added "acceptProxyClasses" flag to RemoteInvocationSerializingExporter

Juergen Hoeller
2011-07-21 09:05:59 +00:00
parent d4be29e661
commit 070a723ef2
3 changed files with 62 additions and 8 deletions


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2008 the original author or authors.
* Copyright 2002-2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -57,7 +57,7 @@ public class CodebaseAwareObjectInputStream extends ConfigurableObjectInputStrea
/**
* Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
* @param in the InputStream to read from
* @param in the InputStream to read from
* @param codebaseUrl the codebase URL to load classes from if not found locally
* (can consist of multiple URLs, separated by spaces)
* @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
@@ -68,7 +68,7 @@ public class CodebaseAwareObjectInputStream extends ConfigurableObjectInputStrea
/**
* Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
* @param in the InputStream to read from
* @param in the InputStream to read from
* @param classLoader the ClassLoader to use for loading local classes
* (may be <code>null</code> to indicate RMI's default ClassLoader)
* @param codebaseUrl the codebase URL to load classes from if not found locally
@@ -82,6 +82,22 @@ public class CodebaseAwareObjectInputStream extends ConfigurableObjectInputStrea
this.codebaseUrl = codebaseUrl;
}
/**
* Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
* @param in the InputStream to read from
* @param classLoader the ClassLoader to use for loading local classes
* (may be <code>null</code> to indicate RMI's default ClassLoader)
* @param acceptProxyClasses whether to accept deserialization of proxy classes
* (may be deactivated as a security measure)
* @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
*/
public CodebaseAwareObjectInputStream(
InputStream in, ClassLoader classLoader, boolean acceptProxyClasses) throws IOException {
super(in, classLoader, acceptProxyClasses);
this.codebaseUrl = null;
}
@Override
protected Class resolveFallbackIfPossible(String className, ClassNotFoundException ex)
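Review bot: The Javadoc of the new three-argument constructor still reads "for the given InputStream and codebase", although this overload takes no codebase and sets `this.codebaseUrl = null`. I would change the summary to `* Create a new CodebaseAwareObjectInputStream for the given InputStream, without a codebase URL.` so readers do not assume a fallback for classes "not found locally" is configured here. There is also no overload that accepts both `codebaseUrl` and `acceptProxyClasses`, so a caller that needs a codebase apparently cannot turn proxy classes off. A four-argument constructor `(InputStream in, ClassLoader classLoader, String codebaseUrl, boolean acceptProxyClasses)` would close that gap, assuming the superclass offers no other way to set the flag. The class body continues outside the hunk.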


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2008 the original author or authors.
* Copyright 2002-2011 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -57,6 +57,8 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
private String contentType = CONTENT_TYPE_SERIALIZED_OBJECT;
private boolean acceptProxyClasses = true;
private Object proxy;
@@ -70,12 +72,27 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
}
/**
* Return the content type to use for sending remote invocation responses.
* Return the content type to use for sending remote invocation responses.
*/
public String getContentType() {
return this.contentType;
}
/**
* Set whether to accept deserialization of proxy classes.
* <p>Default is "true". May be deactivated as a security measure.
*/
public void setAcceptProxyClasses(boolean acceptProxyClasses) {
this.acceptProxyClasses = acceptProxyClasses;
}
/**
* Return whether to accept deserialization of proxy classes.
*/
public boolean isAcceptProxyClasses() {
return this.acceptProxyClasses;
}
public void afterPropertiesSet() {
prepare();
@@ -102,7 +119,7 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
* @throws java.io.IOException if creation of the ObjectInputStream failed
*/
protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), null);
return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), isAcceptProxyClasses());
}
/**
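Review bot: The field is declared as `private boolean acceptProxyClasses = true;`, so the restriction is opt-in and an exporter left at its defaults keeps accepting proxy class descriptors from the incoming stream. The setter Javadoc only says "May be deactivated as a security measure", which does not tell an operator when to do so. I would extend it to `* <p>Default is "true". Set to "false" when callers are not fully trusted and no service argument is a dynamic proxy.` It is also worth stating there that the flag covers proxy classes only and, as far as these hunks show, does not otherwise limit which classes `createObjectInputStream` will deserialize. The class continues outside the visible hunks.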