RichFaces Core Implementation 4.3.5.Final

org.richfaces.util
Class LookAheadObjectInputStream

java.lang.Object
  extended by java.io.InputStream
      extended by java.io.ObjectInputStream
          extended by org.richfaces.util.LookAheadObjectInputStream
All Implemented Interfaces:
Closeable, DataInput, ObjectInput, ObjectStreamConstants

public class LookAheadObjectInputStream
extends ObjectInputStream

When deserializing objects, first check that the class being deserialized is in the whitelist.

Author:
Brian Leathem

Nested Class Summary
 
Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField
 
Field Summary
 
Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
 
Constructor Summary
LookAheadObjectInputStream(InputStream in)
           
 
Method Summary
protected  Class<?> resolveClass(ObjectStreamClass desc)
          Only deserialize primitive or whitelisted classes
 
Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes
 
Methods inherited from class java.io.InputStream
mark, markSupported, read, reset, skip
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface java.io.ObjectInput
read, skip
 

Constructor Detail

LookAheadObjectInputStream

public LookAheadObjectInputStream(InputStream in)
                           throws IOException
Throws:
IOException
Method Detail

resolveClass

protected Class<?> resolveClass(ObjectStreamClass desc)
                         throws IOException,
                                ClassNotFoundException
Only deserialize primitive or whitelisted classes

Overrides:
resolveClass in class ObjectInputStream
Throws:
IOException
ClassNotFoundException

Copyright © 2014 JBoss by Red Hat. All Rights Reserved.