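/*
 * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/* @test
 * @bug 4311940
 * @summary Verify that unauthorized ObjectOutputStream and ObjectInputStream
 *          cannot be constructed if they override security-sensitive non-final
 *          methods.
 * @build AuditStreamSubclass
 * @run main/othervm AuditStreamSubclass
 */
import java.io.*;

// ---------------------------------------------------------------------------
// Output-stream fixtures.
//
// "Good" subclasses add only a constructor; "Bad" subclasses override one of
// the non-final methods this test treats as security-sensitive (putFields,
// writeUnshared). main() expects the Good ones to construct normally and the
// Bad ones to be rejected with a SecurityException.
// ---------------------------------------------------------------------------

/** Direct subclass that overrides nothing; construction must succeed. */
class GoodOOS1 extends ObjectOutputStream {
    GoodOOS1(OutputStream out) throws IOException { super(out); }
}

/** Indirect subclass that overrides nothing; construction must succeed. */
class GoodOOS2 extends GoodOOS1 {
    GoodOOS2(OutputStream out) throws IOException { super(out); }
}

/** Direct subclass overriding {@code putFields()}; construction must be rejected. */
class BadOOS1 extends ObjectOutputStream {
    BadOOS1(OutputStream out) throws IOException { super(out); }
    @Override
    public PutField putFields() throws IOException { return null; }
}

/** Direct subclass overriding {@code writeUnshared()}; construction must be rejected. */
class BadOOS2 extends ObjectOutputStream {
    BadOOS2(OutputStream out) throws IOException { super(out); }
    @Override
    public void writeUnshared(Object obj) throws IOException {}
}

/**
 * Overrides {@code writeUnshared()} below an otherwise harmless intermediate
 * class, so the check has to look at the whole hierarchy and not only at the
 * class that directly extends ObjectOutputStream.
 */
class BadOOS3 extends GoodOOS1 {
    BadOOS3(OutputStream out) throws IOException { super(out); }
    @Override
    public void writeUnshared(Object obj) throws IOException {}
}

// ---------------------------------------------------------------------------
// Input-stream fixtures, mirroring the output-stream ones above
// (readFields, readUnshared).
// ---------------------------------------------------------------------------

/** Direct subclass that overrides nothing; construction must succeed. */
class GoodOIS1 extends ObjectInputStream {
    GoodOIS1(InputStream in) throws IOException { super(in); }
}

/** Indirect subclass that overrides nothing; construction must succeed. */
class GoodOIS2 extends GoodOIS1 {
    GoodOIS2(InputStream in) throws IOException { super(in); }
}

/** Direct subclass overriding {@code readFields()}; construction must be rejected. */
class BadOIS1 extends ObjectInputStream {
    BadOIS1(InputStream in) throws IOException { super(in); }
    @Override
    public GetField readFields() throws IOException, ClassNotFoundException {
        return null;
    }
}

/** Direct subclass overriding {@code readUnshared()}; construction must be rejected. */
class BadOIS2 extends ObjectInputStream {
    BadOIS2(InputStream in) throws IOException { super(in); }
    @Override
    public Object readUnshared() throws IOException, ClassNotFoundException {
        return null;
    }
}

/**
 * Overrides {@code readUnshared()} below an otherwise harmless intermediate
 * class; construction must still be rejected.
 */
class BadOIS3 extends GoodOIS1 {
    BadOIS3(InputStream in) throws IOException { super(in); }
    @Override
    public Object readUnshared() throws IOException, ClassNotFoundException {
        return null;
    }
}

/**
 * Regression test for bug 4311940: with a security manager installed,
 * serialization stream subclasses that override security-sensitive methods
 * must fail construction with a {@link SecurityException}, while subclasses
 * that override nothing must still construct normally.
 *
 * <p>NOTE(review): the rejection presumably depends on the test code not being
 * granted {@code SerializablePermission("enableSubclassImplementation")} by
 * the policy in effect; confirm the harness policy does not grant it, or
 * the negative cases would fail rather than pass.
 *
 * <p>NOTE(review): {@code System.setSecurityManager} was deprecated for removal
 * in Java 17 (JEP 411), so this test only applies to JDKs where a security
 * manager can still be installed.
 */
public class AuditStreamSubclass {
    /**
     * Runs the positive cases first, then each negative case.
     *
     * @param args unused
     * @throws Exception if a stream that should construct fails to do so
     * @throws Error if a "Bad" subclass is constructed without being rejected
     */
    public static void main(String[] args) throws Exception {
        // The subclass check is only exercised when a security manager is
        // present; install the default one unless the harness already did.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        // Produce a valid serialization stream header so that the
        // ObjectInputStream constructors below have something to read.
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        ObjectOutputStream oout = new ObjectOutputStream(bout);
        oout.flush();
        byte[] buf = bout.toByteArray();

        // Positive cases: any exception here propagates and fails the test.
        new GoodOOS1(bout);
        new GoodOOS2(bout);
        new GoodOIS1(new ByteArrayInputStream(buf));
        new GoodOIS2(new ByteArrayInputStream(buf));

        // Negative cases: reaching the throw means the constructor returned
        // normally, i.e. the subclass was not rejected. Error is not caught
        // by the SecurityException handler, so it fails the test, and the
        // message names the case that slipped through.
        try {
            new BadOOS1(bout);
            throw new Error("BadOOS1 (overrides putFields) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: construction rejected
        }

        try {
            new BadOOS2(bout);
            throw new Error("BadOOS2 (overrides writeUnshared) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: construction rejected
        }

        try {
            new BadOOS3(bout);
            throw new Error("BadOOS3 (overrides writeUnshared via GoodOOS1)"
                    + " was constructed without a SecurityException");
        } catch (SecurityException expected) {
            // expected: construction rejected
        }

        try {
            new BadOIS1(new ByteArrayInputStream(buf));
            throw new Error("BadOIS1 (overrides readFields) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: construction rejected
        }

        try {
            new BadOIS2(new ByteArrayInputStream(buf));
            throw new Error("BadOIS2 (overrides readUnshared) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: construction rejected
        }

        try {
            new BadOIS3(new ByteArrayInputStream(buf));
            throw new Error("BadOIS3 (overrides readUnshared via GoodOIS1)"
                    + " was constructed without a SecurityException");
        } catch (SecurityException expected) {
            // expected: construction rejected
        }
    }
}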