Class ObjectInputFilter.Config
- Enclosing interface:
- ObjectInputFilter
ObjectInputFilter.
 The JVM-wide deserialization filter factory and the static JVM-wide filter
 can be configured from system properties during the initialization of the
 ObjectInputFilter.Config class.
 
If the Java virtual machine is started with the system property
 jdk.serialFilter, its value is used to configure the filter.
 If the system property is not defined, and the Security property
 jdk.serialFilter is defined then it is used to configure the filter.
 The filter is created as if createFilter is called,
 if the filter string is invalid the initialization fails and subsequent attempts to
 get the filter, set a filter,
 or create an ObjectInputStream
 throw IllegalStateException. Deserialization is not possible with an
 invalid serial filter.
 If the system property jdk.serialFilter or the Security
 property jdk.serialFilter is not set the filter can be set with
 Config.setSerialFilter.
 Setting the jdk.serialFilter with System.setProperty does not set the filter.
 The syntax for the property value is the same as for the
 createFilter method.
 
 If the Java virtual machine is started with the system property
 jdk.serialFilterFactory or the Security property
 of the same name, its value names the class to configure the JVM-wide deserialization
 filter factory.
 If the system property is not defined, and the Security property
 jdk.serialFilterFactory is defined then it is used to configure the filter factory.
 If it remains unset, the filter factory is a builtin filter factory compatible
 with previous versions.
 
The class must be public, must have a public zero-argument constructor, implement the
 BinaryOperator<ObjectInputFilter> interface, provide its implementation and
 be accessible via the application class loader.
 If the filter factory constructor is not invoked successfully subsequent attempts to
 get the factory,
 set the factory, or create an
 ObjectInputStream
 throw IllegalStateException. Deserialization is not possible with an
 invalid serial filter factory.
 The filter factory configured using the system or security property during initialization
 can NOT be replaced with Config.setSerialFilterFactory.
 This ensures that a filter factory set on the command line is not overridden accidentally
 or intentionally by the application.
 
Setting the jdk.serialFilterFactory with System.setProperty does not set the filter factory.
 The syntax for the system property value and security property value is the
 fully qualified class name of the deserialization filter factory.
- Since:
- 9
- 
Method SummaryModifier and TypeMethodDescriptionstatic ObjectInputFiltercreateFilter(String pattern) Returns an ObjectInputFilter from a string of patterns.static ObjectInputFilterReturns the static JVM-wide deserialization filter ornullif not configured.static BinaryOperator<ObjectInputFilter> Returns the JVM-wide deserialization filter factory.static voidsetSerialFilter(ObjectInputFilter filter) Set the static JVM-wide filter if it has not already been configured or set.static voidsetSerialFilterFactory(BinaryOperator<ObjectInputFilter> filterFactory) 
- 
Method Details- 
getSerialFilterReturns the static JVM-wide deserialization filter ornullif not configured.- Returns:
- the static JVM-wide deserialization filter or nullif not configured
- Throws:
- IllegalStateException- if the initialization of the filter from the system property- jdk.serialFilteror the security property- jdk.serialFilterfails.
 
- 
setSerialFilterSet the static JVM-wide filter if it has not already been configured or set.- Parameters:
- filter- the deserialization filter to set as the JVM-wide filter; not null
- Throws:
- IllegalStateException- if the filter has already been set or the initialization of the filter from the system property- jdk.serialFilteror the security property- jdk.serialFilterfails.
 
