Search in sources :

Example 1 with ObjectInputFilter

use of sun.misc.ObjectInputFilter in project jdk8u_jdk by JetBrains.

the class GlobalFilterTest method setGlobalFilter.

/**
     * If the Global filter is already set, it should always refuse to be
     * set again.
     * If there is a security manager, setting the serialFilter should fail
     * without the appropriate permission.
     * If there is no security manager then setting it should work.
     */
@Test()
static void setGlobalFilter() {
    SecurityManager sm = System.getSecurityManager();
    ObjectInputFilter filter = new SerialFilterTest.Validator();
    ObjectInputFilter global = ObjectInputFilter.Config.getSerialFilter();
    if (global != null) {
        // once set, can never be re-set
        try {
            ObjectInputFilter.Config.setSerialFilter(filter);
            Assert.fail("set only once process-wide filter");
        } catch (IllegalStateException ise) {
            if (sm != null) {
                Assert.fail("wrong exception when security manager is set", ise);
            }
        } catch (SecurityException se) {
            if (sm == null) {
                Assert.fail("wrong exception when security manager is not set", se);
            }
        }
    } else {
        if (sm == null) {
            // no security manager
            try {
                ObjectInputFilter.Config.setSerialFilter(filter);
                // Note once set, it can not be reset; so other tests
                System.out.printf("Global Filter set to Validator%n");
            } catch (SecurityException se) {
                Assert.fail("setGlobalFilter should not get SecurityException", se);
            }
            try {
                // Try to set it again, expecting it to throw
                ObjectInputFilter.Config.setSerialFilter(filter);
                Assert.fail("set only once process-wide filter");
            } catch (IllegalStateException ise) {
            // Normal case
            }
        } else {
            // Security manager
            SecurityException expectSE = null;
            try {
                sm.checkPermission(new SerializablePermission("serialFilter"));
            } catch (SecurityException se1) {
                expectSE = se1;
            }
            SecurityException actualSE = null;
            try {
                ObjectInputFilter.Config.setSerialFilter(filter);
            } catch (SecurityException se2) {
                actualSE = se2;
            }
            if (expectSE == null | actualSE == null) {
                Assert.assertEquals(expectSE, actualSE, "SecurityException");
            } else {
                Assert.assertEquals(expectSE.getClass(), actualSE.getClass(), "SecurityException class");
            }
        }
    }
}
Also used : ObjectInputFilter(sun.misc.ObjectInputFilter) SerializablePermission(java.io.SerializablePermission) Test(org.testng.annotations.Test)

Example 2 with ObjectInputFilter

use of sun.misc.ObjectInputFilter in project jdk8u_jdk by JetBrains.

the class MixedFiltersTest method testRejectedInGlobal.

/**
     * Test:
     *   "global filter reject" + "specific ObjectInputStream filter is empty" => should reject
     *   "global filter reject" + "specific ObjectInputStream filter allow"    => should allow
     */
@Test(dataProvider = "RejectedInGlobal")
public void testRejectedInGlobal(Object toDeserialized, String pattern) throws Exception {
    byte[] bytes = SerialFilterTest.writeObjects(toDeserialized);
    try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        ObjectInputStream ois = new ObjectInputStream(bais)) {
        Object o = ois.readObject();
        fail("filter should have thrown an exception");
    } catch (InvalidClassException expected) {
    }
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
    try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        ObjectInputStream ois = new ObjectInputStream(bais)) {
        ObjectInputFilter.Config.setObjectInputFilter(ois, filter);
        Object o = ois.readObject();
    }
}
Also used : ObjectInputFilter(sun.misc.ObjectInputFilter) ByteArrayInputStream(java.io.ByteArrayInputStream) InvalidClassException(java.io.InvalidClassException) ObjectInputStream(java.io.ObjectInputStream) Test(org.testng.annotations.Test)

Example 3 with ObjectInputFilter

use of sun.misc.ObjectInputFilter in project jdk8u_jdk by JetBrains.

the class SerialFilterTest method testEmptyPattern.

/**
     * Test that Config.create returns null if the argument does not contain any patterns or limits.
     */
@Test()
static void testEmptyPattern() {
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("");
    Assert.assertNull(filter, "empty pattern did not return null");
    filter = ObjectInputFilter.Config.createFilter(";;;;");
    Assert.assertNull(filter, "pattern with only delimiters did not return null");
}
Also used : ObjectInputFilter(sun.misc.ObjectInputFilter) Test(org.testng.annotations.Test)

Example 4 with ObjectInputFilter

use of sun.misc.ObjectInputFilter in project jdk8u_jdk by JetBrains.

the class SerialFilterTest method testLimits.

/**
     * Test repeated limits use the last value.
     * Construct a filter with the limit and the limit repeated -1.
     * Invoke the filter with the limit to make sure it is rejected.
     * Invoke the filter with the limit -1 to make sure it is accepted.
     * @param name the name of the limit to test
     * @param value a test value
     */
@Test(dataProvider = "Limits")
static void testLimits(String name, int value) {
    Class<?> arrayClass = new int[0].getClass();
    String pattern = String.format("%s=%d;%s=%d", name, value, name, value - 1);
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
    Assert.assertEquals(filter.checkInput(new FilterValues(arrayClass, value, value, value, value)), ObjectInputFilter.Status.REJECTED, "last limit value not used: " + filter);
    Assert.assertEquals(filter.checkInput(new FilterValues(arrayClass, value - 1, value - 1, value - 1, value - 1)), ObjectInputFilter.Status.UNDECIDED, "last limit value not used: " + filter);
}
Also used : ObjectInputFilter(sun.misc.ObjectInputFilter) Test(org.testng.annotations.Test)

Example 5 with ObjectInputFilter

use of sun.misc.ObjectInputFilter in project jdk8u_jdk by JetBrains.

the class DGCImpl method initDgcFilter.

/**
     * Initialize the dgcFilter from the security properties or system property; if any
     * @return an ObjectInputFilter, or null
     */
private static ObjectInputFilter initDgcFilter() {
    ObjectInputFilter filter = null;
    String props = System.getProperty(DGC_FILTER_PROPNAME);
    if (props == null) {
        props = Security.getProperty(DGC_FILTER_PROPNAME);
    }
    if (props != null) {
        filter = ObjectInputFilter.Config.createFilter(props);
        if (dgcLog.isLoggable(Log.BRIEF)) {
            dgcLog.log(Log.BRIEF, "dgcFilter = " + filter);
        }
    }
    return filter;
}
Also used : ObjectInputFilter(sun.misc.ObjectInputFilter)

Aggregations

ObjectInputFilter (sun.misc.ObjectInputFilter)11 Test (org.testng.annotations.Test)8 ByteArrayInputStream (java.io.ByteArrayInputStream)4 InvalidClassException (java.io.InvalidClassException)4 ObjectInputStream (java.io.ObjectInputStream)4 IOException (java.io.IOException)2 EOFException (java.io.EOFException)1 SerializablePermission (java.io.SerializablePermission)1 Log (sun.rmi.runtime.Log)1