use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class DeserializationProtectionTest method assertDeserializationFails.
/**
 * Starts a two-member cluster that uses the given Java serialization filter, stores a
 * {@code TestDeserialized} value through member 0 and asserts that reading it back through
 * member 1 fails with a {@code HazelcastSerializationException}.
 *
 * @param javaSerializationFilterConfig filter configuration set on the {@code Config} the members are created from
 * @param keyOwnedByTarget {@code true} to use a key owned by the reading member (index 1),
 *                         {@code false} to use a key owned by the writing member (index 0)
 */
private void assertDeserializationFails(JavaSerializationFilterConfig javaSerializationFilterConfig, boolean keyOwnedByTarget) {
    Config filteredConfig = new Config();
    filteredConfig.getSerializationConfig().setJavaSerializationFilterConfig(javaSerializationFilterConfig);

    TestHazelcastInstanceFactory factory = createHazelcastInstanceFactory(2);
    HazelcastInstance[] members = factory.newInstances(filteredConfig);

    int ownerIndex;
    if (keyOwnedByTarget) {
        ownerIndex = 1;
    } else {
        ownerIndex = 0;
    }
    String ownedKey = generateKeyOwnedBy(members[ownerIndex]);

    members[0].getMap("test").put(ownedKey, new TestDeserialized());
    try {
        members[1].getMap("test").get(ownedKey);
        // Reached only when the read succeeded. Assuming this is JUnit's fail(), it raises an
        // AssertionError, which the catch below does not intercept, so the test fails.
        fail("Deserialization should have failed");
    } catch (HazelcastSerializationException rejected) {
        // An exception alone is not enough: the filter must reject the class before any of its
        // deserialization code runs. isDeserialized is presumably set by TestDeserialized when
        // it is read back -- confirm against that class.
        assertFalse(TestDeserialized.isDeserialized);
    }
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class DeserializationProtectionTest method testClassBlacklisted.
/**
 * <pre>
 * When: The default whitelist is disabled and the class name of the serialized test object is blacklisted.
 * Then: Deserialization fails.
 * </pre>
 *
 * The key is requested as not owned by the reading member ({@code keyOwnedByTarget == false}).
 */
@Test
public void testClassBlacklisted() {
    // Blacklist exactly one class: the payload type stored by the helper.
    ClassFilter rejectedClasses = new ClassFilter();
    rejectedClasses.addClasses(TestDeserialized.class.getName());

    // With the defaults disabled, the explicit blacklist entry is the only rule set by this test.
    JavaSerializationFilterConfig filterConfig = new JavaSerializationFilterConfig();
    filterConfig.setDefaultsDisabled(true);
    filterConfig.setBlacklist(rejectedClasses);

    assertDeserializationFails(filterConfig, false);
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class AbstractClientConfigBuilderTest method testSerializationConfig.
/**
 * Checks every serialization setting read from {@code fullClientConfig}: portable version,
 * factory classes, serializers, byte order, boolean switches and the Java serialization
 * filter (blacklist and whitelist).
 */
@Test
public void testSerializationConfig() {
    SerializationConfig serialization = fullClientConfig.getSerializationConfig();
    assertEquals(3, serialization.getPortableVersion());

    // Factory classes are keyed by factory id.
    Map<Integer, String> dataSerializableFactories = serialization.getDataSerializableFactoryClasses();
    assertEquals(1, dataSerializableFactories.size());
    assertEquals("com.hazelcast.examples.DataSerializableFactory", dataSerializableFactories.get(1));

    Map<Integer, String> portableFactories = serialization.getPortableFactoryClasses();
    assertEquals(1, portableFactories.size());
    assertEquals("com.hazelcast.examples.PortableFactory", portableFactories.get(2));

    // Exactly one custom serializer, plus the global serializer.
    Collection<SerializerConfig> serializers = serialization.getSerializerConfigs();
    assertEquals(1, serializers.size());
    SerializerConfig onlySerializer = serializers.iterator().next();
    assertEquals("com.hazelcast.examples.DummyType", onlySerializer.getTypeClassName());
    assertEquals("com.hazelcast.examples.SerializerFactory", onlySerializer.getClassName());

    GlobalSerializerConfig globalSerializer = serialization.getGlobalSerializerConfig();
    assertEquals("com.hazelcast.examples.GlobalSerializerFactory", globalSerializer.getClassName());

    // Byte order and boolean switches.
    assertEquals(ByteOrder.BIG_ENDIAN, serialization.getByteOrder());
    assertTrue(serialization.isCheckClassDefErrors());
    assertFalse(serialization.isAllowUnsafe());
    assertFalse(serialization.isAllowOverrideDefaultSerializers());
    assertFalse(serialization.isEnableCompression());
    assertTrue(serialization.isEnableSharedObject());
    assertTrue(serialization.isUseNativeByteOrder());

