| /** |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.camel.dataformat.xstream; |
| |
| import com.thoughtworks.xstream.XStream; |
| import com.thoughtworks.xstream.security.ForbiddenClassException; |
| import org.apache.camel.test.junit4.CamelTestSupport; |
| import org.junit.Test; |
| |
| public class XStreamDataFormatPermissionsTest extends CamelTestSupport { |
| protected static final String XML_PURCHASE_ORDER = |
| "<org.apache.camel.dataformat.xstream.PurchaseOrder>" |
| + "<name>foo</name>" |
| + "<price>10.0</price>" |
| + "<amount>1.0</amount>" |
| + "</org.apache.camel.dataformat.xstream.PurchaseOrder>"; |
| protected static final String XML_PURCHASE_ORDERS_LIST = |
| "<list>" |
| + "<org.apache.camel.dataformat.xstream.PurchaseOrder>" |
| + "<name>foo</name>" |
| + "<price>10.0</price>" |
| + "<amount>1.0</amount>" |
| + "</org.apache.camel.dataformat.xstream.PurchaseOrder>" |
| + "<org.apache.camel.dataformat.xstream.PurchaseOrder>" |
| + "<name>bar</name>" |
| + "<price>9.0</price>" |
| + "<amount>2.0</amount>" |
| + "</org.apache.camel.dataformat.xstream.PurchaseOrder>" |
| + "</list>"; |
| |
| @Test |
| public void testNone() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| try { |
| xStream.fromXML(XML_PURCHASE_ORDER); |
| fail("should fail to unmarshall"); |
| } catch (ForbiddenClassException e) { |
| // OK |
| } |
| } |
| |
| |
| @Test |
| public void testDeny() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("-org.apache.camel.dataformat.xstream.PurchaseOrder"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| try { |
| xStream.fromXML(XML_PURCHASE_ORDER); |
| fail("should fail to unmarshall"); |
| } catch (ForbiddenClassException e) { |
| // OK |
| } |
| } |
| |
| @Test |
| public void testAllow() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("org.apache.camel.dataformat.xstream.PurchaseOrder"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| Object po = xStream.fromXML(XML_PURCHASE_ORDER); |
| assertNotNull(po); |
| |
| po = xStream.fromXML(XML_PURCHASE_ORDERS_LIST); |
| assertNotNull(po); |
| } |
| |
| @Test |
| public void testAllowAndDeny() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("org.apache.camel.dataformat.xstream.PurchaseOrder,-org.apache.camel.dataformat.xstream.*"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| try { |
| xStream.fromXML(XML_PURCHASE_ORDER); |
| fail("should fail to unmarshall"); |
| } catch (ForbiddenClassException e) { |
| // OK |
| } |
| } |
| |
| @Test |
| public void testDenyAndAllowDeny() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("-org.apache.camel.dataformat.xstream.*,org.apache.camel.dataformat.xstream.PurchaseOrder"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| Object po = xStream.fromXML(XML_PURCHASE_ORDER); |
| assertNotNull(po); |
| |
| po = xStream.fromXML(XML_PURCHASE_ORDERS_LIST); |
| assertNotNull(po); |
| } |
| |
| @Test |
| public void testAllowAny() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("*"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| Object po = xStream.fromXML(XML_PURCHASE_ORDER); |
| assertNotNull(po); |
| |
| po = xStream.fromXML(XML_PURCHASE_ORDERS_LIST); |
| assertNotNull(po); |
| } |
| |
| @Test |
| public void testAllowAnyAndDeny() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("*,-org.apache.camel.dataformat.xstream.PurchaseOrder"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| try { |
| xStream.fromXML(XML_PURCHASE_ORDER); |
| fail("should fail to unmarshall"); |
| } catch (ForbiddenClassException e) { |
| // OK |
| } |
| } |
| |
| @Test |
| public void testDenyAny() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("-*"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| try { |
| xStream.fromXML(XML_PURCHASE_ORDER); |
| fail("should fail to unmarshall"); |
| } catch (ForbiddenClassException e) { |
| // OK |
| } |
| } |
| |
| @Test |
| public void testDenyAnyAndAllow() { |
| XStreamDataFormat xStreamDataFormat = new XStreamDataFormat(); |
| xStreamDataFormat.setPermissions("-*,org.apache.camel.dataformat.xstream.PurchaseOrder"); |
| |
| XStream xStream = xStreamDataFormat.createXStream(context.getClassResolver(), context.getApplicationContextClassLoader()); |
| |
| Object po = xStream.fromXML(XML_PURCHASE_ORDER); |
| assertNotNull(po); |
| |
| try { |
| xStream.fromXML(XML_PURCHASE_ORDERS_LIST); |
| fail("should fail to unmarshall"); |
| } catch (ForbiddenClassException e) { |
| // OK |
| } |
| } |
| } |