- 
getSerialFilterFactoryReturns the JVM-wide deserialization filter factory. If the filter factory has been set it is returned, otherwise, a builtin deserialization filter factory is returned. The filter factory provides a filter for every ObjectInputStream when invoked from ObjectInputStream constructors and when a stream-specific filter is set withsetObjectInputFilter.- Implementation Requirements:
- The builtin deserialization filter factory provides the
 static JVM-wide filter when invoked from
 ObjectInputStream constructors.
 When invoked to set the stream-specific filterthe requested filter replaces the static JVM-wide filter, unless it has already been set. The builtin deserialization filter factory implements the behavior of earlier versions of setting the initial filter in theObjectInputStreamconstructor andObjectInputStream.setObjectInputFilter(java.io.ObjectInputFilter).
- Returns:
- the JVM-wide deserialization filter factory; non-null
- Throws:
- IllegalStateException- if the filter factory initialization is incomplete
- Since:
- 17
 
- 
setSerialFilterFactorySet the JVM-wide deserialization filter factory. The filter factory can be configured exactly once with one of: setting thejdk.serialFilterFactoryproperty on the command line, setting thejdk.serialFilterFactoryproperty in theSecurityfile, or using thissetSerialFilterFactorymethod. The filter factory can be set only before anyObjectInputStreamhas been created to avoid any inconsistency in which filter factory is being used.The JVM-wide filter factory is invoked when an ObjectInputStream is constructed and when the stream-specific filter is set. The parameters are the current filter and a requested filter and it returns the filter to be used for the stream. If the current filter is non-null, the filter factory must return anon-nullfilter; this is to prevent unintentional disabling of filtering after it has been enabled. The factory determines the filter to be used forObjectInputStreamstreams based on its inputs, any other filters, context, or state that is available. The factory may throw runtime exceptions to signal incorrect use or invalid parameters. See the filter models for examples of composition and delegation.- Parameters:
- filterFactory- the deserialization filter factory to set as the JVM-wide filter factory; not null
- Throws:
- IllegalStateException- if the builtin deserialization filter factory has already been replaced or any instance of- ObjectInputStreamhas been created.
- Since:
- 17
 
- 
createFilterReturns an ObjectInputFilter from a string of patterns.Patterns are separated by ";" (semicolon). Whitespace is significant and is considered part of the pattern. If a pattern includes an equals assignment, " =" it sets a limit. If a limit appears more than once the last value is used.- maxdepth=value- the maximum depth of a graph
- maxrefs=value- the maximum number of internal references
- maxbytes=value- the maximum number of bytes in the input stream
- maxarray=value- the maximum array length allowed
 Other patterns match or reject class or package name as returned from Class.getName()and if an optional module name is presentclass.getModule().getName(). Note that for arrays the element type is used in the pattern, not the array type.- If the pattern starts with "!", the class is rejected if the remaining pattern is matched; otherwise the class is allowed if the pattern matches.
- If the pattern contains "/", the non-empty prefix up to the "/" is the module name; if the module name matches the module name of the class then the remaining pattern is matched with the class name. If there is no "/", the module name is not compared.
- If the pattern ends with ".**" it matches any class in the package and all subpackages.
- If the pattern ends with ".*" it matches any class in the package.
- If the pattern ends with "*", it matches any class with the pattern as a prefix.
- If the pattern is equal to the class name, it matches.
- Otherwise, the pattern is not matched.
 The resulting filter performs the limit checks and then tries to match the class, if any. If any of the limits are exceeded, the filter returns Status.REJECTED. If the class is an array type, the class to be matched is the element type. Arrays of any number of dimensions are treated the same as the element type. For example, a pattern of "!example.Foo", rejects creation of any instance or array ofexample.Foo. The first pattern that matches, working from left to right, determines theStatus.ALLOWEDorStatus.REJECTEDresult. If the limits are not exceeded and no pattern matches the class, the result isStatus.UNDECIDED.- Parameters:
- pattern- the pattern string to parse; not null
- Returns:
- a filter to check a class being deserialized;
          nullif no patterns
- Throws:
- IllegalArgumentException- if the pattern string is illegal or malformed and cannot be parsed. In particular, if any of the following is true:- if a limit is missing the name or the name is not one of "maxdepth", "maxrefs", "maxbytes", or "maxarray"
-    if the value of the limit can not be parsed by
        Long.parseLongor is negative
- if the pattern contains "/" and the module name is missing or the remaining pattern is empty
- if the package is missing for ".*" and ".**"
 
 
- maxdepth=
 
-