35 import java.security.AccessController;
36 import java.security.PrivilegedAction;
37 import java.security.PrivilegedActionException;
38 import java.security.PrivilegedExceptionAction;
39 import java.util.Arrays;
40 import java.util.Map;
41 import java.util.Objects;
42 import java.util.concurrent.ConcurrentHashMap;
43 import java.util.concurrent.ConcurrentMap;
44
45 import static java.io.ObjectStreamClass.processQueue;
46
47 import jdk.internal.misc.SharedSecrets;
48 import jdk.internal.misc.Unsafe;
49 import sun.reflect.misc.ReflectUtil;
50
51 /**
52 * An ObjectInputStream deserializes primitive data and objects previously
53 * written using an ObjectOutputStream.
54 *
55 * <p>ObjectOutputStream and ObjectInputStream can provide an application with
56 * persistent storage for graphs of objects when used with a FileOutputStream
57 * and FileInputStream respectively. ObjectInputStream is used to recover
58 * those objects previously serialized. Other uses include passing objects
59 * between hosts using a socket stream or for marshaling and unmarshaling
60 * arguments and parameters in a remote communication system.
61 *
62 * <p>ObjectInputStream ensures that the types of all objects in the graph
63 * created from the stream match the classes present in the Java Virtual
64 * Machine. Classes are loaded as required using the standard mechanisms.
65 *
66 * <p>Only objects that support the java.io.Serializable or
67 * java.io.Externalizable interface can be read from streams.
68 *
69 * <p>The method <code>readObject</code> is used to read an object from the
70 * stream. Java's safe casting should be used to get the desired type. In
71 * Java, strings and arrays are objects and are treated as objects during
72 * serialization. When read they need to be cast to the expected type.
73 *
74 * <p>Primitive data types can be read from the stream using the appropriate
35 import java.security.AccessController;
36 import java.security.PrivilegedAction;
37 import java.security.PrivilegedActionException;
38 import java.security.PrivilegedExceptionAction;
39 import java.util.Arrays;
40 import java.util.Map;
41 import java.util.Objects;
42 import java.util.concurrent.ConcurrentHashMap;
43 import java.util.concurrent.ConcurrentMap;
44
45 import static java.io.ObjectStreamClass.processQueue;
46
47 import jdk.internal.misc.SharedSecrets;
48 import jdk.internal.misc.Unsafe;
49 import sun.reflect.misc.ReflectUtil;
50
51 /**
52 * An ObjectInputStream deserializes primitive data and objects previously
53 * written using an ObjectOutputStream.
54 *
55 * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
56 * and should be avoided. Untrusted data should be carefully validated according to the
57 * "Serialization and Deserialization" section of the
58 * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
59 * {@extLink serialization_filter_guide Serialization Filtering} describes best
60 * practices for defensive use of serial filters.
61 * </strong></p>
62 *
63 * <p>ObjectOutputStream and ObjectInputStream can provide an application with
64 * persistent storage for graphs of objects when used with a FileOutputStream
65 * and FileInputStream respectively. ObjectInputStream is used to recover
66 * those objects previously serialized. Other uses include passing objects
67 * between hosts using a socket stream or for marshaling and unmarshaling
68 * arguments and parameters in a remote communication system.
69 *
70 * <p>ObjectInputStream ensures that the types of all objects in the graph
71 * created from the stream match the classes present in the Java Virtual
72 * Machine. Classes are loaded as required using the standard mechanisms.
73 *
74 * <p>Only objects that support the java.io.Serializable or
75 * java.io.Externalizable interface can be read from streams.
76 *
77 * <p>The method <code>readObject</code> is used to read an object from the
78 * stream. Java's safe casting should be used to get the desired type. In
79 * Java, strings and arrays are objects and are treated as objects during
80 * serialization. When read they need to be cast to the expected type.
81 *
82 * <p>Primitive data types can be read from the stream using the appropriate