001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.activemq.util;
018
019import java.io.IOException;
020import java.io.InputStream;
021import java.io.ObjectInputStream;
022import java.io.ObjectStreamClass;
023import java.lang.reflect.Proxy;
024import java.util.Arrays;
025import java.util.Collection;
026import java.util.HashMap;
027import java.util.Map;
028
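/**
 * An {@link ObjectInputStream} that resolves classes through the thread's context
 * class loader (falling back to this class's own loader) and refuses to resolve
 * any class whose package is not on a configured allow-list.
 *
 * <p>The allow-list is read once, when this class is initialised, from the
 * {@code org.apache.activemq.SERIALIZABLE_PACKAGES} system property as a
 * comma-separated list of package names. A class is accepted when its package is
 * equal to an entry or lies beneath it (so {@code java.lang} also covers
 * {@code java.lang.reflect}). The single entry {@code *} disables the check.
 * Entries are trimmed, because an entry with surrounding whitespace can never
 * match a real package name and would otherwise be silently dead.
 *
 * <p>The check runs on the name taken from the stream <em>before</em> the class is
 * loaded, so a stream naming a class outside the allow-list never causes that
 * class (or its supertypes) to be loaded at all. Array types are checked by their
 * element type, primitive types are always accepted, and a class in the unnamed
 * (default) package has no package to match and is therefore rejected unless
 * {@code *} is configured. For dynamic proxies every interface named by the
 * stream is checked as well as the generated proxy class itself.
 */
public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {

    /** System property that holds the comma-separated package allow-list. */
    private static final String SERIALIZABLE_PACKAGES_PROPERTY = "org.apache.activemq.SERIALIZABLE_PACKAGES";

    /** Allow-list used when the system property is not set. */
    private static final String DEFAULT_SERIALIZABLE_PACKAGES =
        "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper";

    /** Loader tried when the thread's context class loader cannot resolve a name. */
    private static final ClassLoader FALLBACK_CLASS_LOADER =
        ClassLoadingAwareObjectInputStream.class.getClassLoader();

    /**
     * The configured package allow-list, one trimmed, non-empty entry per element.
     * Exposed as a public array for compatibility; callers must treat it as read-only,
     * since any modification directly changes what this stream will deserialize.
     */
    public static final String[] serializablePackages;

    static {
        serializablePackages = parsePackages(
            System.getProperty(SERIALIZABLE_PACKAGES_PROPERTY, DEFAULT_SERIALIZABLE_PACKAGES));
    }

    /**
     * Maps primitive type names, as they appear in a stream's class descriptor
     * (for example when {@code int.class} was serialized), to their class objects.
     * {@link Class#forName} cannot resolve these names.
     */
    private static final Map<String, Class<?>> primClasses = new HashMap<String, Class<?>>();

    static {
        primClasses.put("boolean", boolean.class);
        primClasses.put("byte", byte.class);
        primClasses.put("char", char.class);
        primClasses.put("short", short.class);
        primClasses.put("int", int.class);
        primClasses.put("long", long.class);
        primClasses.put("float", float.class);
        primClasses.put("double", double.class);
        primClasses.put("void", void.class);
    }

    /**
     * Creates a stream that reads serialized objects from {@code in}.
     *
     * @param in the underlying stream; the serialization header is read immediately
     * @throws IOException if the stream header cannot be read
     */
    public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Resolves a non-proxy class descriptor. The name from the stream is checked
     * against the allow-list first, so a forbidden class is never loaded; it is
     * then resolved through the context class loader with a fallback to this
     * class's own loader.
     *
     * @param classDesc the descriptor read from the stream
     * @return the resolved class
     * @throws ClassNotFoundException if the class is not on the allow-list or cannot be found
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
        String className = classDesc.getName();
        checkSecurity(className);
        return load(className, Thread.currentThread().getContextClassLoader());
    }

    /**
     * Resolves a dynamic proxy descriptor. Every interface named by the stream is
     * gated by the allow-list before it is loaded, and the generated proxy class
     * (which lives in a package chosen by the JDK) is gated as well.
     *
     * @param interfaces the binary names of the interfaces the proxy implements
     * @return the proxy class
     * @throws ClassNotFoundException if an interface or the proxy class is not on the
     *         allow-list, an interface cannot be found, or neither loader can define the proxy
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
        Class<?>[] resolved = new Class<?>[interfaces.length];
        for (int i = 0; i < interfaces.length; i++) {
            // Each interface is part of the proxy's type: check it before loading it.
            checkSecurity(interfaces[i]);
            resolved[i] = load(interfaces[i], contextLoader);
        }

        Class<?> proxyClass;
        try {
            proxyClass = Proxy.getProxyClass(contextLoader, resolved);
        } catch (IllegalArgumentException contextFailure) {
            // The context loader cannot see every interface; retry with our own loader.
            try {
                proxyClass = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, resolved);
            } catch (IllegalArgumentException fallbackFailure) {
                throw new ClassNotFoundException(
                    "Unable to create a proxy class for interfaces " + Arrays.toString(interfaces),
                    fallbackFailure);
            }
        }

        checkSecurity(proxyClass.getName());
        return proxyClass;
    }

    /**
     * Tells whether the allow-list has been disabled with the single entry {@code *}.
     *
     * @return {@code true} when every class is allowed
     */
    public static boolean isAllAllowed() {
        return serializablePackages.length == 1 && "*".equals(serializablePackages[0]);
    }

    /**
     * Rejects {@code className} unless it is a primitive, an array of primitives,
     * or its (element) package is on the allow-list.
     *
     * @param className the binary name as found in the stream, e.g. {@code foo.Bar},
     *        {@code [Lfoo.Bar;} or {@code int}
     * @throws ClassNotFoundException if the class is not allowed to be deserialized
     */
    private static void checkSecurity(String className) throws ClassNotFoundException {
        if (isAllAllowed()) {
            return;
        }
        String elementType = elementTypeName(className);
        if (elementType == null || primClasses.containsKey(elementType)) {
            return; // primitives carry no package and are always safe
        }
        // A default-package class yields "" here and matches no entry: rejected.
        String packageName = packageOf(elementType);
        for (String allowed : serializablePackages) {
            if (packageName.equals(allowed) || packageName.startsWith(allowed + ".")) {
                return;
            }
        }
        throw new ClassNotFoundException("Forbidden " + className
            + "! This class is not allowed to be serialized. Add package with '"
            + SERIALIZABLE_PACKAGES_PROPERTY + "' system property.");
    }

    /**
     * Strips array dimensions from a binary class name.
     *
     * @return the element type's name for array names ({@code [[Lfoo.Bar;} gives
     *         {@code foo.Bar}), the name unchanged for non-arrays, or {@code null}
     *         when the element type is a primitive ({@code [I}). A malformed array
     *         descriptor is returned as-is so that the package check rejects it.
     */
    private static String elementTypeName(String className) {
        int dimensions = 0;
        while (dimensions < className.length() && className.charAt(dimensions) == '[') {
            dimensions++;
        }
        if (dimensions == 0) {
            return className;
        }
        String descriptor = className.substring(dimensions);
        if (descriptor.length() == 1 && "ZBCSIJFD".indexOf(descriptor.charAt(0)) >= 0) {
            return null;
        }
        if (descriptor.length() > 2 && descriptor.charAt(0) == 'L' && descriptor.endsWith(";")) {
            return descriptor.substring(1, descriptor.length() - 1);
        }
        return descriptor;
    }

    /**
     * Returns the package part of a binary class name, or {@code ""} for a class
     * in the unnamed package. Nested classes ({@code a.b.C$D}) resolve to {@code a.b}.
     */
    private static String packageOf(String binaryName) {
        int lastDot = binaryName.lastIndexOf('.');
        return lastDot < 0 ? "" : binaryName.substring(0, lastDot);
    }

    /**
     * Splits the allow-list property on commas, trimming each entry and dropping
     * empty ones (a leading comma or stray whitespace must not create entries
     * that can never match).
     */
    private static String[] parsePackages(String property) {
        String[] rawEntries = property.split(",");
        String[] cleaned = new String[rawEntries.length];
        int count = 0;
        for (String entry : rawEntries) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                cleaned[count++] = trimmed;
            }
        }
        return Arrays.copyOf(cleaned, count);
    }

    /**
     * Loads {@code className} without running its static initialisers, first through
     * {@code cl}, then (for names such as {@code int}) through the primitive table,
     * and finally through this class's own loader.
     *
     * @throws ClassNotFoundException if no loader can find the class
     */
    private static Class<?> load(String className, ClassLoader cl) throws ClassNotFoundException {
        try {
            return Class.forName(className, false, cl);
        } catch (ClassNotFoundException notInContextLoader) {
            Class<?> primitive = primClasses.get(className);
            if (primitive != null) {
                return primitive;
            }
            return Class.forName(className, false, FALLBACK_CLASS_LOADER);
        }
    }
}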