Class HardenedObjectInputStream

  • All Implemented Interfaces:
    java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable
    Direct Known Subclasses:
    HardenedAccessEventInputStream, HardenedLoggingEventInputStream

    public class HardenedObjectInputStream
    extends java.io.ObjectInputStream
    HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain type of attacks from being successful.

    It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.

    Since:
    1.2.0
    Author:
    Ceki Gülcü
    • Nested Class Summary

      • Nested classes/interfaces inherited from class java.io.ObjectInputStream

        java.io.ObjectInputStream.GetField
    • Field Summary

      • Fields inherited from interface java.io.ObjectStreamConstants

        baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected void addToWhitelist​(java.util.List<java.lang.String> additionalAuthorizedClasses)  
      protected java.lang.Class<?> resolveClass​(java.io.ObjectStreamClass anObjectStreamClass)  
      • Methods inherited from class java.io.ObjectInputStream

        available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
      • Methods inherited from class java.io.InputStream

        mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface java.io.ObjectInput

        read, skip
    • Constructor Detail

      • HardenedObjectInputStream

        public HardenedObjectInputStream​(java.io.InputStream in,
                                         java.lang.String[] whilelist)
                                  throws java.io.IOException
        Throws:
        java.io.IOException
      • HardenedObjectInputStream

        public HardenedObjectInputStream​(java.io.InputStream in,
                                         java.util.List<java.lang.String> whitelist)
                                  throws java.io.IOException
        Throws:
        java.io.IOException
    • Method Detail

      • resolveClass

        protected java.lang.Class<?> resolveClass​(java.io.ObjectStreamClass anObjectStreamClass)
                                           throws java.io.IOException,
                                                  java.lang.ClassNotFoundException
        Overrides:
        resolveClass in class java.io.ObjectInputStream
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException
      • addToWhitelist

        protected void addToWhitelist​(java.util.List<java.lang.String> additionalAuthorizedClasses)