/**
 * Checks that a regular-expression reject rule wins over an explicit accept
 * of {@code MockSerializedClass}: the read is expected to fail with
 * {@link InvalidClassException}.
 *
 * <p>{@code "org.*"} is compiled as a regex here, so the dot is unescaped and
 * matches any character, not only a package separator.
 */
@Test(expected = InvalidClassException.class)
public void rejectPattern() throws Exception {
    // NOTE(review): presumably testStream carries a serialized MockSerializedClass
    // whose class name starts with "org" -- confirm against the fixture setup.
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(testStream);
    assertSerialization(
            willClose(unfiltered)
                    .accept(MockSerializedClass.class)
                    .reject(Pattern.compile("org.*")));
}
/**
 * Configures only a reject rule (for {@code Integer}) and no accept rule, and
 * expects the read to fail with {@link InvalidClassException}.
 *
 * <p>NOTE(review): assuming testStream holds a MockSerializedClass, this pins
 * default-deny behaviour: a class that no accept rule matches is refused even
 * though no reject rule names it -- confirm against the stream implementation.
 */
@Test(expected = InvalidClassException.class)
public void rejectOnly() throws Exception {
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(testStream);
    assertSerialization(willClose(unfiltered).reject(Integer.class));
}
/**
 * Accepts and rejects {@code MockSerializedClass} on the same stream and
 * expects {@link InvalidClassException}, i.e. a reject rule takes precedence
 * over an accept rule for the same class.
 */
@Test(expected = InvalidClassException.class)
public void rejectPrecedence() throws Exception {
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(testStream);
    // The accept is registered first; the later reject of the same class must still win.
    assertSerialization(
            willClose(unfiltered)
                    .accept(MockSerializedClass.class)
                    .reject(MockSerializedClass.class, Integer.class));
}
/**
 * Accepts only {@code Long} while rejecting {@code MockSerializedClass} and
 * {@code Integer}; the read is expected to fail with
 * {@link InvalidClassException}.
 */
@Test(expected = InvalidClassException.class)
public void reject() throws Exception {
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(testStream);
    // NOTE(review): presumably the payload is a MockSerializedClass, which is both
    // absent from the accept list and named in the reject list -- confirm.
    assertSerialization(
            willClose(unfiltered)
                    .accept(Long.class)
                    .reject(MockSerializedClass.class, Integer.class));
}
/**
 * Combines an accept of {@code MockSerializedClass} with a reject rule given
 * as the {@code ALWAYS_TRUE} matcher and expects {@link InvalidClassException}.
 */
@Test(expected = InvalidClassException.class)
public void rejectCustomMatcher() throws Exception {
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(testStream);
    // NOTE(review): ALWAYS_TRUE is declared outside this view; by its name it
    // matches every class name, so the reject rule should cover any payload -- confirm.
    assertSerialization(
            willClose(unfiltered)
                    .accept(MockSerializedClass.class)
                    .reject(ALWAYS_TRUE));
}
/**
 * Combines an accept of {@code MockSerializedClass} with a reject rule given
 * as the string {@code "org.*"} and expects {@link InvalidClassException}.
 */
@Test(expected = InvalidClassException.class)
public void rejectWildcard() throws Exception {
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(testStream);
    // NOTE(review): the string overload is presumably a wildcard match (per the
    // test name), unlike the regex used in rejectPattern -- confirm.
    assertSerialization(
            willClose(unfiltered)
                    .accept(MockSerializedClass.class)
                    .reject("org.*"));
}
/**
 * Runs the stream in pure deny-list mode: every class is accepted via
 * {@code "*"} and only the listed class names are rejected.
 *
 * <p>This is weaker than accepting an explicit set of expected classes,
 * because a deny list is hard to make exhaustive: any class that is not
 * listed is still deserialized. It might be acceptable in controlled
 * environments.
 *
 * <p>No exception is expected here, unlike the reject tests in this class.
 */
@Test
public void useBlacklist() throws IOException, ClassNotFoundException {
    final String[] deniedClassNames = {
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.springframework.beans.factory.ObjectFactory"
    };
    // NOTE(review): this test reads from inputStream while the sibling tests use
    // testStream -- confirm that is the intended fixture.
    final ValidatingObjectInputStream unfiltered = new ValidatingObjectInputStream(inputStream);
    // Here willClose wraps the fully configured stream, not the freshly built one.
    assertSerialization(
            willClose(
                    unfiltered
                            .accept("*")
                            .reject(deniedClassNames)));
}
}