Package org.camunda.bpm.engine.impl.runtime

Class DefaultDeserializationTypeValidator

java.lang.Object

org.camunda.bpm.engine.impl.runtime.DefaultDeserializationTypeValidator

All Implemented Interfaces:

DeserializationTypeValidator, WhitelistingDeserializationTypeValidator

public class DefaultDeserializationTypeValidator
extends Object
implements WhitelistingDeserializationTypeValidator

Validate a type against a list of allowed packages and classes. Allows a basic set of packages and classes without known security issues based on Jackson Databind's SubTypeValidator.

Field Summary

Fields

Modifier and Type	Field	Description
protected static final Collection<String>	ALLOWED_CLASSES
protected static final Collection<String>	ALLOWED_PACKAGES
protected Set<String>	allowedClasses
protected Set<String>	allowedPackages

Constructor Summary

Constructors

Constructor	Description
DefaultDeserializationTypeValidator()

Method Summary

Modifier and Type	Method	Description
protected void	extractElements(String allowedElements, Set<String> set)
protected boolean	isClassNameAllowed(String className)
protected boolean	isPackageAllowed(String className)
protected boolean	isPackageAllowed(String className, Collection<String> allowedPackages)
void	setAllowedClasses(String deserializationAllowedClasses)	Set the allowed class names
void	setAllowedPackages(String deserializationAllowedPackages)	Set the allowed package names
boolean	validate(String className)	Validate the class name

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

ALLOWED_PACKAGES

protected static final Collection<String> ALLOWED_PACKAGES

ALLOWED_CLASSES

protected static final Collection<String> ALLOWED_CLASSES

allowedClasses

protected Set<String> allowedClasses

allowedPackages

protected Set<String> allowedPackages

Constructor Details

DefaultDeserializationTypeValidator

public DefaultDeserializationTypeValidator()

Method Details

setAllowedClasses

public void setAllowedClasses(String deserializationAllowedClasses)

Description copied from interface: WhitelistingDeserializationTypeValidator

Set the allowed class names

Specified by:

setAllowedClasses in interface WhitelistingDeserializationTypeValidator

setAllowedPackages

public void setAllowedPackages(String deserializationAllowedPackages)

Description copied from interface: WhitelistingDeserializationTypeValidator

Set the allowed package names

Specified by:

setAllowedPackages in interface WhitelistingDeserializationTypeValidator

validate

public boolean validate(String className)

Description copied from interface: DeserializationTypeValidator

Validate the class name

Specified by:

validate in interface DeserializationTypeValidator

isPackageAllowed

protected boolean isPackageAllowed(String className)

isPackageAllowed

protected boolean isPackageAllowed(String className,
 Collection<String> allowedPackages)

isClassNameAllowed

protected boolean isClassNameAllowed(String className)

extractElements

protected void extractElements(String allowedElements,
 Set<String> set)