// Excerpt of an XStream type-whitelist setup. Every call below widens the set of types
// the instance accepts; nothing in this excerpt narrows it again.

// Arrays and interface types are admitted through the two predefined permissions.
xstream.addPermission(ArrayTypePermission.ARRAYS);
xstream.addPermission(InterfaceTypePermission.INTERFACES);

// allowTypeHierarchy(X) admits X and every type assignable to X, so each entry covers all
// subclasses or implementations present on the classpath, not only the JDK's own.
xstream.allowTypeHierarchy(Calendar.class);
xstream.allowTypeHierarchy(Collection.class);
xstream.allowTypeHierarchy(Map.class);
xstream.allowTypeHierarchy(Map.Entry.class);
xstream.allowTypeHierarchy(Member.class);
xstream.allowTypeHierarchy(Number.class);
xstream.allowTypeHierarchy(Throwable.class);
xstream.allowTypeHierarchy(TimeZone.class);

// NOTE(review): `type` is assigned outside this excerpt; the two identical calls presumably
// follow two different assignments in the original source -- confirm there.
xstream.allowTypeHierarchy(type);
xstream.allowTypeHierarchy(type);

// java.time classes are resolved by name instead of by class literal -- presumably so this
// code still loads on runtimes without java.time (TODO confirm; also confirm how a failed
// lookup is handled, since the result is passed on unchecked here).
// `types` is declared outside this excerpt; presumably it is handed to allowTypes(...) later.
xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
types.add(JVM.loadClassForName("java.time.Duration"));
types.add(JVM.loadClassForName("java.time.Instant"));
types.add(JVM.loadClassForName("java.time.YearMonth"));
types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
types.add(JVM.loadClassForName("java.time.chrono.Ser"));
xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
// Whitelist three type hierarchies: each call admits the named type and everything
// assignable to it.
xs.allowTypeHierarchy(Info.class);
xs.allowTypeHierarchy(Multimap.class);
xs.allowTypeHierarchy(JAIInfo.class);
// allowTypes admits exactly the listed classes, without their subtypes.
xs.allowTypes(new Class[] {DynamicProxyMapper.DynamicProxy.class});
// Named by string rather than class literal -- presumably because the nested JDK class
// cannot be referenced from this code (TODO confirm).
xs.allowTypes(new String[] {"java.util.Collections$SingletonList"});
/**
 * Registers the dynamic default-values types with the persister and whitelists them on
 * the persister's XStream instance.
 *
 * @param persister persister whose XStream receives the alias and the type permissions
 */
@Override
public void init(XStreamPersister persister) {
    persister.registerBreifMapComplexType(
            "DynamicDefaultValues", DefaultValueConfigurations.class);

    final XStream xstream = persister.getXStream();

    // Whitelist only the two configuration hierarchies this extension contributes.
    xstream.allowTypeHierarchy(org.geoserver.wms.dimension.DefaultValueConfiguration.class);
    xstream.allowTypeHierarchy(org.geoserver.wms.dimension.DefaultValueConfigurations.class);

    xstream.alias("configuration", DefaultValueConfiguration.class);
}
} // closes the enclosing class, whose header is not part of this excerpt
/**
 * Registers the OSEO aliases and the allowed types on the persister's XStream.
 *
 * @param xp persister whose underlying XStream instance is configured
 */
public static void initXStreamPersister(XStreamPersister xp) {
    final XStream xstream = xp.getXStream();

    // Only the ProductClass hierarchy is whitelisted here.
    // NOTE(review): OSEOInfo/OSEOInfoImpl are aliased below but not whitelisted in this
    // method; presumably they are permitted elsewhere -- confirm.
    xstream.allowTypeHierarchy(ProductClass.class);

    xstream.alias("productClass", ProductClass.class, ProductClass.class);
    xstream.alias("oseo", OSEOInfo.class, OSEOInfoImpl.class);
}
/**
 * Creates an uninitialized catalog that serializes tile layer info with the supplied
 * XStream.
 *
 * <p>The supplied XStream is not copied: the permissions added here are applied to the
 * caller's instance, so every other user of that instance sees the widened whitelist.
 *
 * @param resourceLoader loader stored for later use by the catalog
 * @param configuredXstream pre-configured XStream; its whitelist is extended in place
 * @throws IOException declared by the constructor; nothing in this body throws it directly
 */
DefaultTileLayerCatalog(GeoServerResourceLoader resourceLoader, XStream configuredXstream)
        throws IOException {
    this.resourceLoader = resourceLoader;
    this.baseDirectory = LAYERINFO_DIRECTORY;
    this.layersById = new ConcurrentHashMap<>();
    this.layersByName = new ConcurrentHashMap<>();
    this.initialized = false;
    this.serializer = configuredXstream;

