Class DefaultDeserializationTypeValidator
- java.lang.Object
  - org.camunda.bpm.engine.impl.runtime.DefaultDeserializationTypeValidator

All Implemented Interfaces:
DeserializationTypeValidator, WhitelistingDeserializationTypeValidator

public class DefaultDeserializationTypeValidator extends java.lang.Object implements WhitelistingDeserializationTypeValidator
Validate a type against a list of allowed packages and classes. Allows a basic set of packages and classes without known security issues based on Jackson Databind's SubTypeValidator.

Field Summary
Fields (Modifier and Type, Field):
protected static java.util.Collection<java.lang.String> ALLOWED_CLASSES
protected static java.util.Collection<java.lang.String> ALLOWED_PACKAGES
protected java.util.Set<java.lang.String> allowedClasses
protected java.util.Set<java.lang.String> allowedPackages

Constructor Summary
Constructor:
DefaultDeserializationTypeValidator()

Method Summary
Methods (Modifier and Type, Method, Description):
protected void extractElements(java.lang.String allowedElements, java.util.Set<java.lang.String> set)
protected boolean isClassNameAllowed(java.lang.String className)
protected boolean isPackageAllowed(java.lang.String className)
protected boolean isPackageAllowed(java.lang.String className, java.util.Collection<java.lang.String> allowedPackages)
void setAllowedClasses(java.lang.String deserializationAllowedClasses)
    Set the allowed class names
void setAllowedPackages(java.lang.String deserializationAllowedPackages)
    Set the allowed package names
boolean validate(java.lang.String className)
    Validate the class name

Field Detail

ALLOWED_PACKAGES
protected static final java.util.Collection<java.lang.String> ALLOWED_PACKAGES

ALLOWED_CLASSES
protected static final java.util.Collection<java.lang.String> ALLOWED_CLASSES

allowedClasses
protected java.util.Set<java.lang.String> allowedClasses

allowedPackages
protected java.util.Set<java.lang.String> allowedPackages

Method Detail

setAllowedClasses
public void setAllowedClasses(java.lang.String deserializationAllowedClasses)
Description copied from interface: WhitelistingDeserializationTypeValidator
Set the allowed class names
Specified by: setAllowedClasses in interface WhitelistingDeserializationTypeValidator

setAllowedPackages
public void setAllowedPackages(java.lang.String deserializationAllowedPackages)
Description copied from interface: WhitelistingDeserializationTypeValidator
Set the allowed package names
Specified by: setAllowedPackages in interface WhitelistingDeserializationTypeValidator

validate
public boolean validate(java.lang.String className)
Description copied from interface: DeserializationTypeValidator
Validate the class name
Specified by: validate in interface DeserializationTypeValidator

isPackageAllowed
protected boolean isPackageAllowed(java.lang.String className)

isPackageAllowed
protected boolean isPackageAllowed(java.lang.String className, java.util.Collection<java.lang.String> allowedPackages)

isClassNameAllowed
protected boolean isClassNameAllowed(java.lang.String className)

extractElements
protected void extractElements(java.lang.String allowedElements, java.util.Set<java.lang.String> set)