Class HardenedObjectInputStream

  • All Implemented Interfaces:
    java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable
    Direct Known Subclasses:
    HardenedAccessEventInputStream, HardenedLoggingEventInputStream

    public class HardenedObjectInputStream
    extends java.io.ObjectInputStream
    HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. The check is performed in resolveClass(ObjectStreamClass), i.e. when a class descriptor is read from the stream and before any instance of that class is created, so deserialization attacks that rely on the stream naming arbitrary classes (gadget chains) are rejected before their readObject methods can run.

    Classes in the "java.lang" and "java.util" packages are always authorized, whether or not they appear in the whitelist (see JAVA_PACKAGES). The whitelist should therefore be limited to the concrete classes the caller expects to receive. Only class resolution is restricted; this class does not limit the depth or size of the deserialized object graph.
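    The mechanism outlined in the class description, as an added example that is not logback's own code: a stream that overrides resolveClass(ObjectStreamClass) to consult an allow-list before a class is loaded, exercised against one authorized and one unauthorized serializable class. The names AllowListObjectInputStream, Allowed and NotAllowed are this example's own; the trailing-dot package prefixes and the choice of InvalidClassException are the example's decisions, not a statement of how HardenedObjectInputStream implements its check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AllowListDeserializationDemo {

    // Added example in the style of the class described on this page; not logback's code.
    static class AllowListObjectInputStream extends ObjectInputStream {
        // Package prefixes that are always authorized (mirrors the page's java.lang / java.util rule).
        // The trailing dot is this example's choice: it keeps the prefix match on package boundaries.
        static final String[] ALWAYS_AUTHORIZED_PACKAGES = { "java.lang.", "java.util." };
        final List<String> allowedClassNames = new ArrayList<>();

        AllowListObjectInputStream(InputStream in, List<String> allowList) throws IOException {
            super(in);
            allowedClassNames.addAll(allowList);
        }

        // Called for every class descriptor in the stream, before an instance of that class is
        // created, so an unauthorized class is rejected before its readObject() could ever run.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isAllowed(name)) {
                throw new InvalidClassException(name, "class is not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }

        private boolean isAllowed(String name) {
            for (String pkg : ALWAYS_AUTHORIZED_PACKAGES) {
                if (name.startsWith(pkg)) {
                    return true;
                }
            }
            return allowedClassNames.contains(name); // exact match on the fully qualified name
        }
    }

    // Two constructed payload classes: one we expect to receive, one we do not.
    static class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Allowed(String message) { this.message = message; }
        @Override public String toString() { return "Allowed(" + message + ")"; }
    }

    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        // Stand-in for a gadget class: in a real attack this hook would do something harmful.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            throw new IllegalStateException("readObject of NotAllowed ran");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeWithAllowList(byte[] bytes, List<String> allowList)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowList)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> allowList = Arrays.asList(Allowed.class.getName());

        // Authorized class: deserialization proceeds normally (java.lang.String field is always allowed).
        Object ok = deserializeWithAllowList(serialize(new Allowed("hello")), allowList);
        System.out.println("accepted: " + ok);

        // Unauthorized class: rejected in resolveClass, so its readObject() never executes.
        try {
            deserializeWithAllowList(serialize(new NotAllowed()), allowList);
            System.out.println("BUG: NotAllowed was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    Two practical notes on this pattern. Whitelisting by exact class name means array types are not covered: ObjectStreamClass.getName() reports an array of Allowed as "[LAllowListDeserializationDemo$Allowed;", which this example would reject, so add such descriptors explicitly if arrays are legitimately exchanged. On Java 9 and later the JDK offers the same policy through ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;AllowListDeserializationDemo$Allowed;!*")), and that filter can additionally enforce graph depth and size limits (for example "maxdepth=20;maxrefs=1000"), which a resolveClass override alone cannot.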

    Since:
    1.2.0
    • Nested Class Summary

      • Nested classes/interfaces inherited from class java.io.ObjectInputStream

        java.io.ObjectInputStream.GetField
    • Field Summary

      Fields 
      Modifier and Type Field Description
      (package private) static java.lang.String[] JAVA_PACKAGES  
      (package private) java.util.List<java.lang.String> whitelistedClassNames  
      • Fields inherited from interface java.io.ObjectStreamConstants

        baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
    • Method Summary

      Methods
      Modifier and Type Method Description
      protected void addToWhitelist​(java.util.List<java.lang.String> additionalAuthorizedClasses)  
      private boolean isWhitelisted​(java.lang.String incomingClassName)  
      protected java.lang.Class<?> resolveClass​(java.io.ObjectStreamClass anObjectStreamClass)  
      • Methods inherited from class java.io.ObjectInputStream

        available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes
      • Methods inherited from class java.io.InputStream

        mark, markSupported, read, reset, skip
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface java.io.ObjectInput

        read, skip
    • Field Detail

      • whitelistedClassNames

        final java.util.List<java.lang.String> whitelistedClassNames
        Fully qualified names of the classes explicitly authorized for deserialization, in addition to the packages listed in JAVA_PACKAGES.
      • JAVA_PACKAGES

        static final java.lang.String[] JAVA_PACKAGES
        Package names whose classes are always authorized regardless of the whitelist ("java.lang" and "java.util").
    • Constructor Detail

      • HardenedObjectInputStream

        public HardenedObjectInputStream​(java.io.InputStream in,
                                         java.lang.String[] whilelist)
                                  throws java.io.IOException
        Parameters:
        in - the underlying stream to read serialized data from
        whilelist - fully qualified names of the classes authorized for deserialization, in addition to those in JAVA_PACKAGES
        Throws:
        java.io.IOException
      • HardenedObjectInputStream

        public HardenedObjectInputStream​(java.io.InputStream in,
                                         java.util.List<java.lang.String> whitelist)
                                  throws java.io.IOException
        Parameters:
        in - the underlying stream to read serialized data from
        whitelist - fully qualified names of the classes authorized for deserialization, in addition to those in JAVA_PACKAGES
        Throws:
        java.io.IOException
    • Method Detail

      • resolveClass

        protected java.lang.Class<?> resolveClass​(java.io.ObjectStreamClass anObjectStreamClass)
                                           throws java.io.IOException,
                                                  java.lang.ClassNotFoundException
        Resolves the class named by anObjectStreamClass only if isWhitelisted(String) accepts its name; otherwise reading the stream fails with an exception instead of loading the class. This is the single point at which the whitelist is enforced, and it runs before any instance of the class is created.
        Overrides:
        resolveClass in class java.io.ObjectInputStream
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException
      • isWhitelisted

        private boolean isWhitelisted​(java.lang.String incomingClassName)
        Returns true if incomingClassName belongs to one of the packages in JAVA_PACKAGES or matches an entry in whitelistedClassNames, false otherwise.
      • addToWhitelist

        protected void addToWhitelist​(java.util.List<java.lang.String> additionalAuthorizedClasses)
        Adds the given fully qualified class names to whitelistedClassNames. Intended for subclasses (such as HardenedAccessEventInputStream and HardenedLoggingEventInputStream) that need to authorize the additional classes they expect to read.