19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.rmi.server;
  27 
  28 import java.io.IOException;
  29 import java.io.InputStream;
  30 import java.io.ObjectInputStream;
  31 import java.io.ObjectStreamClass;
  32 import java.io.StreamCorruptedException;
  33 import java.net.URL;
  34 import java.util.*;
  35 import java.security.AccessControlException;
  36 import java.security.Permission;
  37 
  38 import java.rmi.server.RMIClassLoader;

  39 
  40 /**
  41  * MarshalInputStream is an extension of ObjectInputStream.  When resolving
  42  * a class, it reads an object from the stream written by a corresponding
  43  * MarshalOutputStream.  If the class to be resolved is not available
  44  * locally, from the first class loader on the execution stack, or from the
  45  * context class loader of the current thread, it will attempt to load the
  46  * class from the location annotated by the sending MarshalOutputStream.
  47  * This location object must be a string representing a path of URLs.
  48  *
  49  * A new MarshalInputStream should be created to deserialize remote objects or
  50  * graphs containing remote objects.  Objects are created from the stream
  51  * using the ObjectInputStream.readObject method.
  52  *
  53  * @author      Peter Jones
  54  */
  55 public class MarshalInputStream extends ObjectInputStream {
  56 
  57     /**
  58      * Value of "java.rmi.server.useCodebaseOnly" property,
  59      * as cached at class initialization time.
  60      *
  61      * The default value is true. That is, the value is true
  62      * if the property is absent or is not equal to "false".
  63      * The value is only false when the property is present
  64      * and is equal to "false".
  65      */
  66     private static final boolean useCodebaseOnlyProperty =
  67         ! java.security.AccessController.doPrivileged(
  68             new sun.security.action.GetPropertyAction(
  69                 "java.rmi.server.useCodebaseOnly", "true"))
  70             .equalsIgnoreCase("false");
  71 
  72     /** table to hold sun classes to which access is explicitly permitted */
  73     protected static Map<String, Class<?>> permittedSunClasses
  74         = new HashMap<>(3);
  75 
  76     /** if true, don't try superclass first in resolveClass() */
  77     private boolean skipDefaultResolveClass = false;
  78 
  79     /** callbacks to make when done() called: maps Object to Runnable */
  80     private final Map<Object, Runnable> doneCallbacks
  81         = new HashMap<>(3);
  82 
  83     /**
  84      * if true, load classes (if not available locally) only from the
  85      * URL specified by the "java.rmi.server.codebase" property.
  86      */
  87     private boolean useCodebaseOnly = useCodebaseOnlyProperty;
  88 

  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.rmi.server;
  27 
  28 import java.io.IOException;
  29 import java.io.InputStream;
  30 import java.io.ObjectInputStream;
  31 import java.io.ObjectStreamClass;
  32 import java.io.StreamCorruptedException;
  33 import java.net.URL;
  34 import java.util.*;
  35 import java.security.AccessControlException;
  36 import java.security.Permission;
  37 
  38 import java.rmi.server.RMIClassLoader;
  39 import java.security.PrivilegedAction;
  40 
  41 /**
  42  * MarshalInputStream is an extension of ObjectInputStream.  When resolving
  43  * a class, it reads an object from the stream written by a corresponding
  44  * MarshalOutputStream.  If the class to be resolved is not available
  45  * locally, from the first class loader on the execution stack, or from the
  46  * context class loader of the current thread, it will attempt to load the
  47  * class from the location annotated by the sending MarshalOutputStream.
  48  * This location object must be a string representing a path of URLs.
  49  *
  50  * A new MarshalInputStream should be created to deserialize remote objects or
  51  * graphs containing remote objects.  Objects are created from the stream
  52  * using the ObjectInputStream.readObject method.
  53  *
  54  * @author      Peter Jones
  55  */
  56 public class MarshalInputStream extends ObjectInputStream {
  57 
  58     /**
  59      * Value of "java.rmi.server.useCodebaseOnly" property,
  60      * as cached at class initialization time.
  61      *
  62      * The default value is true. That is, the value is true
  63      * if the property is absent or is not equal to "false".
  64      * The value is only false when the property is present
  65      * and is equal to "false".
  66      */
  67     private static final boolean useCodebaseOnlyProperty =
  68         ! java.security.AccessController.doPrivileged(
  69             (PrivilegedAction<String>) () -> System.getProperty(
  70                 "java.rmi.server.useCodebaseOnly", "true"))
  71             .equalsIgnoreCase("false");
  72 
  73     /** table to hold sun classes to which access is explicitly permitted */
  74     protected static Map<String, Class<?>> permittedSunClasses
  75         = new HashMap<>(3);
  76 
  77     /** if true, don't try superclass first in resolveClass() */
  78     private boolean skipDefaultResolveClass = false;
  79 
  80     /** callbacks to make when done() called: maps Object to Runnable */
  81     private final Map<Object, Runnable> doneCallbacks
  82         = new HashMap<>(3);
  83 
  84     /**
  85      * if true, load classes (if not available locally) only from the
  86      * URL specified by the "java.rmi.server.codebase" property.
  87      */
  88     private boolean useCodebaseOnly = useCodebaseOnlyProperty;
  89