Class DefaultDeserializationTypeValidator
java.lang.Object
  org.camunda.bpm.engine.impl.runtime.DefaultDeserializationTypeValidator

All Implemented Interfaces:
DeserializationTypeValidator, WhitelistingDeserializationTypeValidator

public class DefaultDeserializationTypeValidator extends Object implements WhitelistingDeserializationTypeValidator
Validate a type against a list of allowed packages and classes. Allows a basic set of packages and classes without known security issues based on Jackson Databind's SubTypeValidator.
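
An added example, not Camunda's source: a stand-alone sketch of the allow-list check described above, reusing the method names listed on this page. The comma-separated input format, the package-boundary match and the rejection of empty names are assumptions of this sketch, and the `com.example.*` names are constructed.

```java
import java.util.HashSet;
import java.util.Set;

// Illustrative sketch only; not the Camunda implementation.
public class AllowListTypeValidatorSketch {
    private final Set<String> allowedClasses = new HashSet<>();
    private final Set<String> allowedPackages = new HashSet<>();

    // Assumption: entries arrive as one comma-separated string.
    static void extractElements(String allowedElements, Set<String> set) {
        if (allowedElements == null) return;
        for (String element : allowedElements.split(",")) {
            String trimmed = element.trim();
            if (!trimmed.isEmpty()) set.add(trimmed); // a blank entry must never act as a match-all prefix
        }
    }

    public void setAllowedClasses(String classes) { extractElements(classes, allowedClasses); }
    public void setAllowedPackages(String packages) { extractElements(packages, allowedPackages); }

    boolean isClassNameAllowed(String className) {
        return allowedClasses.contains(className); // exact match only
    }

    boolean isPackageAllowed(String className) {
        for (String pkg : allowedPackages) {
            // Match on a package boundary so "com.example.model" does not admit "com.example.modelx.Order".
            String prefix = pkg.endsWith(".") ? pkg : pkg + ".";
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    // Default deny: anything not explicitly listed is rejected.
    public boolean validate(String className) {
        if (className == null || className.trim().isEmpty()) return false;
        return isClassNameAllowed(className) || isPackageAllowed(className);
    }

    public static void main(String[] args) {
        AllowListTypeValidatorSketch v = new AllowListTypeValidatorSketch();
        v.setAllowedPackages("com.example.model, ");       // constructed sample values
        v.setAllowedClasses("com.example.dto.OrderDto");
        System.out.println(v.validate("com.example.model.Order"));   // inside an allowed package
        System.out.println(v.validate("com.example.dto.OrderDto"));  // exact allowed class
        System.out.println(v.validate("com.example.modelx.Order"));  // sibling package, not listed
        System.out.println(v.validate("com.example.dto.OtherDto"));  // class not listed
    }
}
```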

Field Summary
Fields (modifier and type, field):
protected static Collection<String> ALLOWED_CLASSES
protected static Collection<String> ALLOWED_PACKAGES
protected Set<String> allowedClasses
protected Set<String> allowedPackages

Constructor Summary
Constructors:
DefaultDeserializationTypeValidator()

Method Summary
Methods (modifier and type, method, description):
protected void extractElements(String allowedElements, Set<String> set)
protected boolean isClassNameAllowed(String className)
protected boolean isPackageAllowed(String className)
protected boolean isPackageAllowed(String className, Collection<String> allowedPackages)
void setAllowedClasses(String deserializationAllowedClasses): Set the allowed class names
void setAllowedPackages(String deserializationAllowedPackages): Set the allowed package names
boolean validate(String className): Validate the class name

Field Detail

ALLOWED_PACKAGES
protected static final Collection<String> ALLOWED_PACKAGES

ALLOWED_CLASSES
protected static final Collection<String> ALLOWED_CLASSES

Method Detail

setAllowedClasses
public void setAllowedClasses(String deserializationAllowedClasses)
Description copied from interface: WhitelistingDeserializationTypeValidator
Set the allowed class names
Specified by: setAllowedClasses in interface WhitelistingDeserializationTypeValidator

setAllowedPackages
public void setAllowedPackages(String deserializationAllowedPackages)
Description copied from interface: WhitelistingDeserializationTypeValidator
Set the allowed package names
Specified by: setAllowedPackages in interface WhitelistingDeserializationTypeValidator

validate
public boolean validate(String className)
Description copied from interface: DeserializationTypeValidator
Validate the class name
Specified by: validate in interface DeserializationTypeValidator

isPackageAllowed
protected boolean isPackageAllowed(String className)

isPackageAllowed
protected boolean isPackageAllowed(String className, Collection<String> allowedPackages)

isClassNameAllowed
protected boolean isClassNameAllowed(String className)