sun.misc.ObjectInputFilter Java Examples

The following examples show how to use sun.misc.ObjectInputFilter, the JDK 8u backport of the deserialization filter API that JDK 9 and later expose as java.io.ObjectInputFilter. Each example is a single method taken from the source file named above it; names such as filter, bytes, count and classes that a method refers to are fields or helpers declared elsewhere in that file. You can go to the original project or source file by following the links above each example.
Example #1
Source File: RegistryImpl.java — from jdk8u_jdk, GNU General Public License v2.0
/**
 * Builds the registry's configured ObjectInputFilter, if one is present.
 * The system property named by {@code REGISTRY_FILTER_PROPNAME} takes
 * precedence; the security property of the same name is consulted only when
 * the system property is absent. The resulting filter is logged at BRIEF level.
 *
 * @return the filter built from the configured pattern, or {@code null} when
 *         neither property is set
 */
private static ObjectInputFilter initRegistryFilter() {
    String pattern = System.getProperty(REGISTRY_FILTER_PROPNAME);
    if (pattern == null) {
        pattern = Security.getProperty(REGISTRY_FILTER_PROPNAME);
    }
    if (pattern == null) {
        return null;
    }
    // NOTE(review): createFilter2 is the sun.misc-specific factory used for the
    // registry pattern; its exact pattern semantics are not visible in this block.
    ObjectInputFilter configured = ObjectInputFilter.Config.createFilter2(pattern);
    Log regLog = Log.getLog("sun.rmi.registry", "registry", -1);
    if (regLog.isLoggable(Log.BRIEF)) {
        regLog.log(Log.BRIEF, "registryFilter = " + configured);
    }
    return configured;
}
 
Example #2
Source File: SerialFilterTest.java — from jdk8u-jdk, GNU General Public License v2.0
/**
 * Recording filter used by the tests: counts every invocation, collects each
 * class offered to it (serialized lambdas are folded into SerializedLambda,
 * proxy classes into Proxy) and tracks the largest array length, reference
 * count, depth and stream byte count seen. It never decides anything itself
 * and always answers UNDECIDED.
 *
 * @param filter the class and stream limits being checked
 * @return always {@link ObjectInputFilter.Status#UNDECIDED}
 */
@Override
public ObjectInputFilter.Status checkInput(FilterInfo filter) {
    count++;
    Class<?> serialClass = filter.serialClass();
    if (serialClass != null) {
        Class<?> recorded;
        if (serialClass.getName().contains("$$Lambda$")) {
            // TBD: proper identification of serialized Lambdas?
            // A serialized lambda is recorded under the SerializedLambda type.
            recorded = SerializedLambda.class;
        } else if (Proxy.isProxyClass(serialClass)) {
            recorded = Proxy.class;
        } else {
            recorded = serialClass;
        }
        classes.add(recorded);
    }
    // High-water marks of the limits reported across all calls.
    maxArray = Math.max(maxArray, filter.arrayLength());
    maxRefs = Math.max(maxRefs, filter.references());
    maxDepth = Math.max(maxDepth, filter.depth());
    maxBytes = Math.max(maxBytes, filter.streamBytes());
    return ObjectInputFilter.Status.UNDECIDED;
}
 
Example #3
Source File: JceKeyStore.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Filters the object graph deserialized from a JCEKS key-store entry.
 * The outermost object (depth 1) must be a SealedObjectForKeyProtector;
 * beyond {@code MAX_NESTED_DEPTH} any class other than Object is rejected.
 * Anything this method does not reject is handed to the process-wide serial
 * filter when one is configured, otherwise it is left UNDECIDED.
 *
 * @param info the class, depth and stream limits under check
 * @return REJECTED for a wrong top-level class or excessive nesting, else the
 *         process-wide filter's answer, else UNDECIDED
 */
@Override
public ObjectInputFilter.Status
    checkInput(ObjectInputFilter.FilterInfo info) {
    Class<?> serialClass = info.serialClass();
    long depth = info.depth();

    // The top-level object of the entry must be the key-protector wrapper.
    boolean wrongTopLevel = depth == 1
            && serialClass != SealedObjectForKeyProtector.class;
    // Past the nesting limit, only Object (or a check without a class) passes.
    boolean tooDeep = depth > MAX_NESTED_DEPTH
            && serialClass != null
            && serialClass != Object.class;
    if (wrongTopLevel || tooDeep) {
        return Status.REJECTED;
    }

    // Defer to the process-wide filter when one is set.
    ObjectInputFilter globalFilter = ObjectInputFilter.Config.getSerialFilter();
    if (globalFilter == null) {
        return Status.UNDECIDED;
    }
    return globalFilter.checkInput(info);
}
 
Example #4
Source File: FilterWithSecurityManagerTest.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Verifies that replacing the process-wide serial filter is guarded by the
 * security manager: with a SecurityManager installed (and no
 * SerializablePermission "serialFilter" granted) setSerialFilter must throw
 * AccessControlException, and without one it must succeed. The test is a
 * no-op when no process-wide filter is configured for this run.
 *
 * @throws Exception on any failure other than the expected AccessControlException
 */
@Test
public void testGlobalFilter() throws Exception {
    if (ObjectInputFilter.Config.getSerialFilter() == null) {
        return;  // no process-wide filter configured; nothing to replace
    }
    try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
            ObjectInputStream ois = new ObjectInputStream(in)) {
        ObjectInputFilter.Config.setSerialFilter(filter);
        // Reaching here means the call was permitted, which is only correct without a SecurityManager.
        assertFalse(setSecurityManager,
                "When SecurityManager exists, without "
                + "java.security.SerializablePermission(serialFilter) Exception should be thrown");
        ois.readObject();
    } catch (AccessControlException denied) {
        assertTrue(setSecurityManager);
        String reason = denied.getMessage();
        assertTrue(reason.contains("java.io.SerializablePermission"));
        assertTrue(reason.contains("serialFilter"));
    }
}
 
Example #5
Source File: UnicastServerRef.java — from jdk8u-jdk, GNU General Public License v2.0
/**
 * Installs this server ref's ObjectInputFilter on the call's input stream so
 * that the invocation arguments are filtered as they are deserialized.
 * Called by dispatch before the arguments are read. Does nothing when no
 * filter is set or when {@code in} is not an ObjectInputStream.
 *
 * @param in the stream the remote call's arguments will be read from
 * @throws IOException declared for overrides; not thrown by this implementation
 * @throws ClassNotFoundException declared for overrides; not thrown by this implementation
 */
protected void unmarshalCustomCallData(ObjectInput in)
        throws IOException, ClassNotFoundException {
    if (filter == null || !(in instanceof ObjectInputStream)) {
        return;
    }
    final ObjectInputStream ois = (ObjectInputStream) in;
    // The filter is installed under this class's own privileges rather than the caller's.
    PrivilegedAction<Void> installFilter = new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
            return null;
        }
    };
    AccessController.doPrivileged(installFilter);
}
 
Example #6
Source File: UnicastServerRef.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Installs this server ref's ObjectInputFilter on the call's input stream so
 * that the invocation arguments are filtered as they are deserialized.
 * Called by dispatch before the arguments are read. Does nothing when no
 * filter is set or when {@code in} is not an ObjectInputStream.
 *
 * @param in the stream the remote call's arguments will be read from
 * @throws IOException declared for overrides; not thrown by this implementation
 * @throws ClassNotFoundException declared for overrides; not thrown by this implementation
 */
protected void unmarshalCustomCallData(ObjectInput in)
        throws IOException, ClassNotFoundException {
    if (filter == null || !(in instanceof ObjectInputStream)) {
        return;
    }
    final ObjectInputStream ois = (ObjectInputStream) in;
    // The filter is installed under this class's own privileges rather than the caller's.
    PrivilegedAction<Void> installFilter = new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
            return null;
        }
    };
    AccessController.doPrivileged(installFilter);
}
 
Example #7
Source File: FilterWithSecurityManagerTest.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Verifies that replacing the process-wide serial filter is guarded by the
 * security manager: with a SecurityManager installed (and no
 * SerializablePermission "serialFilter" granted) setSerialFilter must throw
 * AccessControlException, and without one it must succeed. The test is a
 * no-op when no process-wide filter is configured for this run.
 *
 * @throws Exception on any failure other than the expected AccessControlException
 */
@Test
public void testGlobalFilter() throws Exception {
    if (ObjectInputFilter.Config.getSerialFilter() == null) {
        return;  // no process-wide filter configured; nothing to replace
    }
    try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
            ObjectInputStream ois = new ObjectInputStream(in)) {
        ObjectInputFilter.Config.setSerialFilter(filter);
        // Reaching here means the call was permitted, which is only correct without a SecurityManager.
        assertFalse(setSecurityManager,
                "When SecurityManager exists, without "
                + "java.security.SerializablePermission(serialFilter) Exception should be thrown");
        ois.readObject();
    } catch (AccessControlException denied) {
        assertTrue(setSecurityManager);
        String reason = denied.getMessage();
        assertTrue(reason.contains("java.io.SerializablePermission"));
        assertTrue(reason.contains("serialFilter"));
    }
}
 
Example #8
Source File: CheckArrayTest.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Test SharedSecrets checkArray with unmodified ObjectInputStream.
 * The filter built from {@code pattern} is installed on a plain
 * ObjectInputStream and checkArray is asked about {@code arraySize}.
 * No exception is acceptable only when {@code array.length >= arraySize};
 * an InvalidClassException only when {@code array.length <= arraySize}.
 *
 * @param pattern filter pattern string understood by Config.createFilter
 * @param arraySize the array length submitted to checkArray
 * @param array the array that is serialized and whose class is checked
 * @throws IOException if serializing the array or reading the stream header fails
 */
@Test(dataProvider = "Patterns")
public void normalOIS(String pattern, int arraySize, Object[] array) throws IOException {
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
    byte[] serialized = SerialFilterTest.writeObjects(array);
    try (ByteArrayInputStream in = new ByteArrayInputStream(serialized);
         ObjectInputStream ois = new ObjectInputStream(in)) {
        boolean rejected;
        try {
            ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
            SharedSecrets.getJavaOISAccess()
                    .checkArray(ois, array.getClass(), arraySize);
            rejected = false;
        } catch (InvalidClassException ice) {
            rejected = true;
        }
        // Whether the check threw must agree with the relation between the two sizes.
        if (rejected) {
            Assert.assertFalse(array.length > arraySize,
                    "Should NOT have thrown InvalidClassException due to array size");
        } else {
            Assert.assertTrue(array.length >= arraySize,
                    "Should have thrown InvalidClassException due to array size");
        }
    }
}
 
Example #9
Source File: SerialFilterTest.java — from dragonwell8_jdk, GNU General Public License v2.0
/**
 * Reads one object from the serialized bytes with the given filter installed
 * on the stream. A filter rejection is an InvalidClassException and reaches
 * the caller as the declared IOException; an empty stream (EOF) is treated
 * as normal completion; a missing class fails the test.
 *
 * @param bytes a byte array to read objects from
 * @param filter the ObjectInputFilter to install before reading
 * @return the object deserialized, or {@code null} if the stream was empty
 * @throws IOException if reading fails or the filter rejects the object
 */
static Object validate(byte[] bytes,
                     ObjectInputFilter filter) throws IOException {
    Object result = null;
    try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
         ObjectInputStream ois = new ObjectInputStream(in)) {
        // Install the filter before any object is read so every class is checked.
        ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
        result = ois.readObject();
    } catch (EOFException endOfStream) {
        // An empty stream is a normal outcome; nothing to return.
    } catch (ClassNotFoundException missing) {
        Assert.fail("Deserializing", missing);
    }
    return result;
}
 
Example #10
Source File: MarshalledObject.java — from JDKSourceCode1.8, MIT License
/**
 * Creates a new <code>MarshalledObjectInputStream</code> that
 * reads its objects from <code>objIn</code> and annotations
 * from <code>locIn</code>.  If <code>locIn</code> is
 * <code>null</code>, then all annotations will be
 * <code>null</code>.  When <code>filter</code> is non-null it is
 * installed on this stream and, if present, on the annotation stream,
 * so both are filtered with the same rules.
 *
 * @param objIn the stream holding the serialized objects
 * @param locIn the stream holding the location annotations, or null
 * @param filter the ObjectInputFilter to apply to both streams, or null for none
 * @throws IOException if either ObjectInputStream cannot be constructed
 */
MarshalledObjectInputStream(InputStream objIn, InputStream locIn,
            ObjectInputFilter filter)
    throws IOException
{
    super(objIn);
    if (locIn == null) {
        this.locIn = null;
    } else {
        this.locIn = new ObjectInputStream(locIn);
    }
    if (filter == null) {
        return;
    }
    final MarshalledObjectInputStream objectStream = this;
    final ObjectInputStream annotationStream = this.locIn;
    // The filters are installed under this class's own privileges rather than the caller's.
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            ObjectInputFilter.Config.setObjectInputFilter(objectStream, filter);
            if (annotationStream != null) {
                ObjectInputFilter.Config.setObjectInputFilter(annotationStream, filter);
            }
            return null;
        }
    });
}
 
Example #11
Source File: CheckArrayTest.java — from jdk8u_jdk, GNU General Public License v2.0
/**
 * Test SharedSecrets checkArray with an ObjectInputStream subclassed to
 * handle all input stream functions. The filter built from {@code pattern}
 * is installed on a MyInputStream and checkArray is asked about
 * {@code arraySize}. No exception is acceptable only when
 * {@code array.length >= arraySize}; an InvalidClassException only when
 * {@code array.length <= arraySize}.
 *
 * @param pattern filter pattern string understood by Config.createFilter
 * @param arraySize the array length submitted to checkArray
 * @param array the array that is serialized and whose class is checked
 * @throws IOException if serializing the array or reading the stream header fails
 */
@Test(dataProvider = "Patterns")
public void subclassedOIS(String pattern, int arraySize, Object[] array) throws IOException {
    byte[] serialized = SerialFilterTest.writeObjects(array);
    try (ByteArrayInputStream in = new ByteArrayInputStream(serialized);
         ObjectInputStream ois = new MyInputStream(in)) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
        // Ask the stream's array check directly with the size under test.
        SharedSecrets.getJavaOISAccess().checkArray(ois, array.getClass(), arraySize);
        // Reaching here means no rejection, which is only correct for a size within the array's length.
        Assert.assertTrue(array.length >= arraySize,
                "Should have thrown InvalidClassException due to array size");
    } catch (InvalidClassException rejected) {
        Assert.assertFalse(array.length > arraySize,
                "Should NOT have thrown InvalidClassException due to array size");
    }
}
 
Example #12
Source File: SerialFilterTest.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Reads one object from the serialized bytes with the given filter installed
 * on the stream. A filter rejection is an InvalidClassException and reaches
 * the caller as the declared IOException; an empty stream (EOF) is treated
 * as normal completion; a missing class fails the test.
 *
 * @param bytes a byte array to read objects from
 * @param filter the ObjectInputFilter to install before reading
 * @return the object deserialized, or {@code null} if the stream was empty
 * @throws IOException if reading fails or the filter rejects the object
 */
static Object validate(byte[] bytes,
                     ObjectInputFilter filter) throws IOException {
    Object result = null;
    try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
         ObjectInputStream ois = new ObjectInputStream(in)) {
        // Install the filter before any object is read so every class is checked.
        ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
        result = ois.readObject();
    } catch (EOFException endOfStream) {
        // An empty stream is a normal outcome; nothing to return.
    } catch (ClassNotFoundException missing) {
        Assert.fail("Deserializing", missing);
    }
    return result;
}
 
Example #13
Source File: GlobalFilterTest.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Test that the process-wide filter is set when the properties are set
 * and has the toString matching the configured pattern. Also checks that a
 * value written with System.setProperty after startup did not become the
 * filter; the expected pattern is read from "expected-" + serialPropName,
 * falling back to the security property.
 */
@Test()
static void globalFilter() {
    ObjectInputFilter installed = ObjectInputFilter.Config.getSerialFilter();
    String installedPattern = Objects.toString(installed, null);
    String securityDefault = Security.getProperty(serialPropName);

    // A late System.setProperty(jdk.serialFilter) must NOT have replaced the filter.
    String lateSystemValue = System.getProperty(serialPropName, securityDefault);
    Assert.assertNotEquals(installedPattern, lateSystemValue,
            "System.setProperty(\"jdk.serialfilter\", ...) should not change filter: " +
            lateSystemValue);

    String expected = System.getProperty("expected-" + serialPropName, securityDefault);
    System.out.printf("global pattern: %s, filter: %s%n", expected, installed);
    Assert.assertEquals(installedPattern, expected,
            "process-wide filter pattern does not match");
}
 
Example #14
Source File: GlobalFilterTest.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Test that the process-wide filter is set when the properties are set
 * and has the toString matching the configured pattern. Also checks that a
 * value written with System.setProperty after startup did not become the
 * filter; the expected pattern is read from "expected-" + serialPropName,
 * falling back to the security property.
 */
@Test()
static void globalFilter() {
    ObjectInputFilter installed = ObjectInputFilter.Config.getSerialFilter();
    String installedPattern = Objects.toString(installed, null);
    String securityDefault = Security.getProperty(serialPropName);

    // A late System.setProperty(jdk.serialFilter) must NOT have replaced the filter.
    String lateSystemValue = System.getProperty(serialPropName, securityDefault);
    Assert.assertNotEquals(installedPattern, lateSystemValue,
            "System.setProperty(\"jdk.serialfilter\", ...) should not change filter: " +
            lateSystemValue);

    String expected = System.getProperty("expected-" + serialPropName, securityDefault);
    System.out.printf("global pattern: %s, filter: %s%n", expected, installed);
    Assert.assertEquals(installedPattern, expected,
            "process-wide filter pattern does not match");
}
 
Example #15
Source File: FilterWithSecurityManagerTest.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Verifies that replacing the process-wide serial filter is guarded by the
 * security manager: with a SecurityManager installed (and no
 * SerializablePermission "serialFilter" granted) setSerialFilter must throw
 * AccessControlException, and without one it must succeed. The test is a
 * no-op when no process-wide filter is configured for this run.
 *
 * @throws Exception on any failure other than the expected AccessControlException
 */
@Test
public void testGlobalFilter() throws Exception {
    if (ObjectInputFilter.Config.getSerialFilter() == null) {
        return;  // no process-wide filter configured; nothing to replace
    }
    try (ByteArrayInputStream in = new ByteArrayInputStream(bytes);
            ObjectInputStream ois = new ObjectInputStream(in)) {
        ObjectInputFilter.Config.setSerialFilter(filter);
        // Reaching here means the call was permitted, which is only correct without a SecurityManager.
        assertFalse(setSecurityManager,
                "When SecurityManager exists, without "
                + "java.security.SerializablePermission(serialFilter) Exception should be thrown");
        ois.readObject();
    } catch (AccessControlException denied) {
        assertTrue(setSecurityManager);
        String reason = denied.getMessage();
        assertTrue(reason.contains("java.io.SerializablePermission"));
        assertTrue(reason.contains("serialFilter"));
    }
}
 
Example #16
Source File: CheckArrayTest.java — from jdk8u_jdk, GNU General Public License v2.0
/**
 * Test SharedSecrets checkArray with unmodified ObjectInputStream.
 * The filter built from {@code pattern} is installed on a plain
 * ObjectInputStream and checkArray is asked about {@code arraySize}.
 * No exception is acceptable only when {@code array.length >= arraySize};
 * an InvalidClassException only when {@code array.length <= arraySize}.
 *
 * @param pattern filter pattern string understood by Config.createFilter
 * @param arraySize the array length submitted to checkArray
 * @param array the array that is serialized and whose class is checked
 * @throws IOException if serializing the array or reading the stream header fails
 */
@Test(dataProvider = "Patterns")
public void normalOIS(String pattern, int arraySize, Object[] array) throws IOException {
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
    byte[] serialized = SerialFilterTest.writeObjects(array);
    try (ByteArrayInputStream in = new ByteArrayInputStream(serialized);
         ObjectInputStream ois = new ObjectInputStream(in)) {
        boolean rejected;
        try {
            ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
            SharedSecrets.getJavaOISAccess()
                    .checkArray(ois, array.getClass(), arraySize);
            rejected = false;
        } catch (InvalidClassException ice) {
            rejected = true;
        }
        // Whether the check threw must agree with the relation between the two sizes.
        if (rejected) {
            Assert.assertFalse(array.length > arraySize,
                    "Should NOT have thrown InvalidClassException due to array size");
        } else {
            Assert.assertTrue(array.length >= arraySize,
                    "Should have thrown InvalidClassException due to array size");
        }
    }
}
 
Example #17
Source File: MarshalledObject.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Creates a new <code>MarshalledObjectInputStream</code> that
 * reads its objects from <code>objIn</code> and annotations
 * from <code>locIn</code>.  If <code>locIn</code> is
 * <code>null</code>, then all annotations will be
 * <code>null</code>.  When <code>filter</code> is non-null it is
 * installed on this stream and, if present, on the annotation stream,
 * so both are filtered with the same rules.
 *
 * @param objIn the stream holding the serialized objects
 * @param locIn the stream holding the location annotations, or null
 * @param filter the ObjectInputFilter to apply to both streams, or null for none
 * @throws IOException if either ObjectInputStream cannot be constructed
 */
MarshalledObjectInputStream(InputStream objIn, InputStream locIn,
            ObjectInputFilter filter)
    throws IOException
{
    super(objIn);
    if (locIn == null) {
        this.locIn = null;
    } else {
        this.locIn = new ObjectInputStream(locIn);
    }
    if (filter == null) {
        return;
    }
    final MarshalledObjectInputStream objectStream = this;
    final ObjectInputStream annotationStream = this.locIn;
    // The filters are installed under this class's own privileges rather than the caller's.
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            ObjectInputFilter.Config.setObjectInputFilter(objectStream, filter);
            if (annotationStream != null) {
                ObjectInputFilter.Config.setObjectInputFilter(annotationStream, filter);
            }
            return null;
        }
    });
}
 
Example #18
Source File: SerialFilterTest.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * Recording filter used by the tests: echoes each call to stdout, counts
 * every invocation, collects each class offered to it (serialized lambdas are
 * folded into SerializedLambda, proxy classes into Proxy) and tracks the
 * largest array length, reference count, depth and stream byte count seen.
 * It never decides anything itself and always answers UNDECIDED.
 *
 * @param filter the class and stream limits being checked
 * @return always {@link ObjectInputFilter.Status#UNDECIDED}
 */
@Override
public ObjectInputFilter.Status checkInput(FilterInfo filter) {
    Class<?> serialClass = filter.serialClass();
    System.out.printf("     checkInput: class: %s, arrayLen: %d, refs: %d, depth: %d, bytes; %d%n",
            serialClass, filter.arrayLength(), filter.references(),
            filter.depth(), filter.streamBytes());
    count++;
    if (serialClass != null) {
        Class<?> recorded;
        if (serialClass.getName().contains("$$Lambda$")) {
            // TBD: proper identification of serialized Lambdas?
            // A serialized lambda is recorded under the SerializedLambda type.
            recorded = SerializedLambda.class;
        } else if (Proxy.isProxyClass(serialClass)) {
            recorded = Proxy.class;
        } else {
            recorded = serialClass;
        }
        classes.add(recorded);
    }
    // High-water marks of the limits reported across all calls.
    maxArray = Math.max(maxArray, filter.arrayLength());
    maxRefs = Math.max(maxRefs, filter.references());
    maxDepth = Math.max(maxDepth, filter.depth());
    maxBytes = Math.max(maxBytes, filter.streamBytes());
    return ObjectInputFilter.Status.UNDECIDED;
}
 
Example #19
Source File: MarshalledObject.java — from jdk8u_jdk, GNU General Public License v2.0
/**
 * Creates a new <code>MarshalledObjectInputStream</code> that
 * reads its objects from <code>objIn</code> and annotations
 * from <code>locIn</code>.  If <code>locIn</code> is
 * <code>null</code>, then all annotations will be
 * <code>null</code>.  When <code>filter</code> is non-null it is
 * installed on this stream and, if present, on the annotation stream,
 * so both are filtered with the same rules.
 *
 * @param objIn the stream holding the serialized objects
 * @param locIn the stream holding the location annotations, or null
 * @param filter the ObjectInputFilter to apply to both streams, or null for none
 * @throws IOException if either ObjectInputStream cannot be constructed
 */
MarshalledObjectInputStream(InputStream objIn, InputStream locIn,
            ObjectInputFilter filter)
    throws IOException
{
    super(objIn);
    if (locIn == null) {
        this.locIn = null;
    } else {
        this.locIn = new ObjectInputStream(locIn);
    }
    if (filter == null) {
        return;
    }
    final MarshalledObjectInputStream objectStream = this;
    final ObjectInputStream annotationStream = this.locIn;
    // The filters are installed under this class's own privileges rather than the caller's.
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            ObjectInputFilter.Config.setObjectInputFilter(objectStream, filter);
            if (annotationStream != null) {
                ObjectInputFilter.Config.setObjectInputFilter(annotationStream, filter);
            }
            return null;
        }
    });
}
 
Example #20
Source File: SerialFilterTest.java — from dragonwell8_jdk, GNU General Public License v2.0
/**
 * Recording filter used by the tests: echoes each call to stdout, counts
 * every invocation, collects each class offered to it (serialized lambdas are
 * folded into SerializedLambda, proxy classes into Proxy) and tracks the
 * largest array length, reference count, depth and stream byte count seen.
 * It never decides anything itself and always answers UNDECIDED.
 *
 * @param filter the class and stream limits being checked
 * @return always {@link ObjectInputFilter.Status#UNDECIDED}
 */
@Override
public ObjectInputFilter.Status checkInput(FilterInfo filter) {
    Class<?> serialClass = filter.serialClass();
    System.out.printf("     checkInput: class: %s, arrayLen: %d, refs: %d, depth: %d, bytes; %d%n",
            serialClass, filter.arrayLength(), filter.references(),
            filter.depth(), filter.streamBytes());
    count++;
    if (serialClass != null) {
        Class<?> recorded;
        if (serialClass.getName().contains("$$Lambda$")) {
            // TBD: proper identification of serialized Lambdas?
            // A serialized lambda is recorded under the SerializedLambda type.
            recorded = SerializedLambda.class;
        } else if (Proxy.isProxyClass(serialClass)) {
            recorded = Proxy.class;
        } else {
            recorded = serialClass;
        }
        classes.add(recorded);
    }
    // High-water marks of the limits reported across all calls.
    maxArray = Math.max(maxArray, filter.arrayLength());
    maxRefs = Math.max(maxRefs, filter.references());
    maxDepth = Math.max(maxDepth, filter.depth());
    maxBytes = Math.max(maxBytes, filter.streamBytes());
    return ObjectInputFilter.Status.UNDECIDED;
}
 
Example #21
Source File: FilterUSRTest.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Test filter that rejects exactly the RejectME class and counts every other
 * check, leaving the decision for those to the stream.
 *
 * @param info the class and stream limits being checked
 * @return REJECTED for RejectME, UNDECIDED for everything else
 */
@Override
public Status checkInput(ObjectInputFilter.FilterInfo info) {
    if (info.serialClass() != RejectME.class) {
        count++;  // only checks that are not rejected are counted
        return Status.UNDECIDED;
    }
    return Status.REJECTED;
}
 
Example #22
Source File: SerialFilterTest.java — from dragonwell8_jdk, GNU General Public License v2.0
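/**
 * Filter paired with a ReadResolveToArray test object: the object's own class
 * is always allowed; any other class must be exactly {@code array.getClass()}
 * and, when an array length is being checked, that length must equal
 * {@code length}; otherwise the check is rejected. A check that carries no
 * class (serialClass() is null, as the FilterInfo contract permits) is left
 * UNDECIDED instead of dereferencing null.
 *
 * @param filter the class, array length and stream limits under check
 * @return ALLOWED for ReadResolveToArray, REJECTED for a wrong class or
 *         array length, UNDECIDED otherwise
 */
@Override
public ObjectInputFilter.Status checkInput(FilterInfo filter) {
    Class<?> serialClass = filter.serialClass();
    if (serialClass == null) {
        // Class.isAssignableFrom(null) would throw NullPointerException; there is nothing to judge.
        return ObjectInputFilter.Status.UNDECIDED;
    }
    if (ReadResolveToArray.class.isAssignableFrom(serialClass)) {
        return ObjectInputFilter.Status.ALLOWED;
    }
    // Reject any other class, or the expected array class with an unexpected length.
    if (serialClass != array.getClass() ||
            (filter.arrayLength() >= 0 && filter.arrayLength() != length)) {
        return ObjectInputFilter.Status.REJECTED;
    }
    return ObjectInputFilter.Status.UNDECIDED;
}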
 
Example #23
Source File: SerialFilterTest.java — from jdk8u_jdk, GNU General Public License v2.0
/**
 * Create a filter from a pattern and API factory, then serialize and
 * deserialize an object and check allowed or reject. A malformed pattern
 * (IllegalArgumentException) and any IOException other than the filter's
 * InvalidClassException fail the test outright.
 *
 * @param pattern the pattern
 * @param object the test object
 * @param allowed the expected result from ObjectInputStream (exception or not)
 */
static void testPatterns(String pattern, Object object, boolean allowed) {
    try {
        byte[] serialized = SerialFilterTest.writeObjects(object);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        validate(serialized, filter);
        // Reaching here means the filter let the object through.
        Assert.assertTrue(allowed, "filter should have thrown an exception");
    } catch (IllegalArgumentException badPattern) {
        Assert.fail("bad format pattern", badPattern);
    } catch (InvalidClassException rejected) {
        // A filter rejection surfaces as InvalidClassException.
        Assert.assertFalse(allowed, "filter should not have thrown an exception: " + rejected);
    } catch (IOException unexpected) {
        Assert.fail("Unexpected IOException", unexpected);
    }
}
 
Example #24
Source File: SerialFilterTest.java — from dragonwell8_jdk, GNU General Public License v2.0
/**
 * Create a filter from a pattern and API factory, then serialize and
 * deserialize an object and check allowed or reject. A malformed pattern
 * (IllegalArgumentException) and any IOException other than the filter's
 * InvalidClassException fail the test outright.
 *
 * @param pattern the pattern
 * @param object the test object
 * @param allowed the expected result from ObjectInputStream (exception or not)
 */
static void testPatterns(String pattern, Object object, boolean allowed) {
    try {
        byte[] serialized = SerialFilterTest.writeObjects(object);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        validate(serialized, filter);
        // Reaching here means the filter let the object through.
        Assert.assertTrue(allowed, "filter should have thrown an exception");
    } catch (IllegalArgumentException badPattern) {
        Assert.fail("bad format pattern", badPattern);
    } catch (InvalidClassException rejected) {
        // A filter rejection surfaces as InvalidClassException.
        Assert.assertFalse(allowed, "filter should not have thrown an exception: " + rejected);
    } catch (IOException unexpected) {
        Assert.fail("Unexpected IOException", unexpected);
    }
}
 
Example #25
Source File: SerialFilterTest.java — from openjdk-jdk8u, GNU General Public License v2.0
/**
 * Create a filter from a pattern and API factory, then serialize and
 * deserialize an object and check allowed or reject. A malformed pattern
 * (IllegalArgumentException) and any IOException other than the filter's
 * InvalidClassException fail the test outright.
 *
 * @param pattern the pattern
 * @param object the test object
 * @param allowed the expected result from ObjectInputStream (exception or not)
 */
static void testPatterns(String pattern, Object object, boolean allowed) {
    try {
        byte[] serialized = SerialFilterTest.writeObjects(object);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        validate(serialized, filter);
        // Reaching here means the filter let the object through.
        Assert.assertTrue(allowed, "filter should have thrown an exception");
    } catch (IllegalArgumentException badPattern) {
        Assert.fail("bad format pattern", badPattern);
    } catch (InvalidClassException rejected) {
        // A filter rejection surfaces as InvalidClassException.
        Assert.assertFalse(allowed, "filter should not have thrown an exception: " + rejected);
    } catch (IOException unexpected) {
        Assert.fail("Unexpected IOException", unexpected);
    }
}
 
Example #26
Source File: RegistryImpl.java — from openjdk-jdk8u-backup, GNU General Public License v2.0
/**
 * ObjectInputFilter to filter Registry input objects.
 * The list of acceptable classes is limited to classes normally
 * stored in a registry. A configured registry filter, when present, is
 * consulted first and wins whenever it reaches a decision; otherwise the
 * built-in rules apply: nesting deeper than {@code REGISTRY_MAX_DEPTH} is
 * rejected, arrays are rejected only when longer than
 * {@code REGISTRY_MAX_ARRAY_SIZE}, and any other class must be on the
 * explicit allow-list below or it is rejected.
 *
 * @param filterInfo access to the class, array length, etc.
 * @return  {@link ObjectInputFilter.Status#ALLOWED} if allowed,
 *          {@link ObjectInputFilter.Status#REJECTED} if rejected,
 *          otherwise {@link ObjectInputFilter.Status#UNDECIDED}
 */
private static ObjectInputFilter.Status registryFilter(ObjectInputFilter.FilterInfo filterInfo) {
    // A configured filter may override the built-in allow-list, but only when it decides.
    if (registryFilter != null) {
        ObjectInputFilter.Status decision = registryFilter.checkInput(filterInfo);
        if (decision != ObjectInputFilter.Status.UNDECIDED) {
            return decision;
        }
    }

    // Nesting limit is enforced before the class is examined.
    if (filterInfo.depth() > REGISTRY_MAX_DEPTH) {
        return ObjectInputFilter.Status.REJECTED;
    }

    Class<?> clazz = filterInfo.serialClass();
    if (clazz == null) {
        // No class in this check; nothing further to decide here.
        return ObjectInputFilter.Status.UNDECIDED;
    }
    if (clazz.isArray()) {
        // Arrays are REJECTED only if they exceed the length limit.
        long arrayLength = filterInfo.arrayLength();
        boolean tooLong = arrayLength >= 0 && arrayLength > REGISTRY_MAX_ARRAY_SIZE;
        return tooLong ? ObjectInputFilter.Status.REJECTED
                       : ObjectInputFilter.Status.UNDECIDED;
    }

    // Explicit allow-list: anything not matched here is rejected.
    boolean knownRegistryClass =
            String.class == clazz
            || java.lang.Number.class.isAssignableFrom(clazz)
            || Remote.class.isAssignableFrom(clazz)
            || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
            || UnicastRef.class.isAssignableFrom(clazz)
            || RMIClientSocketFactory.class.isAssignableFrom(clazz)
            || RMIServerSocketFactory.class.isAssignableFrom(clazz)
            || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)
            || java.rmi.server.UID.class.isAssignableFrom(clazz);
    return knownRegistryClass ? ObjectInputFilter.Status.ALLOWED
                              : ObjectInputFilter.Status.REJECTED;
}
 
Example #27
Source File: FilterWithSecurityManagerTest.java — from dragonwell8_jdk, GNU General Public License v2.0
/**
 * Prepares the fixtures shared by the tests: records whether a SecurityManager
 * is installed, serializes a single Long into {@code bytes}, and builds
 * {@code filter} from the pattern "java.lang.Long".
 *
 * @throws Exception if serializing the fixture fails
 */
@BeforeClass
public void setup() throws Exception {
    setSecurityManager = (System.getSecurityManager() != null);
    Object payload = Long.MAX_VALUE;
    bytes = SerialFilterTest.writeObjects(payload);
    filter = ObjectInputFilter.Config.createFilter("java.lang.Long");
}
 
Example #28
Source File: SerialFilterTest.java — from TencentKona-8, GNU General Public License v2.0
/**
 * Test that Config.createFilter returns null if the argument does not contain
 * any patterns or limits: both the empty string and a string made only of
 * ';' delimiters must yield no filter.
 */
@Test()
static void testEmptyPattern() {
    ObjectInputFilter fromEmpty = ObjectInputFilter.Config.createFilter("");
    Assert.assertNull(fromEmpty, "empty pattern did not return null");

    ObjectInputFilter fromDelimitersOnly = ObjectInputFilter.Config.createFilter(";;;;");
    Assert.assertNull(fromDelimitersOnly, "pattern with only delimiters did not return null");
}
 
Example #29
Source File: SerialFilterTest.java — from jdk8u-jdk, GNU General Public License v2.0
/**
 * Test that Config.createFilter returns null if the argument does not contain
 * any patterns or limits: both the empty string and a string made only of
 * ';' delimiters must yield no filter.
 */
@Test()
static void testEmptyPattern() {
    ObjectInputFilter fromEmpty = ObjectInputFilter.Config.createFilter("");
    Assert.assertNull(fromEmpty, "empty pattern did not return null");

    ObjectInputFilter fromDelimitersOnly = ObjectInputFilter.Config.createFilter(";;;;");
    Assert.assertNull(fromDelimitersOnly, "pattern with only delimiters did not return null");
}
 
Example #30
Source File: CheckInputOrderTest.java — from dragonwell8_jdk, GNU General Public License v2.0
/**
 * Test:
 *   "global filter reject" + "specific ObjectInputStream filter is empty" => should reject
 *   "global filter reject" + "specific ObjectInputStream filter allow"    => should allow
 * The object is serialized, a stream-specific filter built from {@code pattern}
 * is installed, and readObject must throw InvalidClassException exactly when
 * {@code allowed} is false.
 *
 * @param toDeserialized the object to serialize and read back
 * @param pattern the stream-specific filter pattern
 * @param allowed whether readObject is expected to succeed
 * @throws Exception on any failure other than the expected InvalidClassException
 */
@Test(dataProvider="Patterns")
public void testRejectedInGlobal(Object toDeserialized, String pattern, boolean allowed) throws Exception {
    byte[] serialized = SerialFilterTest.writeObjects(toDeserialized);
    ObjectInputFilter streamFilter = ObjectInputFilter.Config.createFilter(pattern);

    try (ByteArrayInputStream in = new ByteArrayInputStream(serialized);
            ObjectInputStream ois = new ObjectInputStream(in)) {
        ObjectInputFilter.Config.setObjectInputFilter(ois, streamFilter);
        ois.readObject();
        // Reaching here means nothing rejected the object.
        assertTrue(allowed, "filter should have thrown an exception");
    } catch (InvalidClassException rejected) {
        assertFalse(allowed, "filter should have thrown an exception");
    }
}