adding whitelist to BlacklistClassResolver
diff --git a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
index e93e7bc..1f020a8 100755
--- a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
+++ b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
@@ -1,13 +1,13 @@
 /**

  * Copyright 2012 International Business Machines Corp.

- *

+ * <p/>

  * See the NOTICE file distributed with this work for additional information

  * regarding copyright ownership. Licensed under the Apache License,

  * Version 2.0 (the "License"); you may not use this file except in compliance

  * with the License. You may obtain a copy of the License at

- *

- *   http://www.apache.org/licenses/LICENSE-2.0

- *

+ * <p/>

+ * http://www.apache.org/licenses/LICENSE-2.0

+ * <p/>

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

@@ -23,9 +23,11 @@
 import java.lang.reflect.Proxy;

 

 public class TCCLObjectInputStream extends ObjectInputStream {

-    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(

-        "batchee.BlacklistClassResolver",

-        "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));

+    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(

+        toArray(System.getProperty(

+            "batchee.serialization.class.blacklist",

+            "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),

+        toArray(System.getProperty("batchee.serialization.class.whitelist")));

 

     private final ClassLoader tccl;
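Review bot: The renamed key in the `BLACKLIST_CLASSES` initializer means deny entries configured under the old `batchee.BlacklistClassResolver` property are no longer read, so an upgraded deployment silently falls back to the built-in three-prefix default. Consider keeping the old key as a fallback, e.g. `System.getProperty("batchee.serialization.class.blacklist", System.getProperty("batchee.BlacklistClassResolver", DEFAULT_BLACKLIST))`, where `DEFAULT_BLACKLIST` is a new constant holding the default string, and mention the rename in the release notes. A short comment here should also state that `batchee.serialization.class.whitelist` is unset by default, so allow-list enforcement is opt-in and the deny list alone is not a complete defence for streams from sources that are not fully trusted.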

 

@@ -53,22 +55,43 @@
         }

     }

 

-    private static final class BlacklistClassResolver {

-        private final String[] blacklist;

+    private static String[] toArray(final String property) {

+        return property == null ? null : property.split(" *, *");

+    }

 

-        protected BlacklistClassResolver(final String[] blacklist) {

+    private static class BlacklistClassResolver {

+        private final String[] blacklist;

+        private final String[] whitelist;

+

+        protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {

+            this.whitelist = whitelist;

             this.blacklist = blacklist;

         }

 

+        protected boolean isBlacklisted(final String name) {

+            return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name);

+        }

+

         public final String check(final String name) {

-            if (blacklist != null) {

-                for (final String white : blacklist) {

+            if (isBlacklisted(name)) {

+                throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");

+            }

+            return name;

+        }

+

+        private static String[] toArray(final String property) {

+            return property == null ? null : property.split(" *, *");

+        }

+

+        private static boolean contains(final String[] list, String name) {

+            if (list != null) {

+                for (final String white : list) {

                     if (name.startsWith(white)) {

-                        throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");

+                        return true;

                     }

                 }

             }

-            return name;

+            return false;

         }

     }

 }
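Review bot: `toArray` keeps empty entries, and `contains` matches them against every class because `name.startsWith("")` is always true. Setting `-Dbatchee.serialization.class.whitelist=` (or a value with a leading comma) therefore allows every class instead of none, and an empty blacklist value rejects everything. Trimming entries and dropping empty ones, as in the fence below, makes an empty whitelist fail closed; the regex `" *, *"` also leaves leading and trailing whitespace on the whole value, which the trim covers. The second `toArray` added inside `BlacklistClassResolver` duplicates the outer one and is not called in the visible lines, so it can be removed. Since matching is by prefix, a comment on `contains` should say that whitelist entries for packages need a trailing `.`, otherwise `com.foo` also admits `com.foobar.X`.

```java
private static String[] toArray(final String property) {
    if (property == null) {
        return null;
    }
    final List<String> entries = new ArrayList<String>();
    for (final String entry : property.split(",")) {
        final String trimmed = entry.trim();
        if (!trimmed.isEmpty()) { // an empty prefix would match every class name
            entries.add(trimmed);
        }
    }
    return entries.toArray(new String[entries.size()]);
}
// … unchanged: BlacklistClassResolver fields, constructor, isBlacklisted, check, contains …
```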