1 /* |
1 /* |
2 * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
186 * If a {@linkplain #setObjectInputFilter(ObjectInputFilter) filter is set} |
186 * If a {@linkplain #setObjectInputFilter(ObjectInputFilter) filter is set} |
187 * on an ObjectInputStream, the {@link ObjectInputFilter} can check that |
187 * on an ObjectInputStream, the {@link ObjectInputFilter} can check that |
188 * the classes, array lengths, number of references in the stream, depth, and |
188 * the classes, array lengths, number of references in the stream, depth, and |
189 * number of bytes consumed from the input stream are allowed and |
189 * number of bytes consumed from the input stream are allowed and |
190 * if not, can terminate deserialization. |
190 * if not, can terminate deserialization. |
191 * A {@linkplain ObjectInputFilter.Config#setSerialFilter(ObjectInputFilter) process-wide filter} |
191 * A {@linkplain ObjectInputFilter.Config#setSerialFilter(ObjectInputFilter) system-wide filter} |
192 * can be configured that is applied to each {@code ObjectInputStream} unless replaced |
192 * can be configured that is applied to each {@code ObjectInputStream} unless replaced |
193 * using {@link #setObjectInputFilter(ObjectInputFilter) setObjectInputFilter}. |
193 * using {@link #setObjectInputFilter(ObjectInputFilter) setObjectInputFilter}. |
194 * |
194 * |
195 * <p>Any exception that occurs while deserializing an object will be caught by |
195 * <p>Any exception that occurs while deserializing an object will be caught by |
196 * the ObjectInputStream and abort the reading process. |
196 * the ObjectInputStream and abort the reading process. |
320 * A serialization stream header is read from the stream and verified. |
320 * A serialization stream header is read from the stream and verified. |
321 * This constructor will block until the corresponding ObjectOutputStream |
321 * This constructor will block until the corresponding ObjectOutputStream |
322 * has written and flushed the header. |
322 * has written and flushed the header. |
323 * |
323 * |
324 * <p>The serialization filter is initialized to the value of |
324 * <p>The serialization filter is initialized to the value of |
325 * {@linkplain ObjectInputFilter.Config#getSerialFilter() the process-wide filter}. |
325 * {@linkplain ObjectInputFilter.Config#getSerialFilter() the system-wide filter}. |
326 * |
326 * |
327 * <p>If a security manager is installed, this constructor will check for |
327 * <p>If a security manager is installed, this constructor will check for |
328 * the "enableSubclassImplementation" SerializablePermission when invoked |
328 * the "enableSubclassImplementation" SerializablePermission when invoked |
329 * directly or indirectly by the constructor of a subclass which overrides |
329 * directly or indirectly by the constructor of a subclass which overrides |
330 * the ObjectInputStream.readFields or ObjectInputStream.readUnshared |
330 * the ObjectInputStream.readFields or ObjectInputStream.readUnshared |
355 * Provide a way for subclasses that are completely reimplementing |
355 * Provide a way for subclasses that are completely reimplementing |
356 * ObjectInputStream to not have to allocate private data just used by this |
356 * ObjectInputStream to not have to allocate private data just used by this |
357 * implementation of ObjectInputStream. |
357 * implementation of ObjectInputStream. |
358 * |
358 * |
359 * <p>The serialization filter is initialized to the value of |
359 * <p>The serialization filter is initialized to the value of |
360 * {@linkplain ObjectInputFilter.Config#getSerialFilter() the process-wide filter}. |
360 * {@linkplain ObjectInputFilter.Config#getSerialFilter() the system-wide filter}. |
361 * |
361 * |
362 * <p>If there is a security manager installed, this method first calls the |
362 * <p>If there is a security manager installed, this method first calls the |
363 * security manager's <code>checkPermission</code> method with the |
363 * security manager's <code>checkPermission</code> method with the |
364 * <code>SerializablePermission("enableSubclassImplementation")</code> |
364 * <code>SerializablePermission("enableSubclassImplementation")</code> |
365 * permission to ensure it's ok to enable subclassing. |
365 * permission to ensure it's ok to enable subclassing. |
1155 |
1155 |
1156 /** |
1156 /** |
1157 * Returns the serialization filter for this stream. |
1157 * Returns the serialization filter for this stream. |
1158 * The serialization filter is the most recent filter set in |
1158 * The serialization filter is the most recent filter set in |
1159 * {@link #setObjectInputFilter setObjectInputFilter} or |
1159 * {@link #setObjectInputFilter setObjectInputFilter} or |
1160 * the initial process-wide filter from |
1160 * the initial system-wide filter from |
1161 * {@link ObjectInputFilter.Config#getSerialFilter() ObjectInputFilter.Config.getSerialFilter}. |
1161 * {@link ObjectInputFilter.Config#getSerialFilter() ObjectInputFilter.Config.getSerialFilter}. |
1162 * |
1162 * |
1163 * @return the serialization filter for the stream; may be null |
1163 * @return the serialization filter for the stream; may be null |
1164 * @since 9 |
1164 * @since 9 |
1165 */ |
1165 */ |
1231 * |
1231 * |
1232 * @param filter the filter, may be null |
1232 * @param filter the filter, may be null |
1233 * @throws SecurityException if there is security manager and the |
1233 * @throws SecurityException if there is security manager and the |
1234 * {@code SerializablePermission("serialFilter")} is not granted |
1234 * {@code SerializablePermission("serialFilter")} is not granted |
1235 * @throws IllegalStateException if the {@linkplain #getObjectInputFilter() current filter} |
1235 * @throws IllegalStateException if the {@linkplain #getObjectInputFilter() current filter} |
1236 * is not {@code null} and is not the process-wide filter |
1236 * is not {@code null} and is not the system-wide filter |
1237 * @since 9 |
1237 * @since 9 |
1238 */ |
1238 */ |
1239 public final void setObjectInputFilter(ObjectInputFilter filter) { |
1239 public final void setObjectInputFilter(ObjectInputFilter filter) { |
1240 SecurityManager sm = System.getSecurityManager(); |
1240 SecurityManager sm = System.getSecurityManager(); |
1241 if (sm != null) { |
1241 if (sm != null) { |
1242 sm.checkPermission(ObjectStreamConstants.SERIAL_FILTER_PERMISSION); |
1242 sm.checkPermission(ObjectStreamConstants.SERIAL_FILTER_PERMISSION); |
1243 } |
1243 } |
1244 // Allow replacement of the process-wide filter if not already set |
1244 // Allow replacement of the system-wide filter if not already set |
1245 if (serialFilter != null && |
1245 if (serialFilter != null && |
1246 serialFilter != ObjectInputFilter.Config.getSerialFilter()) { |
1246 serialFilter != ObjectInputFilter.Config.getSerialFilter()) { |
1247 throw new IllegalStateException("filter can not be set more than once"); |
1247 throw new IllegalStateException("filter can not be set more than once"); |
1248 } |
1248 } |
1249 this.serialFilter = filter; |
1249 this.serialFilter = filter; |
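Review bot: In `setObjectInputFilter`, the guard above `this.serialFilter = filter;` only rejects a second per-stream filter, so a call with a null `filter` while the stream still holds the system-wide filter leaves this stream with no filter at all, and the Javadoc's `may be null` does not state that consequence. I would spell it out on the tag, for example `@param filter the filter, may be null; a null filter removes the system-wide filter from this stream`, or have the method throw `IllegalStateException` when `filter` is null and `serialFilter` is not. The inline comment `// Allow replacement of the system-wide filter if not already set` would also read more clearly as `// The initial system-wide filter may be replaced once; a stream-specific filter may not`. Since the wording moves from "process-wide" to "system-wide", it may be worth stating once in the class Javadoc that the scope is the filter returned by `ObjectInputFilter.Config.getSerialFilter()` for the running JVM rather than the host, which is what the old term suggested. The method body continues past the last line shown, so anything after the assignment is not covered here.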