Class ValidatingObjectInputStream
java.lang.Object
java.io.InputStream
java.io.ObjectInputStream
org.apache.commons.io.serialization.ValidatingObjectInputStream
- All Implemented Interfaces:
- Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable
An ObjectInputStream that is restricted to deserializing a limited set of classes. Various accept/reject methods allow for specifying which classes can be deserialized; by default no class is accepted.
Reading safely
Here is the only way to safely read a HashMap of String keys and Integer values:
 // Defining Object fixture
 final HashMap<String, Integer> map1 = new HashMap<>();
 map1.put("1", 1);
 // Writing serialized fixture
 final byte[] byteArray;
 try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
         final ObjectOutputStream oos = new ObjectOutputStream(baos)) {
     oos.writeObject(map1);
     oos.flush();
     byteArray = baos.toByteArray();
 }
 // Reading
 try (ByteArrayInputStream bais = new ByteArrayInputStream(byteArray);
         ValidatingObjectInputStream vois = ValidatingObjectInputStream.builder()
             // Integer's class descriptor also names its superclass Number, so both must be accepted
             .accept(HashMap.class, Number.class, Integer.class)
             .setInputStream(bais)
             .get()) {
     // String.class is automatically accepted
     final HashMap<String, Integer> map2 = (HashMap<String, Integer>) vois.readObject();
     assertEquals(map1, map2);
 }
 // Reusing a configuration
 final ObjectStreamClassPredicate predicate = new ObjectStreamClassPredicate()
     .accept(HashMap.class, Number.class, Integer.class);
 try (ByteArrayInputStream bais = new ByteArrayInputStream(byteArray);
         ValidatingObjectInputStream vois = ValidatingObjectInputStream.builder()
             .setPredicate(predicate)
             .setInputStream(bais)
             .get()) {
     // String.class is automatically accepted
     final HashMap<String, Integer> map2 = (HashMap<String, Integer>) vois.readObject();
     assertEquals(map1, map2);
 }
 Design inspired by an IBM developerWorks article.
- Since:
- 2.5
Nested Class Summary

- Nested classes/interfaces inherited from class java.io.ObjectInputStream: ObjectInputStream.GetField

Field Summary

- Fields inherited from interface java.io.ObjectStreamConstants: baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

- ValidatingObjectInputStream(InputStream input): Deprecated. Use builder(). Constructs an instance to deserialize the specified input stream.

Method Summary

- ValidatingObjectInputStream accept(Class<?>... classes): Accepts the specified classes for deserialization, unless they are otherwise rejected.
- ValidatingObjectInputStream accept(String... patterns): Accepts the wildcard specified classes for deserialization, unless they are otherwise rejected.
- ValidatingObjectInputStream accept(Pattern pattern): Accepts class names that match the supplied pattern for deserialization, unless they are otherwise rejected.
- ValidatingObjectInputStream accept(ClassNameMatcher matcher): Accepts class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.
- static ValidatingObjectInputStream.Builder builder(): Constructs a new ValidatingObjectInputStream.Builder.
- protected void invalidClassNameFound(String className): Called to throw InvalidClassException if an invalid class name is found during deserialization.
- <T> T readObjectCast(): Delegates to ObjectInputStream.readObject() and casts to the generic T.
- ValidatingObjectInputStream reject(Class<?>... classes): Rejects the specified classes for deserialization, even if they are otherwise accepted.
- ValidatingObjectInputStream reject(String... patterns): Rejects the wildcard specified classes for deserialization, even if they are otherwise accepted.
- ValidatingObjectInputStream reject(Pattern pattern): Rejects class names that match the supplied pattern for deserialization, even if they are otherwise accepted.
- ValidatingObjectInputStream reject(ClassNameMatcher matcher): Rejects class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted.
- protected Class<?> resolveClass(ObjectStreamClass osc): Overrides ObjectInputStream.resolveClass.
- Methods inherited from class java.io.ObjectInputStream: available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes
- Methods inherited from class java.io.InputStream: mark, markSupported, read, reset, skip
- Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
- Methods inherited from interface java.io.ObjectInput: read, skip
Constructor Details

ValidatingObjectInputStream

public ValidatingObjectInputStream(InputStream input) throws IOException

Deprecated. Use builder().

Constructs an instance to deserialize the specified input stream. At least one accept method needs to be called to specify which classes can be deserialized, as by default no classes are accepted.

- Parameters:
- input - an input stream
- Throws:
- IOException - if an I/O error occurs while reading stream header

Method Details

builder

public static ValidatingObjectInputStream.Builder builder()

Constructs a new ValidatingObjectInputStream.Builder.

- Returns:
- a new ValidatingObjectInputStream.Builder.
- Since:
- 2.18.0

accept

public ValidatingObjectInputStream accept(Class<?>... classes)

Accepts the specified classes for deserialization, unless they are otherwise rejected. The reject list takes precedence over the accept list.

- Parameters:
- classes - Classes to accept
- Returns:
- this instance.

accept

public ValidatingObjectInputStream accept(ClassNameMatcher matcher)

Accepts class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected. The reject list takes precedence over the accept list.

- Parameters:
- matcher - a class name matcher to accept objects.
- Returns:
- this instance.

accept

public ValidatingObjectInputStream accept(Pattern pattern)

Accepts class names that match the supplied pattern for deserialization, unless they are otherwise rejected. The reject list takes precedence over the accept list.

- Parameters:
- pattern - a Pattern for a compiled regular expression.
- Returns:
- this instance.

accept

public ValidatingObjectInputStream accept(String... patterns)

Accepts the wildcard specified classes for deserialization, unless they are otherwise rejected. The reject list takes precedence over the accept list.

- Parameters:
- patterns - Wildcard file name patterns as defined by FilenameUtils.wildcardMatch.
- Returns:
- this instance.

invalidClassNameFound

protected void invalidClassNameFound(String className) throws InvalidClassException

Called to throw InvalidClassException if an invalid class name is found during deserialization. Can be overridden, for example to log those class names.

- Parameters:
- className - name of the invalid class.
- Throws:
- InvalidClassException - Thrown with a message containing the class name.

readObjectCast

public <T> T readObjectCast() throws ClassNotFoundException, IOException

Delegates to ObjectInputStream.readObject() and casts to the generic T.

- Type Parameters:
- T - The return type.
- Returns:
- Result from ObjectInputStream.readObject().
- Throws:
- ClassNotFoundException - Thrown by ObjectInputStream.readObject().
- IOException - Thrown by ObjectInputStream.readObject().
- ClassCastException - Thrown when ObjectInputStream.readObject() does not match T.
- Since:
- 2.18.0

reject

public ValidatingObjectInputStream reject(Class<?>... classes)

Rejects the specified classes for deserialization, even if they are otherwise accepted. The reject list takes precedence over the accept list.

- Parameters:
- classes - Classes to reject.
- Returns:
- this instance.

reject

public ValidatingObjectInputStream reject(ClassNameMatcher matcher)

Rejects class names where the supplied ClassNameMatcher matches for deserialization, even if they are otherwise accepted. The reject list takes precedence over the accept list.

- Parameters:
- matcher - a class name matcher to reject objects.
- Returns:
- this instance.

reject

public ValidatingObjectInputStream reject(Pattern pattern)

Rejects class names that match the supplied pattern for deserialization, even if they are otherwise accepted. The reject list takes precedence over the accept list.

- Parameters:
- pattern - a Pattern for a compiled regular expression.
- Returns:
- this instance.

reject

public ValidatingObjectInputStream reject(String... patterns)

Rejects the wildcard specified classes for deserialization, even if they are otherwise accepted. The reject list takes precedence over the accept list.

- Parameters:
- patterns - An array of wildcard file name patterns as defined by FilenameUtils.wildcardMatch
- Returns:
- this instance.
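The accept and reject methods above compose into a single policy, and the page states twice that the reject list wins. The following is an added example, not Commons IO's own code, that runs one such policy against three constructed payloads: a HashMap the policy allows, an ArrayList that a wildcard accept would admit but an explicit reject blocks, and an application class the policy never names, which the default-deny behaviour refuses. It assumes commons-io 2.18.0 or later on the classpath (for the Builder API used in the class description), that the Builder's reject(Class...) mirrors the instance method documented above, and it uses a constructed Note class and a caller-supplied log list as stand-ins for real application types and real logging.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

import org.apache.commons.io.serialization.ValidatingObjectInputStream;

/**
 * Added example (not part of Commons IO): one deserialization policy applied to three
 * payloads, showing default-deny and that reject takes precedence over accept.
 */
public class DeserializationPolicyDemo {

    /** Constructed stand-in for an application class the policy never lists. */
    static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;

        Note(final String text) {
            this.text = text;
        }
    }

    /** Serializes a fixture; in practice these bytes would arrive from an untrusted peer. */
    static byte[] serialize(final Serializable value) throws IOException {
        try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(value);
            oos.flush();
            return baos.toByteArray();
        }
    }

    /**
     * Reads one object under a fixed policy. Returns the object, or null when the stream
     * named a class outside the policy; the InvalidClassException message (which carries
     * the class name) is recorded first so the refused attempt is visible in logs.
     */
    static Object readUnderPolicy(final byte[] data, final List<String> rejectedLog)
            throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream vois = ValidatingObjectInputStream.builder()
                // Integer's class descriptor also names its superclass Number, so both are
                // needed; String is accepted automatically.
                .accept(HashMap.class, Number.class, Integer.class)
                // Wildcard accept (FilenameUtils.wildcardMatch semantics): anything in java.util
                .accept("java.util.*")
                // ...except ArrayList. Reject wins over accept, so the wildcard does not reopen it.
                .reject(ArrayList.class)
                .setInputStream(new ByteArrayInputStream(data))
                .get()) {
            // resolveClass() checks every class descriptor before any object is instantiated
            return vois.readObject();
        } catch (final InvalidClassException e) {
            rejectedLog.add(e.getMessage());
            return null;
        }
    }

    public static void main(final String[] args) throws Exception {
        final List<String> rejected = new ArrayList<>();

        // Allowed: HashMap, Integer and Number are all on the accept list.
        final HashMap<String, Integer> map = new HashMap<>();
        map.put("1", 1);
        final Object ok = readUnderPolicy(serialize(map), rejected);

        // Blocked: java.util.ArrayList matches the wildcard but is explicitly rejected.
        final ArrayList<Integer> list = new ArrayList<>(List.of(1, 2, 3));
        final Object blockedList = readUnderPolicy(serialize(list), rejected);

        // Blocked: DeserializationPolicyDemo$Note is never accepted (default deny).
        final Object blockedNote = readUnderPolicy(serialize(new Note("x")), rejected);

        System.out.println("map read back intact: " + map.equals(ok));
        System.out.println("list blocked: " + (blockedList == null));
        System.out.println("note blocked: " + (blockedNote == null));
        rejected.forEach(m -> System.out.println("rejected -> " + m));
    }
}
```

Two points are worth noting when adapting this. First, the check happens in resolveClass(), which runs when the class descriptor is read, so a refused class is never loaded or instantiated; this is what makes the allow-list a meaningful control rather than a post-hoc filter. Second, because wildcardMatch does not treat the dot as a separator, a pattern such as "java.util.*" admits every class under that package, which is why pairing a broad accept with targeted rejects, as above, is the more defensible shape than a broad accept alone.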
 
resolveClass

protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException

- Overrides:
- resolveClass in class ObjectInputStream
- Throws:
- IOException
- ClassNotFoundException