Diffstat (limited to 'eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java')
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java60
1 files changed, 54 insertions, 6 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
index e15c6800..efb4c9be 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
@@ -5,10 +5,12 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
-import java.util.List;
+import java.util.Set;
import org.springframework.lang.Nullable;
+import at.gv.egiz.eaaf.core.impl.utils.EaafObjectInputStream.Mode;
+
public class EaafSerializationUtils {
private EaafSerializationUtils() {
@@ -42,20 +44,65 @@ public class EaafSerializationUtils {
}
/**
- * Deserialize the byte array into an object.
+ * Deserialize the byte array into an object with strict allow-list of classes.
+ *
+ * <p>
+ * Allow all classes that exact match to elements in allow-list.
+ * </p>
*
- * @param bytes a serialized object
- * @param allowedClassName List of classnames that are allowed for deserialization
+ * @param bytes a serialized object
+ * @param allowedClassName List of classnames that are explicit allowed for
+ * deserialization
* @return the result of deserializing the bytes
*/
@Nullable
- public static Object deserialize(@Nullable byte[] bytes, List<String> allowedClassName) {
+ public static Object strictDeserialize(@Nullable byte[] bytes, Set<Class<?>> allowedClassName) {
+ if (bytes == null) {
+ return null;
+
+ }
+
+ try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes),
+ allowedClassName, null, Mode.STRICT)) {
+ return ois.readObject();
+
+ } catch (final IOException ex) {
+ throw new IllegalArgumentException("Failed to deserialize object", ex);
+
+ } catch (final ClassNotFoundException ex) {
+ throw new IllegalStateException("Failed to deserialize object type", ex);
+
+ }
+ }
+
+ /**
+ * Deserialize the byte array into an object with type-specific allow-list of
+ * classes.
+ *
+ * <p>
+ * Allow all classes that the same or a super-type of elements in
+ * allow-list.<br>
+ * <b>Hint:</b> Do NOT set {@link Object} as allowed class, because any class is
+ * an super-type of {@link Object}. This method implementation allows
+ * {@link Object} as explicit type with strict check-mode.
+ * </p>
+ *
+ * @param bytes a serialized object
+ * @param allowedClassName List of classes that are explicit allowed for
+ * deserialization
+ * @param initalClassType First / Initial class type that are required
+ * @return the result of deserializing the bytes
+ */
+ @Nullable
+ public static Object typeSpecificDeserialize(@Nullable byte[] bytes, Set<Class<?>> allowedClassName,
+ Class<?> initalClassType) {
if (bytes == null) {
return null;
}
- try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes), allowedClassName)) {
+ try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes),
+ allowedClassName, initalClassType, Mode.TYPE_SPECIFIC)) {
return ois.readObject();
} catch (final IOException ex) {
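Review bot: The Javadoc on `typeSpecificDeserialize` states the type relation backwards ("the same or a super-type of elements in allow-list", "any class is an super-type of {@link Object}"), and callers will rely on that sentence to judge how wide an allow-list is safe. Assuming `Mode.TYPE_SPECIFIC` accepts any class assignable to an allow-list entry (the check lives in `EaafObjectInputStream`, which is not shown here, so please confirm the direction), I would write `Allows every class that is equal to, or a sub-type of, an element of the allow-list.` and widen the hint to `Do NOT add {@link Object} or any other broad base class or interface (e.g. {@link java.io.Serializable}) to the allow-list, because every class that extends or implements it becomes deserializable.` The `@param allowedClassName` text on `strictDeserialize` still says "List of classnames" although the parameter is now a `Set<Class<?>>`, and neither method documents what a `null` allow-list or a `null` `initalClassType` does. The body of `typeSpecificDeserialize` continues past the end of this hunk.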
@@ -66,4 +113,5 @@ public class EaafSerializationUtils {
}
}
+
}