Class FilteredObjectInputStream

  • All Implemented Interfaces:
    java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

    public class FilteredObjectInputStream
    extends java.io.ObjectInputStream
    Extends ObjectInputStream to only allow some built-in Log4j classes and caller-specified classes to be deserialized.
    Since:
    2.8.2
    • Nested Class Summary

      • Nested classes/interfaces inherited from class java.io.ObjectInputStream

        java.io.ObjectInputStream.GetField
    • Field Summary

      Fields
      Modifier and Type                                 Field                     Description
      private java.util.Collection<java.lang.String>    allowedExtraClasses
      private static java.util.Set<java.lang.String>    REQUIRED_JAVA_CLASSES
      private static java.util.Set<java.lang.String>    REQUIRED_JAVA_PACKAGES
      • Fields inherited from interface java.io.ObjectStreamConstants

        baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
    • Method Summary

      Modifier and Type                         Method                                          Description
      java.util.Collection<java.lang.String>    getAllowedClasses()
      private static boolean                    isAllowedByDefault(java.lang.String name)
      private static boolean                    isRequiredPackage(java.lang.String name)
      protected java.lang.Class<?>              resolveClass(java.io.ObjectStreamClass desc)
      • Methods inherited from class java.io.ObjectInputStream

        available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
      • Methods inherited from class java.io.InputStream

        mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface java.io.ObjectInput

        read, skip
    • Field Detail

      • REQUIRED_JAVA_CLASSES

        private static final java.util.Set<java.lang.String> REQUIRED_JAVA_CLASSES
      • REQUIRED_JAVA_PACKAGES

        private static final java.util.Set<java.lang.String> REQUIRED_JAVA_PACKAGES
      • allowedExtraClasses

        private final java.util.Collection<java.lang.String> allowedExtraClasses
    • Constructor Detail

      • FilteredObjectInputStream

        public FilteredObjectInputStream()
                                  throws java.io.IOException,
                                         java.lang.SecurityException
        Throws:
        java.io.IOException
        java.lang.SecurityException
      • FilteredObjectInputStream

        public FilteredObjectInputStream(java.io.InputStream inputStream)
                                  throws java.io.IOException
        Throws:
        java.io.IOException
      • FilteredObjectInputStream

        public FilteredObjectInputStream(java.util.Collection<java.lang.String> allowedExtraClasses)
                                  throws java.io.IOException,
                                         java.lang.SecurityException
        Throws:
        java.io.IOException
        java.lang.SecurityException
      • FilteredObjectInputStream

        public FilteredObjectInputStream(java.io.InputStream inputStream,
                                         java.util.Collection<java.lang.String> allowedExtraClasses)
                                  throws java.io.IOException
        Throws:
        java.io.IOException
    • Method Detail

      • getAllowedClasses

        public java.util.Collection<java.lang.String> getAllowedClasses()
      • resolveClass

        protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass desc)
                                           throws java.io.IOException,
                                                  java.lang.ClassNotFoundException
        Overrides:
        resolveClass in class java.io.ObjectInputStream
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException
      • isAllowedByDefault

        private static boolean isAllowedByDefault(java.lang.String name)
      • isRequiredPackage

        private static boolean isRequiredPackage(java.lang.String name)