authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-07-03 10:46:08 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-07-03 10:46:08 +0200
commite5aa912f1d824ba4d3f9d0091a356a0da183dd4d (patch)
treeae3303fb985893dfe7f64767612df0fc6055c700 /eaaf_core_utils/src/main/java/at
parent103338c59196060b64402048b3073cb8132f3dca (diff)
add EAAF-specific serializer that supports whitelisting of classes
Diffstat (limited to 'eaaf_core_utils/src/main/java/at')
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java39
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java69
2 files changed, 108 insertions, 0 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
new file mode 100644
index 00000000..e15c7a37
--- /dev/null
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
@@ -0,0 +1,39 @@
+package at.gv.egiz.eaaf.core.impl.utils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.List;
+
+import javax.annotation.Nonnull;
+
+public class EaafObjectInputStream extends ObjectInputStream {
+
+ private List<String> allowedClassNames;
+
+ /**
+ * Object input-stream with internal class validation.
+ *
+ * @param is Inputstream to deserialize.
+ * @param classNames Whitelisted classnames
+ * @throws IOException In case of an error
+ */
+ public EaafObjectInputStream(@Nonnull InputStream is, @Nonnull List<String> classNames) throws IOException {
+ super(is);
+ this.allowedClassNames = classNames;
+
+ }
+
+ //Only deserialize instances of our expected class
+ @Override
+ protected Class<?> resolveClass(ObjectStreamClass desc)
+ throws IOException, ClassNotFoundException {
+ if (!allowedClassNames.contains(desc.getName())) {
+ throw new InvalidClassException("Unauthorized deserialization attempt: {}",desc.getName());
+
+ }
+ return super.resolveClass(desc);
+ }
+}
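Review bot: The rejection message on line 59 does not read as intended: `InvalidClassException(String, String)` is the `(className, reason)` constructor, so the SLF4J-style `{}` is never substituted and the stream's class name lands in the reason text; use `throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");` so the offending class is carried in the exception's `classname` field and the message stays readable. Two hardening gaps are worth closing in the same class: `resolveProxyClass` is not overridden, so dynamic-proxy descriptors in the stream are resolved without consulting the whitelist (overriding it to throw, or to require every interface name to be whitelisted, closes that), and `desc.getName()` for array types is the JVM descriptor form (e.g. `[Ljava.lang.String;`), which callers must whitelist explicitly — a Javadoc line on the `classNames` parameter should say so. `allowedClassNames` could also be `final` and a defensive copy of the caller's list, which is currently held by reference and mutable from outside. On Java 9+ the same policy can be expressed with `ObjectInputFilter`, which additionally covers stream depth and array-length limits that this class does not enforce.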
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
new file mode 100644
index 00000000..e15c6800
--- /dev/null
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
@@ -0,0 +1,69 @@
+package at.gv.egiz.eaaf.core.impl.utils;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.util.List;
+
+import org.springframework.lang.Nullable;
+
+public class EaafSerializationUtils {
+
+ private EaafSerializationUtils() {
+
+ }
+
+ /**
+ * Serialize a given Java object into a byte array.
+ *
+ * @param object Java object to serialize.
+ * @return Serialized Java object
+ */
+ @Nullable
+ public static byte[] serialize(@Nullable Object object) {
+ if (object == null) {
+ return null;
+
+ }
+
+ final ByteArrayOutputStream baos = new ByteArrayOutputStream(1024);
+ try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
+ oos.writeObject(object);
+ oos.flush();
+
+ } catch (final IOException ex) {
+ throw new IllegalArgumentException("Failed to serialize object of type: " + object.getClass(), ex);
+
+ }
+
+ return baos.toByteArray();
+ }
+
+ /**
+ * Deserialize the byte array into an object.
+ *
+ * @param bytes a serialized object
+ * @param allowedClassName List of classnames that are allowed for deserialization
+ * @return the result of deserializing the bytes
+ */
+ @Nullable
+ public static Object deserialize(@Nullable byte[] bytes, List<String> allowedClassName) {
+ if (bytes == null) {
+ return null;
+
+ }
+
+ try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes), allowedClassName)) {
+ return ois.readObject();
+
+ } catch (final IOException ex) {
+ throw new IllegalArgumentException("Failed to deserialize object", ex);
+
+ } catch (final ClassNotFoundException ex) {
+ throw new IllegalStateException("Failed to deserialize object type", ex);
+
+ }
+ }
+}
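Review bot: `deserialize` on line 122 hands `allowedClassName` straight to `EaafObjectInputStream` without validating it, so a `null` list surfaces as a `NullPointerException` from `resolveClass` instead of one of the exception types this method is documented to throw, and an empty list silently rejects every stream; add `Objects.requireNonNull(allowedClassName, "allowedClassName")` (needs `java.util.Objects`) and arguably reject an empty list before constructing the stream. The `catch (IOException)` on line 131 also folds a whitelist rejection (`InvalidClassException`) into the generic "Failed to deserialize object" `IllegalArgumentException`, so callers and log monitoring cannot tell a malformed payload from a blocked deserialization attempt; catching `InvalidClassException` first with a distinct message preserves that signal. Since the parameter is a list of names it reads more naturally as `allowedClassNames`, and it should carry `@Nonnull` to match the stream class it feeds.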