java/io/ObjectInputFilter.java

46  * A filter can be set via {@link ObjectInputStream#setObjectInputFilter setObjectInputFilter}
48  * A filter can be set via {@link Config#setSerialFilter(ObjectInputFilter) Config.setSerialFilter}
49  * to affect every {@code ObjectInputStream} that does not otherwise set a filter.
51  * A filter determines whether the arguments are {@link Status#ALLOWED ALLOWED}
53  * If the filter cannot determine the status it should return
56  * A filter designed for a particular use may be passed a class that is outside
57  * of the scope of the filter. If the purpose of the filter is to black-list classes
59  * A filter may be called with class equals {@code null}, {@code arrayLength} equal -1,
62  * This allows a filter to specific about the choice it is reporting and
66  * Typically, a custom filter should check if a process-wide filter
74  *             // The process-wide filter overrides this filter
100      * during deserialization. The filter returns {@link Status#ALLOWED Status.ALLOWED},
126          * created and to give the filter a chance to check the depth, number of
190      * A utility class to set and get the process-wide filter or create a filter
191      * from a pattern string. If a process-wide filter is set, it will be
192      * used for each {@link ObjectInputStream} that does not set its own filter.
194      * When setting the filter, it should be stateless and idempotent,
197      * The filter is configured during the initialization of the {@code ObjectInputFilter.Config}
200      * to configure the filter.
202      * property {@code jdk.serialFilter} is defined then it is used to configure the filter.
203      * Otherwise, the filter is not configured during initialization.
206      * If a filter is not configured, it can be set with
216          * Lock object for process-wide filter.
235          * The name for the process-wide deserialization filter.
241          * The process-wide filter; may be null.
242          * Lookup the filter in java.security.Security or
258                                     "Creating serialization filter from {0}", props);
263                                         "Error configuring filter: {0}", re);
275          * Current configured filter.
280          * Returns the process-wide serialization filter or {@code null} if not configured.
282          * @return the process-wide serialization filter or {@code null} if not configured
291          * Set the process-wide filter if it has not already been configured or set.
293          * @param filter the serialization filter to set as the process-wide filter; not null
296          * @throws IllegalStateException if the filter has already been set {@code non-null}
298         public static void setSerialFilter(ObjectInputFilter filter) {
299             Objects.requireNonNull(filter, "filter");
306                     throw new IllegalStateException("Serial filter can only be set once");
308                 serialFilter = filter;
346          * The resulting filter performs the limit checks and then
348          * the filter returns {@link Status#REJECTED Status.REJECTED}.
360          * @return a filter to check a class being deserialized;
385          * @return a filter to check a class being deserialized;
395          * the process-wide serialization filter. If configured, it will be
401              * The pattern used to create the filter.
433              * @param checkComponentType true if the filter should check
435              * @return a filter to check a class being deserialized;
451              * Construct a new filter from the pattern String.
454              * @param checkComponentType true if the filter should check
638                         // Find any filter that allowed or rejected the class
642                                 .filter(p -> p != Status.UNDECIDED)
664              * Returns the pattern used to create this filter.
665              * @return the pattern used to create this filter