    // Java serialization filter: both lists must survive config parsing unchanged, otherwise
    // a client could silently run with a weaker filter than the one that was configured.
    JavaSerializationFilterConfig filter = serialization.getJavaSerializationFilterConfig();

    ClassFilter blacklist = filter.getBlacklist();
    assertEquals(1, blacklist.getClasses().size());
    assertTrue(blacklist.getClasses().contains("com.acme.app.BeanComparator"));

    ClassFilter whitelist = filter.getWhitelist();
    assertEquals(2, whitelist.getClasses().size());
    assertTrue(whitelist.getClasses().contains("java.lang.String"));
    assertTrue(whitelist.getClasses().contains("example.Foo"));

    assertEquals(2, whitelist.getPackages().size());
    assertTrue(whitelist.getPackages().contains("com.acme.app"));
    assertTrue(whitelist.getPackages().contains("com.acme.app.subpkg"));

    // NOTE(review): these are parser fixture values. Prefixes as broad as "java" or "com."
    // would admit far more classes than a tight allowlist should in a real deployment.
    assertEquals(3, whitelist.getPrefixes().size());
    assertTrue(whitelist.getPrefixes().contains("java"));
    assertTrue(whitelist.getPrefixes().contains("["));
    assertTrue(whitelist.getPrefixes().contains("com."));
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class ClientDeserializationProtectionTest method testClassBlacklisted.
/**
 * <pre>
 * When: The default whitelist is disabled and the class name of the serialized test object is blacklisted.
 *       The object is read from a client.
 * Then: Deserialization fails.
 * </pre>
 */
@Test
public void testClassBlacklisted() {
    // One filter instance is shared by the member and the client configuration.
    ClassFilter rejectedClasses = new ClassFilter();
    rejectedClasses.addClasses(TestDeserialized.class.getName());
    JavaSerializationFilterConfig filterConfig = new JavaSerializationFilterConfig();
    filterConfig.setDefaultsDisabled(true);
    filterConfig.setBlacklist(rejectedClasses);

    Config memberConfig = new Config();
    memberConfig.getSerializationConfig().setJavaSerializationFilterConfig(filterConfig);
    ClientConfig clientConfig = new ClientConfig();
    clientConfig.getSerializationConfig().setJavaSerializationFilterConfig(filterConfig);

    // The member is started before the client, as in the original ordering.
    HazelcastInstance member = hazelcastFactory.newInstances(memberConfig, 1)[0];
    HazelcastInstance client = hazelcastFactory.newHazelcastClient(clientConfig);

    member.getMap("test").put("key", new TestDeserialized());
    try {
        // The read goes through the client, so the client-side filter is the one under test.
        client.getMap("test").get("key");
        fail("Deserialization should have failed");
    } catch (HazelcastSerializationException rejected) {
        // The class must be rejected before its deserialization code runs; isDeserialized is
        // presumably set by TestDeserialized when it is read back -- confirm against that class.
        assertFalse(TestDeserialized.isDeserialized);
    }
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class ExternalizableDeserializationProtectionTest method testExternalizableProtectedOnMember.
/**
 * <pre>
 * When: The member blacklists the Externalizable test class (defaults disabled) and a client
 *       created without any filter configuration puts an instance into an indexed map.
 * Then: The put fails with a HazelcastSerializationException.
 * </pre>
 */
@Test
public void testExternalizableProtectedOnMember() {
    JavaSerializationFilterConfig memberFilter = new JavaSerializationFilterConfig();
    memberFilter.setDefaultsDisabled(true);
    memberFilter.getBlacklist().addClasses(TestExternalizableDeserialized.class.getName());

    Config memberConfig = smallInstanceConfig();
    memberConfig.getSerializationConfig().setJavaSerializationFilterConfig(memberFilter);

    // the index will force deserialization on the member that stores the entry
    IndexConfig nameIndex = new IndexConfig(IndexType.HASH, "name");
    memberConfig.getMapConfig("test").addIndexConfig(nameIndex);
    hazelcastFactory.newHazelcastInstance(memberConfig);

    // The client is created with no arguments, so only the member carries the blacklist.
    HazelcastInstance client = hazelcastFactory.newHazelcastClient();

    // Register the expectation before the call that should throw
    // (expected is presumably a JUnit ExpectedException rule -- confirm).
    expected.expect(HazelcastSerializationException.class);
    client.getMap("test").put("key", new TestExternalizableDeserialized());
}