- Enclosing interface:
ObjectInputFilter
ObjectInputFilter
.
The JVM-wide deserialization filter factory and the static JVM-wide filter
can be configured from system properties during the initialization of the
ObjectInputFilter.Config
class.
If the Java virtual machine is started with the system property
jdk.serialFilter
, its value is used to configure the filter.
If the system property is not defined, and the Security
property
jdk.serialFilter
is defined then it is used to configure the filter.
The filter is created as if createFilter
is called,
if the filter string is invalid the initialization fails and subsequent attempts to
get the filter, set a filter,
or create an ObjectInputStream
throw IllegalStateException
. Deserialization is not possible with an
invalid serial filter.
If the system property jdk.serialFilter
or the Security
property jdk.serialFilter
is not set the filter can be set with
Config.setSerialFilter
.
Setting the jdk.serialFilter
with System.setProperty
does not set the filter.
The syntax for the property value is the same as for the
createFilter
method.
If the Java virtual machine is started with the system property
jdk.serialFilterFactory
or the Security
property
of the same name, its value names the class to configure the JVM-wide deserialization
filter factory.
If the system property is not defined, and the Security
property
jdk.serialFilterFactory
is defined then it is used to configure the filter factory.
If it remains unset, the filter factory is a builtin filter factory compatible
with previous versions.
The class must be public, must have a public zero-argument constructor, implement the
BinaryOperator<ObjectInputFilter>
interface, provide its implementation and
be accessible via the application class loader.
If the filter factory constructor is not invoked successfully subsequent attempts to
get the factory,
set the factory, or create an
ObjectInputStream
throw IllegalStateException
. Deserialization is not possible with an
invalid serial filter factory.
The filter factory configured using the system or security property during initialization
can NOT be replaced with Config.setSerialFilterFactory
.
This ensures that a filter factory set on the command line is not overridden accidentally
or intentionally by the application.
Setting the jdk.serialFilterFactory
with System.setProperty
does not set the filter factory.
The syntax for the system property value and security property value is the
fully qualified class name of the deserialization filter factory.
- Since:
- 9
-
Method Summary
Modifier and TypeMethodDescriptionstatic ObjectInputFilter
createFilter
(String pattern) Returns an ObjectInputFilter from a string of patterns.static ObjectInputFilter
Returns the static JVM-wide deserialization filter ornull
if not configured.static BinaryOperator
<ObjectInputFilter> Returns the JVM-wide deserialization filter factory.static void
setSerialFilter
(ObjectInputFilter filter) Set the static JVM-wide filter if it has not already been configured or set.static void
setSerialFilterFactory
(BinaryOperator<ObjectInputFilter> filterFactory)
-
Method Details
-
getSerialFilter
Returns the static JVM-wide deserialization filter ornull
if not configured.- Returns:
- the static JVM-wide deserialization filter or
null
if not configured - Throws:
IllegalStateException
- if the initialization of the filter from the system propertyjdk.serialFilter
or the security propertyjdk.serialFilter
fails.
-
setSerialFilter
Set the static JVM-wide filter if it has not already been configured or set.- Parameters:
filter
- the deserialization filter to set as the JVM-wide filter; not null- Throws:
SecurityException
- if there is security manager and theSerializablePermission("serialFilter")
is not grantedIllegalStateException
- if the filter has already been set or the initialization of the filter from the system propertyjdk.serialFilter
or the security propertyjdk.serialFilter
fails.
-
getSerialFilterFactory
Returns the JVM-wide deserialization filter factory. If the filter factory has been set it is returned, otherwise, a builtin deserialization filter factory is returned. The filter factory provides a filter for every ObjectInputStream when invoked from ObjectInputStream constructors and when a stream-specific filter is set withsetObjectInputFilter
.- Implementation Requirements:
- The builtin deserialization filter factory provides the
static JVM-wide filter when invoked from
ObjectInputStream constructors.