    // XStream security for the classes this catalog persists: the tile layer info
    // hierarchy, plus one JDK collection class by exact name.
    configuredXstream.allowTypeHierarchy(GeoServerTileLayerInfo.class);
    // UnmodifiableSet is private, so it can only be named as a string.
    final String[] unmodifiableSet = {"java.util.Collections$UnmodifiableSet"};
    configuredXstream.allowTypes(unmodifiableSet);
}
/**
 * Applies the GeoWebCache type whitelist, serialization mode and aliases to an XStream.
 *
 * @param xs instance to configure; it is modified in place
 * @return the same instance that was passed in
 */
private static XStream getConfiguredXStream(XStream xs) {
    // Restrict which classes may be serialized/deserialized: allowing arbitrary classes
    // to be deserialized is a security issue.

    // Any implementation of these extension points is accepted.
    xs.allowTypeHierarchy(org.geowebcache.layer.TileLayer.class);
    xs.allowTypeHierarchy(org.geowebcache.filter.parameters.ParameterFilter.class);
    xs.allowTypeHierarchy(org.geowebcache.filter.request.RequestFilter.class);
    xs.allowTypeHierarchy(org.geowebcache.config.BlobStoreInfo.class);
    xs.allowTypeHierarchy(TileLayerConfiguration.class);

    // Everything under the GWC package tree is accepted as well. This is the widest entry
    // in the list: every class in org.geowebcache and its sub-packages is deserializable.
    // TODO: replace this with a more narrow whitelist
    final String[] gwcPackages = {"org.geowebcache.**"};
    xs.allowTypesByWildcard(gwcPackages);

    xs.setMode(XStream.NO_REFERENCES);

    // Root element and its namespace attributes.
    xs.alias("gwcConfiguration", GeoWebCacheConfiguration.class);
    xs.useAttributeFor(GeoWebCacheConfiguration.class, "xmlns_xsi");
    xs.aliasField("xmlns:xsi", GeoWebCacheConfiguration.class, "xmlns_xsi");
    xs.useAttributeFor(GeoWebCacheConfiguration.class, "xmlns");

    xs.alias("wmsRasterFilterUpdate", WMSRasterFilterUpdate.class);

    return xs;
}
/**
 * Creates a serializer whose XStream starts from a deny-all policy and then admits
 * {@code String} plus every type that is later registered through {@code aliasType}.
 *
 * @param postProcess stored in the {@code postProcess} field
 * @param projectDescriptorVersionConverter stored for converting between descriptor versions
 */
public BaseProjectDescriptorSerializer(boolean postProcess,
        ObjectVersionConverter<ProjectDescriptor, T> projectDescriptorVersionConverter) {
    xstream = new XStream(new DomDriver()) {
        @Override
        public void aliasType(String alias, Class aliasedType) {
            super.aliasType(alias, aliasedType);
            // Aliasing doubles as whitelisting: the aliased type and everything assignable
            // to it become deserializable. Aliasing a broad supertype or interface
            // therefore widens the whitelist to all of its implementations.
            allowTypeHierarchy(aliasedType);
        }
    };

