All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.qpid.jms.util.ClassLoadingAwareObjectInputStream Maven / Gradle / Ivy

The newest version!
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.qpid.jms.util;

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.lang.reflect.Proxy;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {

    private static final Logger LOG = LoggerFactory.getLogger(ClassLoadingAwareObjectInputStream.class);
    private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader();

    private final ClassLoader inLoader;
    private final TrustedClassFilter securityFilter;

    /**
     * Security Filter used to filter classes that the application deems to be insecure, this filter
     * is not applied to the class instances for the primitive types, and array types are narrowed
     * to the component type of the array before being passed into this filter.
     */
    public interface TrustedClassFilter {
        boolean isTrusted(Class clazz);
    }

    public ClassLoadingAwareObjectInputStream(InputStream in, TrustedClassFilter filter) throws IOException {
        super(in);

        inLoader = in.getClass().getClassLoader();
        securityFilter = filter;
    }

    @Override
    protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Class clazz = load(classDesc.getName(), cl, inLoader);
        return checkSecurity(clazz);
    }

    @Override
    protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Class[] cinterfaces = new Class[interfaces.length];
        for (int i = 0; i < interfaces.length; i++) {
            cinterfaces[i] = load(interfaces[i], cl);
        }

        Class clazz = null;
        Throwable failureCause = null;

        try {
            clazz = Proxy.getProxyClass(cl, cinterfaces);
        } catch (IllegalArgumentException e) {
            failureCause = e;

            try {
                clazz = Proxy.getProxyClass(inLoader, cinterfaces);
            } catch (IllegalArgumentException e1) {
            }
            try {
                clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
            } catch (IllegalArgumentException e2) {
            }
        }

        if (clazz != null) {
            return checkSecurity(clazz);
        }

        throw new ClassNotFoundException("Failed find class.", failureCause);
    }

    private Class checkSecurity(Class clazz) throws ClassNotFoundException {

        Class target = clazz;

        while (target.isArray()) {
            target = target.getComponentType();
        }

        while (target.isAnonymousClass() || target.isLocalClass()) {
            target = target.getEnclosingClass();
        }

        if (!target.isPrimitive() && securityFilter != null) {
            if (!securityFilter.isTrusted(target)) {
                throw new ClassNotFoundException("Forbidden " + clazz + "! " +
                    "This class is not trusted to be deserialized under the current configuration. " +
                    "Please refer to the documentation for more information on how to configure trusted classes.");
            }
        }

        return clazz;
    }

    private Class load(String className, ClassLoader... cl) throws ClassNotFoundException {
        // check for simple types first
        final Class clazz = loadSimpleType(className);
        if (clazz != null) {
            LOG.trace("Loaded class: {} as simple type -> ", className, clazz);
            return clazz;
        }

        // try the different class loaders
        for (ClassLoader loader : cl) {
            LOG.trace("Attempting to load class: {} using classloader: {}", className, cl);
            try {
                Class answer = Class.forName(className, false, loader);
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Loaded class: {} using classloader: {} -> ", new Object[] { className, cl, answer });
                }
                return answer;
            } catch (ClassNotFoundException e) {
                LOG.trace("Class not found: {} using classloader: {}", className, cl);
            }
        }

        // and then the fallback class loader
        return Class.forName(className, false, FALLBACK_CLASS_LOADER);
    }

    /**
     * Load a simple type
     *
     * @param name
     *        the name of the class to load
     * @return the class or null if it could not be loaded
     */
    public static Class loadSimpleType(String name) {
        if ("java.lang.byte[]".equals(name) || "byte[]".equals(name)) {
            return byte[].class;
        } else if ("java.lang.Byte[]".equals(name) || "Byte[]".equals(name)) {
            return Byte[].class;
        } else if ("java.lang.Object[]".equals(name) || "Object[]".equals(name)) {
            return Object[].class;
        } else if ("java.lang.String[]".equals(name) || "String[]".equals(name)) {
            return String[].class;
        } else if ("java.lang.String".equals(name) || "String".equals(name)) {
            return String.class;
        } else if ("java.lang.Boolean".equals(name) || "Boolean".equals(name)) {
            return Boolean.class;
        } else if ("boolean".equals(name)) {
            return boolean.class;
        } else if ("java.lang.Integer".equals(name) || "Integer".equals(name)) {
            return Integer.class;
        } else if ("int".equals(name)) {
            return int.class;
        } else if ("java.lang.Long".equals(name) || "Long".equals(name)) {
            return Long.class;
        } else if ("long".equals(name)) {
            return long.class;
        } else if ("java.lang.Short".equals(name) || "Short".equals(name)) {
            return Short.class;
        } else if ("short".equals(name)) {
            return short.class;
        } else if ("java.lang.Byte".equals(name) || "Byte".equals(name)) {
            return Byte.class;
        } else if ("byte".equals(name)) {
            return byte.class;
        } else if ("java.lang.Float".equals(name) || "Float".equals(name)) {
            return Float.class;
        } else if ("float".equals(name)) {
            return float.class;
        } else if ("java.lang.Double".equals(name) || "Double".equals(name)) {
            return Double.class;
        } else if ("double".equals(name)) {
            return double.class;
        }

        return null;
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy