ObjectInputFilterpublic static final class ObjectInputFilter.Config extends Object
ObjectInputFilter. The JVM-wide deserialization filter factory and the static JVM-wide filter can be configured from system properties during the initialization of the ObjectInputFilter.Config class.
If the Java virtual machine is started with the system property jdk.serialFilter, its value is used to configure the filter. If the system property is not defined, and the Security property jdk.serialFilter is defined then it is used to configure the filter. The filter is created as if createFilter is called, if the filter string is invalid the initialization fails and subsequent attempts to get the filter, set a filter, or create an ObjectInputStream throw IllegalStateException. Deserialization is not possible with an invalid serial filter. If the system property jdk.serialFilter or the Security property jdk.serialFilter is not set the filter can be set with Config.setSerialFilter. Setting the jdk.serialFilter with System.setProperty does not set the filter. The syntax for the property value is the same as for the createFilter method.
If the Java virtual machine is started with the system property jdk.serialFilterFactory or the Security property of the same name, its value names the class to configure the JVM-wide deserialization filter factory. If the system property is not defined, and the Security property jdk.serialFilterFactory is defined then it is used to configure the filter factory. If it remains unset, the filter factory is a builtin filter factory compatible with previous versions.
The class must be public, must have a public zero-argument constructor, implement the BinaryOperator<ObjectInputFilter> interface, provide its implementation and be accessible via the application class loader. If the filter factory constructor is not invoked successfully subsequent attempts to get the factory, set the factory, or create an ObjectInputStream throw IllegalStateException. Deserialization is not possible with an invalid serial filter factory. The filter factory configured using the system or security property during initialization can NOT be replaced with Config.setSerialFilterFactory. This ensures that a filter factory set on the command line is not overridden accidentally or intentionally by the application.
Setting the jdk.serialFilterFactory with System.setProperty does not set the filter factory. The syntax for the system property value and security property value is the fully qualified class name of the deserialization filter factory.
| Modifier and Type | Method | Description |
|---|---|---|
static ObjectInputFilter |
createFilter |
Returns an ObjectInputFilter from a string of patterns. |
static ObjectInputFilter |
getSerialFilter() |
Returns the static JVM-wide deserialization filter or null if not configured. |
static BinaryOperator |
getSerialFilterFactory() |
Returns the JVM-wide deserialization filter factory. |
static void |
setSerialFilter |
Set the static JVM-wide filter if it has not already been configured or set. |
static void |
setSerialFilterFactory |
public static ObjectInputFilter getSerialFilter()
null if not configured.null if not configuredIllegalStateException - if the initialization of the filter from the system property jdk.serialFilter or the security property jdk.serialFilter fails.public static void setSerialFilter(ObjectInputFilter filter)
filter - the deserialization filter to set as the JVM-wide filter; not nullSecurityException - if there is security manager and the SerializablePermission("serialFilter") is not grantedIllegalStateException - if the filter has already been set or the initialization of the filter from the system property jdk.serialFilter or the security property jdk.serialFilter fails.public static BinaryOperator<ObjectInputFilter> getSerialFilterFactory()
setObjectInputFilter.to set the stream-specific filter the requested filter replaces the static JVM-wide filter, unless it has already been set. The builtin deserialization filter factory implements the behavior of earlier versions of setting the initial filter in the ObjectInputStream constructor and ObjectInputStream.setObjectInputFilter(java.io.ObjectInputFilter).IllegalStateException - if the filter factory initialization is incompletepublic static void setSerialFilterFactory(BinaryOperator<ObjectInputFilter> filterFactory)
jdk.serialFilterFactory property on the command line, setting the jdk.serialFilterFactory property in the Security file, or using this setSerialFilterFactory method. The filter factory can be set only before any ObjectInputStream has been created to avoid any inconsistency in which filter factory is being used. The JVM-wide filter factory is invoked when an ObjectInputStream is constructed and when the stream-specific filter is set. The parameters are the current filter and a requested filter and it returns the filter to be used for the stream. If the current filter is non-null, the filter factory must return a non-null filter; this is to prevent unintentional disabling of filtering after it has been enabled. The factory determines the filter to be used for ObjectInputStream streams based on its inputs, any other filters, context, or state that is available. The factory may throw runtime exceptions to signal incorrect use or invalid parameters. See the filter models for examples of composition and delegation.
filterFactory - the deserialization filter factory to set as the JVM-wide filter factory; not nullIllegalStateException - if the builtin deserialization filter factory has already been replaced or any instance of ObjectInputStream has been created.SecurityException - if there is security manager and the SerializablePermission("serialFilter") is not grantedpublic static ObjectInputFilter createFilter(String pattern)
Patterns are separated by ";" (semicolon). Whitespace is significant and is considered part of the pattern. If a pattern includes an equals assignment, "=" it sets a limit. If a limit appears more than once the last value is used.
value - the maximum depth of a graphvalue - the maximum number of internal referencesvalue - the maximum number of bytes in the input streamvalue - the maximum array length allowed Other patterns match or reject class or package name as returned from Class.getName() and if an optional module name is present class.getModule().getName(). Note that for arrays the element type is used in the pattern, not the array type.
The resulting filter performs the limit checks and then tries to match the class, if any. If any of the limits are exceeded, the filter returns Status.REJECTED. If the class is an array type, the class to be matched is the element type. Arrays of any number of dimensions are treated the same as the element type. For example, a pattern of "!example.Foo", rejects creation of any instance or array of example.Foo. The first pattern that matches, working from left to right, determines the Status.ALLOWED or Status.REJECTED result. If the limits are not exceeded and no pattern matches the class, the result is Status.UNDECIDED.
pattern - the pattern string to parse; not nullnull if no patternsIllegalArgumentException - if the pattern string is illegal or malformed and cannot be parsed. In particular, if any of the following is true: Long.parseLong or is negative
© 1993, 2023, Oracle and/or its affiliates. All rights reserved.
Documentation extracted from Debian's OpenJDK Development Kit package.
Licensed under the GNU General Public License, version 2, with the Classpath Exception.
Various third party code in OpenJDK is licensed under different licenses (see Debian package).
Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/io/ObjectInputFilter.Config.html