    // Deny everything first, then open up String; order matters for these two calls.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.allowTypeHierarchy(String.class);

    this.postProcess = postProcess;
    this.projectDescriptorVersionConverter = projectDescriptorVersionConverter;
}
/**
 * Creates a serializer whose XStream starts from a deny-all policy and then admits
 * {@code String} plus every type that is later registered through {@code aliasType}.
 *
 * @param rulesDeployVersionConverter stored for converting between RulesDeploy versions
 */
public BaseRulesDeploySerializer(
        ObjectVersionConverter<RulesDeploy, T> rulesDeployVersionConverter) {
    this.rulesDeployVersionConverter = rulesDeployVersionConverter;

    xstream = new XStream(new DomDriver()) {
        @Override
        public void aliasType(String alias, Class aliasedType) {
            super.aliasType(alias, aliasedType);
            // Aliasing doubles as whitelisting: the aliased type and everything assignable
            // to it become deserializable. Aliasing a broad supertype or interface
            // therefore widens the whitelist to all of its implementations.
            allowTypeHierarchy(aliasedType);
        }
    };

    // Deny everything first, then open up String; order matters for these two calls.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.allowTypeHierarchy(String.class);
}
/**
 * Builds a StAX-backed XStream that accepts the default-security types plus the
 * hierarchies of the annotated model classes in {@code ALL_XSTREAM_TYPES}.
 *
 * @return the configured instance
 */
public static XStream createXStream() {
    final XStream configured = new XStream(new StaxDriver());

    // Default hardening of the permitted types.
    // NOTE(review): newer XStream releases deprecate setupDefaultSecurity because the
    // whitelist became the default -- confirm against the XStream version in use.
    XStream.setupDefaultSecurity(configured);

    configured.setClassLoader(FindBugsFilter.class.getClassLoader());

    for (Class<?> annotatedModel : ALL_XSTREAM_TYPES) {
        configured.processAnnotations(annotatedModel);
        // Build the whitelist from the model classes: each one is admitted together with
        // everything assignable to it.
        configured.allowTypeHierarchy(annotatedModel);
    }

    return configured;
}
/**
 * Builds an XStream whose type whitelist follows the package settings exposed by
 * {@code ClassLoadingAwareObjectInputStream}.
 *
 * @return the configured instance
 */
public static XStream createXStream() {
    final XStream xstream = new XStream();

    // Start from deny-all, then admit primitives, String and the collection hierarchies.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypes(new Class[]{String.class});
    xstream.allowTypeHierarchy(Map.class);
    xstream.allowTypeHierarchy(Collection.class);

    if (!ClassLoadingAwareObjectInputStream.isAllAllowed()) {
        // One wildcard per configured package; ".**" also covers its sub-packages.
        for (String allowedPackage : ClassLoadingAwareObjectInputStream.serializablePackages) {
            final String pattern = allowedPackage + ".**";
            xstream.allowTypesByWildcard(new String[]{pattern});
        }
    } else {
        // "All allowed" switches the whitelist off entirely: from here on any class on
        // the classpath can be named in incoming XML. Deployments that receive untrusted
        // messages should keep isAllAllowed() false and list packages instead.
        xstream.addPermission(AnyTypePermission.ANY);
    }

    return xstream;
}
/**
 * Creates a serializer whose XStream starts from a deny-all policy and then admits
 * {@code String} plus every type that is later registered through {@code aliasType}.
 *
 * @param rulesDeployVersionConverter stored for converting between RulesDeploy versions
 */
public BaseRulesDeploySerializer(
        ObjectVersionConverter<RulesDeploy, T> rulesDeployVersionConverter) {
    this.rulesDeployVersionConverter = rulesDeployVersionConverter;

    xstream = new XStream(new DomDriver()) {
        @Override
        public void aliasType(String alias, Class aliasedType) {
            super.aliasType(alias, aliasedType);
            // Aliasing doubles as whitelisting: the aliased type and everything assignable
            // to it become deserializable. Aliasing a broad supertype or interface
            // therefore widens the whitelist to all of its implementations.
            allowTypeHierarchy(aliasedType);
        }
    };

    // Deny everything first, then open up String; order matters for these two calls.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.allowTypeHierarchy(String.class);
}
/**
 * Creates a serializer whose XStream starts from a deny-all policy and then admits
 * {@code String} plus every type that is later registered through {@code aliasType}.
 *
 * @param postProcess stored in the {@code postProcess} field
 * @param projectDescriptorVersionConverter stored for converting between descriptor versions
 */
public BaseProjectDescriptorSerializer(boolean postProcess,
        ObjectVersionConverter<ProjectDescriptor, T> projectDescriptorVersionConverter) {
    xstream = new XStream(new DomDriver()) {
        @Override
        public void aliasType(String alias, Class aliasedType) {
            super.aliasType(alias, aliasedType);
            // Aliasing doubles as whitelisting: the aliased type and everything assignable
            // to it become deserializable. Aliasing a broad supertype or interface
            // therefore widens the whitelist to all of its implementations.
            allowTypeHierarchy(aliasedType);
        }
    };

