
Example 1 with ObjectInputStreamWithClassLoader

use of org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader in project activemq-artemis by apache.

the class ConsumedObjectMessage method build.

@Override
public void build(Response.ResponseBuilder builder) {
    buildHeaders(builder);
    if (readObject == null) {
        int size = message.getBodyBuffer().readInt();
        if (size > 0) {
            byte[] body = new byte[size];
            message.getBodyBuffer().readBytes(body);
            ByteArrayInputStream bais = new ByteArrayInputStream(body);
            try (ObjectInputStreamWithClassLoader ois = new ObjectInputStreamWithClassLoader(bais)) {
                if (options != null) {
                    ois.setWhiteList(options.getDeserializationWhiteList());
                    ois.setBlackList(options.getDeserializationBlackList());
                }
                readObject = ois.readObject();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }
    builder.entity(readObject);
}
Also used : ObjectInputStreamWithClassLoader(org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader) ByteArrayInputStream(java.io.ByteArrayInputStream)

Example 2 with ObjectInputStreamWithClassLoader

use of org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader in project activemq-artemis by apache.

the class ActiveMQObjectMessage method getObject.

// lazy deserialize the Object the first time the client requests it
@Override
public Serializable getObject() throws JMSException {
    if (data == null || data.length == 0) {
        return null;
    }
    try (ObjectInputStreamWithClassLoader ois = new ObjectInputStreamWithClassLoader(new ByteArrayInputStream(data))) {
        String blackList = getDeserializationBlackList();
        if (blackList != null) {
            ois.setBlackList(blackList);
        }
        String whiteList = getDeserializationWhiteList();
        if (whiteList != null) {
            ois.setWhiteList(whiteList);
        }
        Serializable object = (Serializable) ois.readObject();
        return object;
    } catch (Exception e) {
        JMSException je = new JMSException(e.getMessage());
        je.setStackTrace(e.getStackTrace());
        throw je;
    }
}
Also used : ObjectInputStreamWithClassLoader(org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader) Serializable(java.io.Serializable) ByteArrayInputStream(java.io.ByteArrayInputStream) JMSException(javax.jms.JMSException) ActiveMQException(org.apache.activemq.artemis.api.core.ActiveMQException) MessageFormatException(javax.jms.MessageFormatException)

Example 3 with ObjectInputStreamWithClassLoader

use of org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader in project activemq-artemis by apache.

the class ObjectInputStreamWithClassLoaderTest method testWhiteBlackListSystemProperty.

@Test
public void testWhiteBlackListSystemProperty() throws Exception {
    File serailizeFile = new File(temporaryFolder.getRoot(), "testclass.bin");
    ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream(serailizeFile));
    try {
        outputStream.writeObject(new TestClass1());
        outputStream.flush();
    } finally {
        outputStream.close();
    }
    System.setProperty(ObjectInputStreamWithClassLoader.BLACKLIST_PROPERTY, "system.defined.black.list");
    System.setProperty(ObjectInputStreamWithClassLoader.WHITELIST_PROPERTY, "system.defined.white.list");
    try {
        ObjectInputStreamWithClassLoader ois = new ObjectInputStreamWithClassLoader(new FileInputStream(serailizeFile));
        String bList = ois.getBlackList();
        String wList = ois.getWhiteList();
        assertEquals("wrong black list: " + bList, "system.defined.black.list", bList);
        assertEquals("wrong white list: " + wList, "system.defined.white.list", wList);
        ois.close();
    } finally {
        System.clearProperty(ObjectInputStreamWithClassLoader.BLACKLIST_PROPERTY);
        System.clearProperty(ObjectInputStreamWithClassLoader.WHITELIST_PROPERTY);
    }
}
Also used : ObjectInputStreamWithClassLoader(org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader) FileOutputStream(java.io.FileOutputStream) ObjectOutputStream(java.io.ObjectOutputStream) TestClass1(org.apache.activemq.artemis.tests.unit.util.deserialization.pkg1.TestClass1) File(java.io.File) FileInputStream(java.io.FileInputStream) Test(org.junit.Test)

Example 4 with ObjectInputStreamWithClassLoader

use of org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader in project activemq-artemis by apache.

the class ObjectInputStreamWithClassLoaderTest method readSerializedObject.

private Exception readSerializedObject(String whiteList, String blackList, File serailizeFile) {
    Exception result = null;
    ObjectInputStreamWithClassLoader ois = null;
    try {
        ois = new ObjectInputStreamWithClassLoader(new FileInputStream(serailizeFile));
        ois.setWhiteList(whiteList);
        ois.setBlackList(blackList);
        ois.readObject();
    } catch (Exception e) {
        result = e;
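    } finally {
        // ois is still null if the constructor threw; guard so a
        // NullPointerException does not replace the captured exception
        if (ois != null) {
            try {
                ois.close();
            } catch (IOException e) {
                result = e;
            }
        }
    }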
    return result;
}
Also used : ObjectInputStreamWithClassLoader(org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader) IOException(java.io.IOException) FileInputStream(java.io.FileInputStream)

Example 5 with ObjectInputStreamWithClassLoader

use of org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader in project activemq-artemis by apache.

the class ObjectInputStreamWithClassLoaderTest method testClassLoaderIsolationWithProxy.

@Test
public void testClassLoaderIsolationWithProxy() throws Exception {
    ClassLoader originalClassLoader = Thread.currentThread().getContextClassLoader();
    try {
        AnObject originalProxy = (AnObject) Proxy.newProxyInstance(AnObject.class.getClassLoader(), new Class[] { AnObject.class }, new AnObjectInvocationHandler());
        originalProxy.setMyInt(100);
        byte[] bytes = ObjectInputStreamWithClassLoaderTest.toBytes(originalProxy);
        ClassLoader testClassLoader = ObjectInputStreamWithClassLoaderTest.newClassLoader(this.getClass(), ActiveMQTestBase.class, Assert.class);
        Thread.currentThread().setContextClassLoader(testClassLoader);
        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        ObjectInputStreamWithClassLoader ois = new ObjectInputStreamWithClassLoader(bais);
        Runnable toRun = (Runnable) testClassLoader.loadClass(ProxyReader.class.getName()).newInstance();
        toRun.getClass().getField("ois").set(toRun, ois);
        toRun.getClass().getField("testClassLoader").set(toRun, testClassLoader);
        toRun.getClass().getField("originalProxy").set(toRun, originalProxy);
        toRun.run();
    } finally {
        Thread.currentThread().setContextClassLoader(originalClassLoader);
    }
}
Also used : ObjectInputStreamWithClassLoader(org.apache.activemq.artemis.utils.ObjectInputStreamWithClassLoader) ByteArrayInputStream(java.io.ByteArrayInputStream) URLClassLoader(java.net.URLClassLoader) EnclosingClass(org.apache.activemq.artemis.tests.unit.util.deserialization.pkg1.EnclosingClass) Test(org.junit.Test)
