use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class SerializationClassNameFilterTest method testBlacklistPrefix.
/**
* <pre>
* Given: Blacklist with prefix is used which overlaps default whitelist.
* When: {@link SerializationClassNameFilter#filter(String)} is called for a class which fits default whitelist
* but it's also blacklisted.
* Then: {@link SecurityException} is thrown
* </pre>
*/
@Test(expected = SecurityException.class)
public void testBlacklistPrefix() {
    // setDefaultsDisabled(...) is never called, so the default lists presumably stay active;
    // the test then relies on the blacklist prefix overriding the default whitelist.
    JavaSerializationFilterConfig filterConfig = new JavaSerializationFilterConfig();
    filterConfig.getBlacklist().addPrefixes("com.hazelcast.test");

    SerializationClassNameFilter classNameFilter = new SerializationClassNameFilter(filterConfig);

    // NOTE(review): expected= is satisfied by a SecurityException raised by any statement in
    // this method, not only by the filter(...) call below.
    classNameFilter.filter("com.hazelcast.test.Test1");
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class SerializationClassNameFilterTest method testDefaultPass.
/**
* <pre>
* Given: Default configuration is used.
* When: {@link SerializationClassNameFilter#filter(String)} is called for a java.lang class
* Then: no exception is thrown as the java prefix is in the default whitelist
* </pre>
*/
@Test
public void testDefaultPass() {
    // An untouched config is passed straight to the filter: no blacklist or whitelist entries
    // are added here, so only the built-in defaults decide. The test passes when filter(...)
    // returns without throwing.
    new SerializationClassNameFilter(new JavaSerializationFilterConfig()).filter("java.lang.Object");
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class SerializationClassNameFilterTest method testBlacklistedWithDefaultWhitelist.
/**
* <pre>
* Given: Blacklist is used and defaults are enabled.
* When: {@link SerializationClassNameFilter#filter(String)} is called for a class which fits the default whitelist
* but is also blacklisted.
* Then: {@link SecurityException} is thrown
* </pre>
*/
@Test(expected = SecurityException.class)
public void testBlacklistedWithDefaultWhitelist() {
    JavaSerializationFilterConfig filterConfig = new JavaSerializationFilterConfig();
    // Exact class names are blacklisted (not a prefix); all three sit under java.lang.
    filterConfig.getBlacklist().addClasses("java.lang.Test3", "java.lang.Test2", "java.lang.Test1");

    SerializationClassNameFilter classNameFilter = new SerializationClassNameFilter(filterConfig);

    // The checked name is the last entry added, so the test passes only if the explicit
    // blacklist entry leads to rejection.
    // NOTE(review): expected= also accepts a SecurityException thrown by the setup lines above.
    classNameFilter.filter("java.lang.Test1");
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class DeserializationProtectionTest method testClassBlacklisted.
/**
* <pre>
* When: Default Whitelist is disabled and classname of the test serialized object is blacklisted.
* Then: Deserialization fails.
* </pre>
*/
@Test
public void testClassBlacklisted() {
    // Defaults are switched off, so the only filter rule left is the explicit blacklist entry
    // for the test payload class.
    JavaSerializationFilterConfig javaFilterConfig = new JavaSerializationFilterConfig()
            .setDefaultsDisabled(true)
            .setBlacklist(new ClassFilter().addClasses(TestDeserialized.class.getName()));

    // false: the key is owned by the member that performs the put (see assertDeserializationFails).
    assertDeserializationFails(javaFilterConfig, false);
}
use of com.hazelcast.config.JavaSerializationFilterConfig in project hazelcast by hazelcast.
the class DeserializationProtectionTest method assertDeserializationFails.
/**
 * Starts two members that share the given Java serialization filter configuration, stores a
 * {@code TestDeserialized} value through the first member and asserts that reading it through
 * the second member fails with {@link HazelcastSerializationException}.
 *
 * @param javaSerializationFilterConfig filter configuration applied to both members
 * @param keyOwnedByTarget {@code true} to use a key owned by the reading member (index 1),
 *        {@code false} to use a key owned by the writing member (index 0)
 */
private void assertDeserializationFails(JavaSerializationFilterConfig javaSerializationFilterConfig, boolean keyOwnedByTarget) {
    TestHazelcastInstanceFactory instanceFactory = createHazelcastInstanceFactory(2);
    Config memberConfig = new Config();
    memberConfig.getSerializationConfig().setJavaSerializationFilterConfig(javaSerializationFilterConfig);
    HazelcastInstance[] members = instanceFactory.newInstances(memberConfig);

    final int ownerIndex;
    if (keyOwnedByTarget) {
        ownerIndex = 1;
    } else {
        ownerIndex = 0;
    }
    String ownedKey = generateKeyOwnedBy(members[ownerIndex]);

    // Member 0 writes the value; member 1 is the one expected to reject it on read.
    members[0].getMap("test").put(ownedKey, new TestDeserialized());
    try {
        members[1].getMap("test").get(ownedKey);
        fail("Deserialization should have failed");
    } catch (HazelcastSerializationException expected) {
        // The exception alone is not taken as proof: the static flag must also still be false.
        // NOTE(review): presumably TestDeserialized sets isDeserialized from its deserialization
        // hook - confirm. Nothing here resets the flag, so a value left over from an earlier
        // test in the same JVM would fail this assertion.
        assertFalse(TestDeserialized.isDeserialized);
    }
}