    // Deny everything first, then open up String; order matters for these two calls.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.allowTypeHierarchy(String.class);

    this.postProcess = postProcess;
    this.projectDescriptorVersionConverter = projectDescriptorVersionConverter;
}
/**
 * Builds an XStream whose type whitelist follows the package settings exposed by
 * {@code ClassLoadingAwareObjectInputStream}.
 *
 * @return the configured instance
 */
public static XStream createXStream() {
    final XStream xstream = new XStream();

    // Start from deny-all, then admit primitives, String and the collection hierarchies.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypes(new Class[]{String.class});
    xstream.allowTypeHierarchy(Map.class);
    xstream.allowTypeHierarchy(Collection.class);

    if (!ClassLoadingAwareObjectInputStream.isAllAllowed()) {
        // One wildcard per configured package; ".**" also covers its sub-packages.
        for (String allowedPackage : ClassLoadingAwareObjectInputStream.serializablePackages) {
            final String pattern = allowedPackage + ".**";
            xstream.allowTypesByWildcard(new String[]{pattern});
        }
    } else {
        // "All allowed" switches the whitelist off entirely: from here on any class on
        // the classpath can be named in incoming XML. Deployments that receive untrusted
        // messages should keep isAllAllowed() false and list packages instead.
        xstream.addPermission(AnyTypePermission.ANY);
    }

    return xstream;
}
/**
 * Builds an XStream whose type whitelist follows the package settings exposed by
 * {@code ClassLoadingAwareObjectInputStream}.
 *
 * @return the configured instance
 */
public static XStream createXStream() {
    final XStream xstream = new XStream();

    // Start from deny-all, then admit primitives, String and the collection hierarchies.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypes(new Class[]{String.class});
    xstream.allowTypeHierarchy(Map.class);
    xstream.allowTypeHierarchy(Collection.class);

    if (!ClassLoadingAwareObjectInputStream.isAllAllowed()) {
        // One wildcard per configured package; ".**" also covers its sub-packages.
        for (String allowedPackage : ClassLoadingAwareObjectInputStream.serializablePackages) {
            final String pattern = allowedPackage + ".**";
            xstream.allowTypesByWildcard(new String[]{pattern});
        }
    } else {
        // "All allowed" switches the whitelist off entirely: from here on any class on
        // the classpath can be named in incoming XML. Deployments that receive untrusted
        // messages should keep isAllAllowed() false and list packages instead.
        xstream.addPermission(AnyTypePermission.ANY);
    }

    return xstream;
}
/**
 * Creates the serializer and configures its XStream: a deny-all policy opened up for
 * {@code String} and the three RulesDeploy types, followed by the XML aliases.
 */
public XmlRulesDeploySerializer() {
    xstream = new XStream(new DomDriver());

    // Security: deny everything, then whitelist exactly the types this descriptor uses.
    // The deny-all permission has to come first.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.allowTypeHierarchy(String.class);
    xstream.allowTypeHierarchy(RulesDeploy.PublisherType.class);
    xstream.allowTypeHierarchy(RulesDeploy.class);
    xstream.allowTypeHierarchy(RulesDeploy.WildcardPattern.class);

    // General behaviour: no reference tracking, tolerate unknown elements, skip the logger.
    xstream.setMode(XStream.NO_REFERENCES);
    xstream.ignoreUnknownElements();
    xstream.omitField(RulesDeploy.class, "log");

    // Element names for the three types.
    xstream.aliasType("publisher", RulesDeploy.PublisherType.class);
    xstream.aliasType(RULES_DEPLOY_DESCRIPTOR_TAG, RulesDeploy.class);
    xstream.aliasType(MODULE_NAME, RulesDeploy.WildcardPattern.class);

