001    /**
002     * Licensed to the Apache Software Foundation (ASF) under one or more
003     * contributor license agreements.  See the NOTICE file distributed with
004     * this work for additional information regarding copyright ownership.
005     * The ASF licenses this file to You under the Apache License, Version 2.0
006     * (the "License"); you may not use this file except in compliance with
007     * the License.  You may obtain a copy of the License at
008     *
009     *      http://www.apache.org/licenses/LICENSE-2.0
010     *
011     * Unless required by applicable law or agreed to in writing, software
012     * distributed under the License is distributed on an "AS IS" BASIS,
013     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     * See the License for the specific language governing permissions and
015     * limitations under the License.
016     */
017    package org.apache.activemq.util;
018    
019    import java.io.IOException;
020    import java.io.InputStream;
021    import java.io.ObjectInputStream;
022    import java.io.ObjectStreamClass;
023    import java.lang.reflect.Proxy;
024    import java.util.Arrays;
025    import java.util.Collection;
026    import java.util.HashMap;
027    import java.util.Map;
028    
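/**
 * An {@link ObjectInputStream} that resolves classes through the thread context class loader
 * (falling back to the loader of this class) and rejects every class whose package is not on
 * the {@link #serializablePackages} allow-list.
 * <p>
 * Security notes for maintainers:
 * <ul>
 *   <li>The allow-list is a narrowing of what a plain {@code ObjectInputStream} would accept,
 *       not a substitute for keeping Java-native deserialization away from untrusted input:
 *       the default list admits all of {@code java.lang} and {@code java.util}, and operators
 *       can widen it (or disable it with {@code *}) via a system property.</li>
 *   <li>Array classes are checked through their innermost component type, since
 *       {@code Class.getPackage()} is {@code null} for arrays and would otherwise let
 *       {@code Forbidden[]} through.</li>
 *   <li>Proxy interfaces named in the stream are checked individually, in addition to the
 *       generated proxy class itself.</li>
 *   <li>Classes in the default (unnamed) package have no package name to match and are still
 *       let through, as in the original check. NOTE(review): consider failing closed here if
 *       no caller relies on it.</li>
 *   <li>On JVMs that provide {@code java.io.ObjectInputFilter}, a process-wide filter is a
 *       useful second layer (e.g. a depth/array-length limit) that this class does not supply.</li>
 * </ul>
 */
public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {

    /** Loader tried when the thread context class loader cannot see a class or proxy interface set. */
    private static final ClassLoader FALLBACK_CLASS_LOADER =
        ClassLoadingAwareObjectInputStream.class.getClassLoader();

    /**
     * Package allow-list consulted by {@code checkSecurity}. Read once, at class initialisation,
     * from the comma-separated {@code org.apache.activemq.SERIALIZABLE_PACKAGES} system property
     * (changes to the property after this class is loaded have no effect). A single entry
     * {@code *} disables the check entirely, see {@link #isAllAllowed()}. Entries are trimmed so
     * that {@code "java.lang, java.util"} does not silently reject everything in {@code java.util}.
     */
    public static final String[] serializablePackages;

    static {
        String[] configured = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES",
            "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
        for (int i = 0; i < configured.length; i++) {
            configured[i] = configured[i].trim();
        }
        serializablePackages = configured;
    }

    /**
     * Maps primitive type names to the corresponding class objects. {@code Class.forName} cannot
     * resolve these names, so they are handled by lookup, mirroring {@code ObjectInputStream}.
     */
    private static final Map<String, Class<?>> primClasses = new HashMap<String, Class<?>>(16, 1.0F);

    static {
        primClasses.put("boolean", boolean.class);
        primClasses.put("byte", byte.class);
        primClasses.put("char", char.class);
        primClasses.put("short", short.class);
        primClasses.put("int", int.class);
        primClasses.put("long", long.class);
        primClasses.put("float", float.class);
        primClasses.put("double", double.class);
        primClasses.put("void", void.class);
    }

    /**
     * Creates a stream that reads serialized objects from {@code in}.
     *
     * @param in the underlying byte stream
     * @throws IOException if the stream header cannot be read
     */
    public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Resolves the class named by a stream descriptor and verifies it against the allow-list.
     *
     * @param classDesc descriptor read from the stream (its name is untrusted input)
     * @return the resolved class
     * @throws ClassNotFoundException if the class cannot be loaded or its package is not allowed
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
        Class<?> clazz = load(classDesc.getName(), Thread.currentThread().getContextClassLoader());
        checkSecurity(clazz);
        return clazz;
    }

    /**
     * Resolves a dynamic proxy class for the interface names found in the stream. Each
     * interface is checked against the allow-list before a proxy class is generated, and the
     * resulting proxy class is checked as well (its package depends on the interfaces'
     * visibility, so the second check alone is not enough once an operator allow-lists the
     * proxy package).
     *
     * @param interfaces interface names read from the stream (untrusted input)
     * @return the proxy class implementing all of the interfaces
     * @throws ClassNotFoundException if an interface cannot be loaded, is not allowed, or no
     *         loader can produce a proxy for the full set
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Class<?>[] cinterfaces = new Class<?>[interfaces.length];
        for (int i = 0; i < interfaces.length; i++) {
            cinterfaces[i] = load(interfaces[i], cl);
            // Reject a forbidden interface before any proxy class is generated for it.
            checkSecurity(cinterfaces[i]);
        }

        Class<?> clazz = null;
        try {
            clazz = Proxy.getProxyClass(cl, cinterfaces);
        } catch (IllegalArgumentException e) {
            try {
                clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
            } catch (IllegalArgumentException ignored) {
                // Neither loader can see every interface; reported below as ClassNotFoundException.
            }
        }

        if (clazz == null) {
            throw new ClassNotFoundException("Unable to create a proxy class for interfaces " + Arrays.toString(interfaces));
        }
        checkSecurity(clazz);
        return clazz;
    }

    /**
     * Tells whether the allow-list has been disabled by configuring exactly one entry, {@code *}.
     *
     * @return true if every class is accepted without a package check
     */
    public static boolean isAllAllowed() {
        return serializablePackages.length == 1 && serializablePackages[0].equals("*");
    }

    /**
     * Rejects {@code clazz} unless it is primitive, in the default package, or in (or below) a
     * package on {@link #serializablePackages}. Arrays are judged by their innermost component
     * type. The package name is derived from the class name rather than {@code getPackage()},
     * which can be {@code null} for arrays and for classes defined by loaders that never
     * register a {@code Package}.
     *
     * @param clazz the class about to be used for deserialization
     * @throws ClassNotFoundException if the class is not allowed
     */
    private void checkSecurity(Class<?> clazz) throws ClassNotFoundException {
        if (isAllAllowed()) {
            return;
        }

        Class<?> target = clazz;
        while (target.isArray()) {
            target = target.getComponentType();
        }
        if (target.isPrimitive()) {
            return;
        }

        String packageName = packageNameOf(target);
        if (packageName == null) {
            // Default package: nothing to match against; kept permissive for compatibility.
            return;
        }

        for (String allowed : serializablePackages) {
            if (packageName.equals(allowed) || packageName.startsWith(allowed + ".")) {
                return;
            }
        }

        throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property.");
    }

    /**
     * Returns the package portion of a (non-array) class's binary name, or {@code null} for a
     * class in the default package.
     */
    private static String packageNameOf(Class<?> clazz) {
        String name = clazz.getName();
        int dot = name.lastIndexOf('.');
        return dot < 0 ? null : name.substring(0, dot);
    }

    /**
     * Loads {@code className} without initializing it (so no static initializer runs on behalf
     * of stream contents), trying {@code cl}, then the primitive-name table, then the fallback
     * loader.
     *
     * @param className binary class name from the stream
     * @param cl first loader to try; {@code null} means the bootstrap loader
     * @return the loaded class
     * @throws ClassNotFoundException if no loader knows the class; the failure from the first
     *         loader is attached as a suppressed exception
     */
    private Class<?> load(String className, ClassLoader cl) throws ClassNotFoundException {
        try {
            return Class.forName(className, false, cl);
        } catch (ClassNotFoundException first) {
            Class<?> prim = primClasses.get(className);
            if (prim != null) {
                return prim;
            }
            try {
                return Class.forName(className, false, FALLBACK_CLASS_LOADER);
            } catch (ClassNotFoundException fallbackFailure) {
                fallbackFailure.addSuppressed(first);
                throw fallbackFailure;
            }
        }
    }
}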