Skip to content

Commit ee4ce5f

Browse files
committed
IO-487 - demonstrate blacklist-only in MoreComplexObjectTest
git-svn-id: https://svn.apache.org/repos/asf/commons/proper/io/trunk@1715263 13f79535-47bb-0310-9956-ffa450edef68
1 parent a9159ab commit ee4ce5f

1 file changed

Lines changed: 46 additions & 17 deletions

File tree

src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java

Lines changed: 46 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -29,32 +29,61 @@
2929
import java.util.ArrayList;
3030
import java.util.Random;
3131

32+
import org.junit.Before;
3233
import org.junit.Test;
3334

34-
/** Test deserializing our {@link MoreComplexObject} to verify
35-
* which settings it requires, as the object uses a number
36-
* of primitive and java.* member objects.
35+
/** This is more an example than a test - deserialize our {@link MoreComplexObject}
36+
* to verify which settings it requires, as the object uses a number of primitive
37+
* and java.* member objects.
3738
*/
3839
public class MoreComplexObjectTest extends ClosingBase {
3940

40-
@Test
41-
public void serializeAndCheck() throws IOException, ClassNotFoundException {
42-
final MoreComplexObject original = new MoreComplexObject();
41+
private InputStream inputStream;
42+
private MoreComplexObject original;
43+
44+
@Before
45+
public void setup() throws IOException {
46+
original = new MoreComplexObject();
4347
final ByteArrayOutputStream bos = willClose(new ByteArrayOutputStream());
4448
final ObjectOutputStream oos = willClose(new ObjectOutputStream(bos));
4549
oos.writeObject(original);
46-
47-
final InputStream is = willClose(new ByteArrayInputStream(bos.toByteArray()));
48-
49-
// Having to specify all the MoreComplexObject member classes like
50-
// this is a bit painful - we might create a utility that analyzes the
51-
// class members and accepts their classes
52-
final ObjectInputStream ois = willClose(
53-
new ValidatingObjectInputStream(is)
54-
.accept(MoreComplexObject.class, ArrayList.class, Integer[].class, Random.class)
55-
.accept("java.lang.*")
56-
);
50+
inputStream = willClose(new ByteArrayInputStream(bos.toByteArray()));
51+
}
52+
53+
private void assertSerialization(ObjectInputStream ois) throws ClassNotFoundException, IOException {
5754
final MoreComplexObject copy = (MoreComplexObject) (ois.readObject());
5855
assertEquals("Expecting same data after deserializing", original.toString(), copy.toString());
5956
}
57+
58+
/** Having to specify all the MoreComplexObject member classes like
59+
* this is a bit painful - we might need a utility that analyzes the
60+
* class members and accepts their classes. On the other hand this gives
61+
* a precise view of what's accepted (assuming we trust java.lang.*).
62+
*/
63+
@Test
64+
public void specifyAllAccepts() throws IOException, ClassNotFoundException {
65+
assertSerialization(willClose(
66+
new ValidatingObjectInputStream(inputStream)
67+
.accept(MoreComplexObject.class, ArrayList.class, Integer[].class, Random.class)
68+
.accept("java.lang.*")
69+
));
70+
}
71+
72+
/** An alternative is to accept everything but reject specific classes.
73+
* That's not as safe as it's hard to get an exhaustive blacklist.
74+
*/
75+
@Test
76+
public void useBlacklist() throws IOException, ClassNotFoundException {
77+
final String [] blacklist = {
78+
"org.apache.commons.collections.functors.InvokerTransformer",
79+
"org.codehaus.groovy.runtime.ConvertedClosure",
80+
"org.codehaus.groovy.runtime.MethodClosure",
81+
"org.springframework.beans.factory.ObjectFactory"
82+
};
83+
assertSerialization(willClose(
84+
new ValidatingObjectInputStream(inputStream)
85+
.accept("*")
86+
.reject(blacklist)
87+
));
88+
}
6089
}

0 commit comments

Comments
 (0)