loadClassForName("java.time.OffsetDateTime"));
        allowed.add(JVM.loadClassForName("java.time.OffsetTime"));
        allowed.add(JVM.loadClassForName("java.time.Period"));
        allowed.add(JVM.loadClassForName("java.time.Ser"));
        allowed.add(JVM.loadClassForName("java.time.Year"));
        allowed.add(JVM.loadClassForName("java.time.YearMonth"));
        allowed.add(JVM.loadClassForName("java.time.ZonedDateTime"));
        xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
        allowed.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
        allowed.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.Ser"));
        xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
        allowed.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
        allowed.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
    }
    allowed.remove(null);

    // Copy the set into the array form that allowTypes expects.
    final Class[] classes = (Class[])allowed.toArray(new Class[allowed.size()]);
    xstream.allowTypes(classes);
}