@Override @Before public void setup() throws IOException { original = new MoreComplexObject(); final ByteArrayOutputStream bos = willClose(new ByteArrayOutputStream()); final ObjectOutputStream oos = willClose(new ObjectOutputStream(bos)); oos.writeObject(original); inputStream = willClose(new ByteArrayInputStream(bos.toByteArray())); }
/** Trusting java.lang.* and the array variants of that means we have * to define a number of accept classes explicitly. Quite safe but * might become a bit verbose. */ @Test public void trustJavaLang() throws IOException, ClassNotFoundException { assertSerialization(willClose( new ValidatingObjectInputStream(inputStream) .accept(MoreComplexObject.class, ArrayList.class, Random.class) .accept("java.lang.*","[Ljava.lang.*") )); }
/** Trusting java.* is probably reasonable and avoids having to be too * detailed in the accepts. */ @Test public void trustJavaIncludingArrays() throws IOException, ClassNotFoundException { assertSerialization(willClose( new ValidatingObjectInputStream(inputStream) .accept(MoreComplexObject.class) .accept("java.*","[Ljava.*") )); }
/** Here we accept everything but reject specific classes, using a pure * blacklist mode. * * That's not as safe as it's hard to get an exhaustive blacklist, but * might be ok in controlled environments. */ @Test public void useBlacklist() throws IOException, ClassNotFoundException { final String [] blacklist = { "org.apache.commons.collections.functors.InvokerTransformer", "org.codehaus.groovy.runtime.ConvertedClosure", "org.codehaus.groovy.runtime.MethodClosure", "org.springframework.beans.factory.ObjectFactory" }; assertSerialization(willClose( new ValidatingObjectInputStream(inputStream) .accept("*") .reject(blacklist) )); } }