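/**
 * Restores a {@link SessionData} from its Base64-encoded, Java-serialized string form.
 *
 * <p>The payload is treated as untrusted: it is read through
 * {@link WhitelistObjectInputStream}, which only resolves whitelisted classes.
 *
 * @param data Base64 text produced by the matching encoder
 * @return the deserialized session data
 * @throws PippoRuntimeException if the text is not valid Base64, the stream is malformed,
 *         references a non-whitelisted or unknown class, or its root object is not a
 *         {@code SessionData}; the message signals that the session is to be replaced
 */
@Override
public SessionData decode(String data) {
    try {
        // Malformed Base64 throws IllegalArgumentException from the decoder; it is the same
        // "cannot deserialize" outcome as the stream errors and is reported the same way
        // instead of escaping as an unrelated unchecked exception.
        byte[] bytes = Base64.getDecoder().decode(data);
        try (ByteArrayInputStream inputStream = new ByteArrayInputStream(bytes);
             WhitelistObjectInputStream objectInputStream = new WhitelistObjectInputStream(inputStream)) {
            // A whitelisted but unexpected root type would fail this cast; that is also
            // folded into the same exception rather than leaking a bare ClassCastException.
            return (SessionData) objectInputStream.readObject();
        }
    } catch (IOException | ClassNotFoundException | IllegalArgumentException | ClassCastException e) {
        throw new PippoRuntimeException(e, "Cannot deserialize session. A new one will be created.");
    }
}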
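/**
 * Resolves a class descriptor only when its class name passes the whitelist.
 *
 * <p>This is the deserialization guard: a descriptor naming a class that is not
 * whitelisted aborts the read with {@link InvalidClassException} before the
 * superclass loads the class.
 *
 * @param descriptor the serialized class descriptor being resolved
 * @return the class resolved by the superclass for a whitelisted name
 * @throws InvalidClassException if the descriptor's class name is not whitelisted
 * @throws ClassNotFoundException propagated from the superclass
 * @throws IOException propagated from the superclass
 */
@Override
protected Class<?> resolveClass(ObjectStreamClass descriptor) throws ClassNotFoundException, IOException {
    String className = descriptor.getName();
    // Reject before delegating so no class is loaded for an unauthorized name.
    if (!isWhiteClass(className)) {
        throw new InvalidClassException("Unauthorized deserialization attempt", className);
    }
    // NOTE(review): only resolveClass is guarded in this method; confirm that proxy
    // descriptors (resolveProxyClass) and array descriptor names are covered by
    // isWhiteClass or by an equivalent override.
    return super.resolveClass(descriptor);
}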
/**
 * Builds the XStream instance used for (de)serialization.
 *
 * <p>Annotations on model classes are auto-detected, object graphs are written
 * without back-references, and type resolution is restricted to the same
 * whitelist that {@link WhitelistObjectInputStream} enforces.
 *
 * @return a freshly configured {@link XStream}
 */
private XStream xstream() {
    final XStream stream = new XStream();
    // Let model classes declare their mapping through annotations.
    // NOTE(review): XStream documents annotation auto-detection as making the instance
    // non-thread-safe — confirm each caller obtains its own instance from this method.
    stream.autodetectAnnotations(true);
    // Flat output: no id/reference attributes for repeated objects.
    stream.setMode(XStream.NO_REFERENCES);
    // Security: only whitelisted names and name patterns may be instantiated
    // (see http://x-stream.github.io/security.html).
    stream.allowTypes(WhitelistObjectInputStream.getWhiteClassNames());
    stream.allowTypesByRegExp(WhitelistObjectInputStream.getWhiteRegEx());
    return stream;
}
addWhiteRegEx(line.substring(1).trim()); } else { addWhiteClassName(line.trim());