When invoked
to set the stream-specific filter
the requested filter replaces the static JVM-wide filter, unless it has already been set. The builtin deserialization filter factory implements the behavior of earlier versions of setting the initial filter in theObjectInputStream
constructor andObjectInputStream.setObjectInputFilter(java.io.ObjectInputFilter)
. - Returns:
- the JVM-wide deserialization filter factory; non-null
- Throws:
IllegalStateException
- if the filter factory initialization is incomplete- Since:
- 17
-
setSerialFilterFactory
Set the JVM-wide deserialization filter factory. The filter factory can be configured exactly once with one of: setting thejdk.serialFilterFactory
property on the command line, setting thejdk.serialFilterFactory
property in theSecurity
file, or using thissetSerialFilterFactory
method. The filter factory can be set only before anyObjectInputStream
has been created to avoid any inconsistency in which filter factory is being used.The JVM-wide filter factory is invoked when an ObjectInputStream is constructed and when the stream-specific filter is set. The parameters are the current filter and a requested filter and it returns the filter to be used for the stream. If the current filter is
non-null
, the filter factory must return anon-null
filter; this is to prevent unintentional disabling of filtering after it has been enabled. The factory determines the filter to be used forObjectInputStream
streams based on its inputs, any other filters, context, or state that is available. The factory may throw runtime exceptions to signal incorrect use or invalid parameters. See the filter models for examples of composition and delegation.- Parameters:
filterFactory
- the deserialization filter factory to set as the JVM-wide filter factory; not null- Throws:
IllegalStateException
- if the builtin deserialization filter factory has already been replaced or any instance ofObjectInputStream
has been created.SecurityException
- if there is security manager and theSerializablePermission("serialFilter")
is not granted- Since:
- 17
-
createFilter
Returns an ObjectInputFilter from a string of patterns.Patterns are separated by ";" (semicolon). Whitespace is significant and is considered part of the pattern. If a pattern includes an equals assignment, "
=
" it sets a limit. If a limit appears more than once the last value is used.- maxdepth=
value
- the maximum depth of a graph - maxrefs=
value
- the maximum number of internal references - maxbytes=
value
- the maximum number of bytes in the input stream - maxarray=
value
- the maximum array length allowed
Other patterns match or reject class or package name as returned from
Class.getName()
and if an optional module name is presentclass.getModule().getName()
. Note that for arrays the element type is used in the pattern, not the array type.- If the pattern starts with "!", the class is rejected if the remaining pattern is matched; otherwise the class is allowed if the pattern matches.
- If the pattern contains "/", the non-empty prefix up to the "/" is the module name; if the module name matches the module name of the class then the remaining pattern is matched with the class name. If there is no "/", the module name is not compared.
- If the pattern ends with ".**" it matches any class in the package and all subpackages.
- If the pattern ends with ".*" it matches any class in the package.
- If the pattern ends with "*", it matches any class with the pattern as a prefix.
- If the pattern is equal to the class name, it matches.
- Otherwise, the pattern is not matched.
The resulting filter performs the limit checks and then tries to match the class, if any. If any of the limits are exceeded, the filter returns
Status.REJECTED
. If the class is an array type, the class to be matched is the element type. Arrays of any number of dimensions are treated the same as the element type. For example, a pattern of "!example.Foo
", rejects creation of any instance or array ofexample.Foo
. The first pattern that matches, working from left to right, determines theStatus.ALLOWED
orStatus.REJECTED
result. If the limits are not exceeded and no pattern matches the class, the result isStatus.UNDECIDED
.- Parameters:
pattern
- the pattern string to parse; not null- Returns:
- a filter to check a class being deserialized;
null
if no patterns - Throws:
IllegalArgumentException
- if the pattern string is illegal or malformed and cannot be parsed. In particular, if any of the following is true:- if a limit is missing the name or the name is not one of "maxdepth", "maxrefs", "maxbytes", or "maxarray"
- if the value of the limit can not be parsed by
Long.parseLong
or is negative - if the pattern contains "/" and the module name is missing or the remaining pattern is empty
- if the package is missing for ".*" and ".**"
- maxdepth=
-