- Enclosing interface:
- ObjectInputFilter
public static final class ObjectInputFilter.Config extends Object
ObjectInputStream
that does not set its own filter.
When setting the filter, it should be stateless and idempotent, reporting the same result when passed the same arguments.
The filter is configured during the initialization of the ObjectInputFilter.Config
class. For example, by calling Config.getSerialFilter
.
If the Java virtual machine is started with the system property
jdk.serialFilter
, its value is used to configure the filter.
If the system property is not defined, and the Security
property
jdk.serialFilter
is defined then it is used to configure the filter.
Otherwise, the filter is not configured during initialization and
can be set with Config.setSerialFilter
.
Setting the jdk.serialFilter
with System.setProperty
does not set the filter.
The syntax for each property is the same as for the
createFilter
method.
- Since:
- 9
-
Method Summary
Modifier and TypeMethodDescriptionstatic ObjectInputFilter
createFilter(String pattern)
Returns an ObjectInputFilter from a string of patterns.static ObjectInputFilter
Returns the system-wide serialization filter ornull
if not configured.static void
setSerialFilter(ObjectInputFilter filter)
Set the system-wide filter if it has not already been configured or set.
-
Method Details
-
getSerialFilter
Returns the system-wide serialization filter ornull
if not configured.- Returns:
- the system-wide serialization filter or
null
if not configured
-
setSerialFilter
Set the system-wide filter if it has not already been configured or set.- Parameters:
filter
- the serialization filter to set as the system-wide filter; not null- Throws:
SecurityException
- if there is security manager and theSerializablePermission("serialFilter")
is not grantedIllegalStateException
- if the filter has already been setnon-null
-
createFilter
Returns an ObjectInputFilter from a string of patterns.Patterns are separated by ";" (semicolon). Whitespace is significant and is considered part of the pattern. If a pattern includes an equals assignment, "
=
" it sets a limit. If a limit appears more than once the last value is used.- maxdepth=
value
- the maximum depth of a graph - maxrefs=
value
- the maximum number of internal references - maxbytes=
value
- the maximum number of bytes in the input stream - maxarray=
value
- the maximum array length allowed
Other patterns match or reject class or package name as returned from
Class.getName()
and if an optional module name is presentclass.getModule().getName()
. Note that for arrays the element type is used in the pattern, not the array type.- If the pattern starts with "!", the class is rejected if the remaining pattern is matched; otherwise the class is allowed if the pattern matches.
- If the pattern contains "/", the non-empty prefix up to the "/" is the module name; if the module name matches the module name of the class then the remaining pattern is matched with the class name. If there is no "/", the module name is not compared.
- If the pattern ends with ".**" it matches any class in the package and all subpackages.
- If the pattern ends with ".*" it matches any class in the package.
- If the pattern ends with "*", it matches any class with the pattern as a prefix.
- If the pattern is equal to the class name, it matches.
- Otherwise, the pattern is not matched.
The resulting filter performs the limit checks and then tries to match the class, if any. If any of the limits are exceeded, the filter returns
Status.REJECTED
. If the class is an array type, the class to be matched is the element type. Arrays of any number of dimensions are treated the same as the element type. For example, a pattern of "!example.Foo
", rejects creation of any instance or array ofexample.Foo
. The first pattern that matches, working from left to right, determines theStatus.ALLOWED
orStatus.REJECTED
result. If the limits are not exceeded and no pattern matches the class, the result isStatus.UNDECIDED
.- Parameters:
pattern
- the pattern string to parse; not null- Returns:
- a filter to check a class being deserialized;
null
if no patterns - Throws:
IllegalArgumentException
- if the pattern string is illegal or malformed and cannot be parsed. In particular, if any of the following is true:- if a limit is missing the name or the name is not one of "maxdepth", "maxrefs", "maxbytes", or "maxarray"
- if the value of the limit can not be parsed by
Long.parseLong
or is negative - if the pattern contains "/" and the module name is missing or the remaining pattern is empty
- if the package is missing for ".*" and ".**"
- maxdepth=
-