    // Field mappings; the pattern value is written as a "name" attribute.
    xstream.useAttributeFor(RulesDeploy.WildcardPattern.class, "value");
    xstream.aliasField("name", RulesDeploy.WildcardPattern.class, "value");
    xstream.aliasField(LAZY_MODULES_FOR_COMPILATION, RulesDeploy.class,
            "lazyModulesForCompilationPatterns");
}
/**
 * Creates the serializer and configures its XStream: a deny-all policy opened up for
 * {@code String} and the three RulesDeploy types, followed by the XML aliases.
 */
public XmlRulesDeploySerializer() {
    xstream = new XStream(new DomDriver());

    // Security: deny everything, then whitelist exactly the types this descriptor uses.
    // The deny-all permission has to come first.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.allowTypeHierarchy(String.class);
    xstream.allowTypeHierarchy(RulesDeploy.PublisherType.class);
    xstream.allowTypeHierarchy(RulesDeploy.class);
    xstream.allowTypeHierarchy(RulesDeploy.WildcardPattern.class);

    // General behaviour: no reference tracking, tolerate unknown elements, skip the logger.
    xstream.setMode(XStream.NO_REFERENCES);
    xstream.ignoreUnknownElements();
    xstream.omitField(RulesDeploy.class, "log");

    // Element names for the three types.
    xstream.aliasType("publisher", RulesDeploy.PublisherType.class);
    xstream.aliasType(RULES_DEPLOY_DESCRIPTOR_TAG, RulesDeploy.class);
    xstream.aliasType(MODULE_NAME, RulesDeploy.WildcardPattern.class);

    // Field mappings; the pattern value is written as a "name" attribute.
    xstream.useAttributeFor(RulesDeploy.WildcardPattern.class, "value");
    xstream.aliasField("name", RulesDeploy.WildcardPattern.class, "value");
    xstream.aliasField(LAZY_MODULES_FOR_COMPILATION, RulesDeploy.class,
            "lazyModulesForCompilationPatterns");
}
// Admits every class that implements Serializable. That covers a very large share of the
// classpath, so this single entry is far wider than a per-model whitelist and leaves
// little restriction on which types incoming XML can name.
// NOTE(review): consider whitelisting the entity base type or package instead -- confirm
// what the import format actually needs.
xStream.allowTypeHierarchy(Serializable.class);
// Leave these two BaseGenericIdEntity fields out of XStream's field processing.
xStream.omitField(BaseGenericIdEntity.class, "createTs");
xStream.omitField(BaseGenericIdEntity.class, "createdBy");
/**
 * Creates the XStream used by this class: a {@code CubaXStream} with the default
 * security setup, the {@code Serializable} hierarchy allowed and two legacy fields omitted.
 *
 * @return the configured instance
 */
protected XStream createXStream() {
    final XStream xs = new CubaXStream();

    XStream.setupDefaultSecurity(xs);
    // Admits every class that implements Serializable. That covers a very large share of
    // the classpath, so this entry largely cancels the restriction applied just above.
    // NOTE(review): consider whitelisting the entity base type or package instead --
    // confirm what the import format actually needs.
    xs.allowTypeHierarchy(Serializable.class);

    // createTs and createdBy were removed from BaseGenericIdEntity, and imports from old
    // versions (platform 6.2) fail on them, so processing of both fields is omitted.
    for (String legacyField : new String[] {"createTs", "createdBy"}) {
        xs.omitField(BaseGenericIdEntity.class, legacyField);
    }

    return xs;
}
// Whitelist four type hierarchies: each call admits the named type and every type
// assignable to it. Whether these are interfaces, abstract classes or concrete classes is
// not visible in this excerpt, so the effective breadth depends on their declarations.
xs.allowTypeHierarchy(TransformChain.class);
xs.allowTypeHierarchy(DataFormat.class);
xs.allowTypeHierarchy(ImportData.class);
xs.allowTypeHierarchy(ImportTransform.class);
new NumberRangeConverter(xs.getMapper(), xs.getReflectionProvider())); xs.allowTypeHierarchy(ProcessGroupInfo.class); xs.allowTypeHierarchy(WPSInputValidator.class);