- Enclosing interface:
public static final class ObjectInputFilter.Config extends ObjectA utility class to set and get the process-wide filter or create a filter from a pattern string. If a process-wide filter is set, it will be used for each
ObjectInputStreamthat does not set its own filter.
When setting the filter, it should be stateless and idempotent, reporting the same result when passed the same arguments.
The filter is configured during the initialization of the
ObjectInputFilter.Configclass. For example, by calling
Config.getSerialFilter. If the system property
jdk.serialFilteris defined, it is used to configure the filter. If the system property is not defined, and the
jdk.serialFilteris defined then it is used to configure the filter. Otherwise, the filter is not configured during initialization. The syntax for each property is the same as for the
createFiltermethod. If a filter is not configured, it can be set with
Modifier and Type Method Description
createFilter(String pattern)Returns an ObjectInputFilter from a string of patterns.
getSerialFilter()Returns the process-wide serialization filter or
nullif not configured.
setSerialFilter(ObjectInputFilter filter)Set the process-wide filter if it has not already been configured or set.
public static ObjectInputFilter getSerialFilter()Returns the process-wide serialization filter or
nullif not configured.
- the process-wide serialization filter or
nullif not configured
public static void setSerialFilter(ObjectInputFilter filter)Set the process-wide filter if it has not already been configured or set.
public static ObjectInputFilter createFilter(String pattern)Returns an ObjectInputFilter from a string of patterns.
Patterns are separated by ";" (semicolon). Whitespace is significant and is considered part of the pattern. If a pattern includes an equals assignment, "
=" it sets a limit. If a limit appears more than once the last value is used.
value- the maximum depth of a graph
value- the maximum number of internal references
value- the maximum number of bytes in the input stream
value- the maximum array length allowed
Other patterns match or reject class or package name as returned from
Class.getName()and if an optional module name is present
class.getModule().getName(). Note that for arrays the element type is used in the pattern, not the array type.
- If the pattern starts with "!", the class is rejected if the remaining pattern is matched; otherwise the class is allowed if the pattern matches.
- If the pattern contains "/", the non-empty prefix up to the "/" is the module name; if the module name matches the module name of the class then the remaining pattern is matched with the class name. If there is no "/", the module name is not compared.
- If the pattern ends with ".**" it matches any class in the package and all subpackages.
- If the pattern ends with ".*" it matches any class in the package.
- If the pattern ends with "*", it matches any class with the pattern as a prefix.
- If the pattern is equal to the class name, it matches.
- Otherwise, the pattern is not matched.
The resulting filter performs the limit checks and then tries to match the class, if any. If any of the limits are exceeded, the filter returns
Status.REJECTED. If the class is an array type, the class to be matched is the element type. Arrays of any number of dimensions are treated the same as the element type. For example, a pattern of "
!example.Foo", rejects creation of any instance or array of
example.Foo. The first pattern that matches, working from left to right, determines the
Status.REJECTEDresult. If the limits are not exceeded and no pattern matches the class, the result is
pattern- the pattern string to parse; not null
- a filter to check a class being deserialized;
nullif no patterns
IllegalArgumentException- if the pattern string is illegal or malformed and cannot be parsed. In particular, if any of the following is true:
- if a limit is missing the name or the name is not one of "maxdepth", "maxrefs", "maxbytes", or "maxarray"
- if the value of the limit can not be parsed by
Long.parseLongor is negative
- if the pattern contains "/" and the module name is missing or the remaining pattern is empty
- if the package is missing for ".*" and ".**"