@FunctionalInterface public interface ObjectInputFilter
When a filter is set on an ObjectInputStream, the checkInput(FilterInfo) method is called to validate classes, the length of each array, the number of objects being read from the stream, the depth of the graph, and the total number of bytes read from the stream.
A filter can be set via setObjectInputFilter for an individual ObjectInputStream. A filter can be set via Config.setSerialFilter to affect every ObjectInputStream that does not otherwise set a filter.
A filter determines whether the arguments are ALLOWED or REJECTED and should return the appropriate status. If the filter cannot determine the status it should return UNDECIDED.
Filters should be designed for the specific use case and expected types.
A filter designed for a particular use may be passed a class that is outside
of the scope of the filter. If the purpose of the filter is to black-list classes
then it can reject a candidate class that matches and report UNDECIDED for others.
A filter may be called with a null class, an arrayLength equal to -1, and the depth, number of references, and stream size, and may return a status that reflects only one or only some of those values. This allows a filter to be specific about the choice it is reporting and to use other filters without forcing either allowed or rejected status.
Typically, a custom filter should check if a process-wide filter is configured and defer to it if so. For example,

    ObjectInputFilter.Status checkInput(FilterInfo info) {
        // Consult the process-wide filter first, if one is configured
        ObjectInputFilter serialFilter = ObjectInputFilter.Config.getSerialFilter();
        if (serialFilter != null) {
            ObjectInputFilter.Status status = serialFilter.checkInput(info);
            if (status != ObjectInputFilter.Status.UNDECIDED) {
                // The process-wide filter overrides this filter
                return status;
            }
        }
        // serialClass() may be null for a given call; Remote is java.rmi.Remote
        if (info.serialClass() != null &&
                Remote.class.isAssignableFrom(info.serialClass())) {
            return Status.REJECTED;      // Do not allow Remote objects
        }
        return Status.UNDECIDED;
    }

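
An allow-list variant of the filter above, installed on a single stream with setObjectInputFilter (an added example, not part of the original documentation). The Order and Other types and the numeric limits are constructed for illustration; the filter returns REJECTED for any class it does not expect, because ObjectInputStream refuses only a REJECTED status and lets UNDECIDED through.

```java
import java.io.*;
import java.util.Set;

public class AllowListFilterDemo {
    // Constructed sample types: Order is expected on this stream, Other is not.
    static class Order implements Serializable { String id = "A-1"; int[] qty = {1, 2, 3}; }
    static class Other implements Serializable { }

    static final Set<Class<?>> EXPECTED = Set.of(Order.class, String.class);

    // Allow-list filter with limits on the graph metrics reported in FilterInfo.
    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        // Metrics are checked on every call, including calls where serialClass() is null.
        if (info.depth() > 4 || info.references() > 100
                || info.streamBytes() > 4096 || info.arrayLength() > 16) {
            return ObjectInputFilter.Status.REJECTED;
        }
        // Defer to the process-wide filter when it has an opinion.
        ObjectInputFilter global = ObjectInputFilter.Config.getSerialFilter();
        if (global != null) {
            ObjectInputFilter.Status s = global.checkInput(info);
            if (s != ObjectInputFilter.Status.UNDECIDED) return s;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // no class to judge
        while (c.isArray()) c = c.getComponentType();            // judge arrays by element type
        // Unexpected classes are rejected explicitly rather than left UNDECIDED.
        return (c.isPrimitive() || EXPECTED.contains(c))
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    }

    static String roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(AllowListFilterDemo::check); // per-stream filter
            return "read " + in.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return "refused: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip(new Order()));
        System.out.println(roundTrip(new Other()));
    }
}
```
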
Unless otherwise noted, passing a null argument to a method in this interface and its nested classes will cause a NullPointerException to be thrown.
See Also: ObjectInputStream.setObjectInputFilter(ObjectInputFilter)

Modifier and Type | Interface | Description |
---|---|---|
static class | ObjectInputFilter.Config | A utility class to set and get the process-wide filter or create a filter from a pattern string. |
static interface | ObjectInputFilter.FilterInfo | FilterInfo provides access to information about the current object being deserialized and the status of the ObjectInputStream. |
static class | ObjectInputFilter.Status | The status of a check on the class, array length, number of references, depth, and stream size. |

Modifier and Type | Method | Description |
---|---|---|
ObjectInputFilter.Status | checkInput(ObjectInputFilter.FilterInfo filterInfo) | Check the class, array length, number of object references, depth, stream size, and other available filtering information. |

ObjectInputFilter.Status checkInput(ObjectInputFilter.FilterInfo filterInfo)
The filter returns Status.ALLOWED, Status.REJECTED, or Status.UNDECIDED.
Parameters: filterInfo - provides information about the current object being deserialized, if any, and the status of the ObjectInputStream
Returns: Status.ALLOWED if accepted, Status.REJECTED if rejected, Status.UNDECIDED if undecided.
Copyright © 1993, 2017, Oracle and/or its affiliates. 500 Oracle Parkway
Redwood Shores, CA 94065 USA. All rights reserved.
DRAFT 9-internal+0-adhoc.mlchung.jdk9-jdeps