Package org.apache.avro.util
Class ClassSecurityValidator
java.lang.Object
org.apache.avro.util.ClassSecurityValidator
Validates that a class is trusted to be included in Avro schemas. To be used
by
ClassUtils which therefore automatically guards not only the
loading of the classes but, since the class names are translated into
Class objects by using ClassUtils, also guards any other
reflection-based mechanisms (e.g. instantiation, setting internal variables).- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classstatic interfaceA predicate that checks if a class is trusted to be included in Avro schemas.static class -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final ClassSecurityValidator.ClassSecurityPredicateThe default predicate that uses both the system properties and the hard-coded trusted classes.static final ClassSecurityValidator.ClassSecurityPredicateA couple of trusted classes that are safe to be loaded, instantiated with any constructors or alter any internals via reflection.static final ClassSecurityValidator.ClassSecurityPredicateThe predicate that uses the system properties "org.apache.avro.SERIALIZABLE_CLASSES" and "org.apache.avro.SERIALIZABLE_PACKAGES". -
Method Summary
Modifier and TypeMethodDescriptionbuilder()Creates a builder for aClassSecurityValidatorthat validates the trusted classes by whitelisting their names.composite(ClassSecurityValidator.ClassSecurityPredicate... validators) Creates a compositeClassSecurityValidatorthat delegates to the given validators.Returns the globalClassSecurityValidator.ClassSecurityPredicatethat is used byClassUtilsto validate the trusted classes.static voidSets the globalClassSecurityValidator.ClassSecurityPredicatethat is used byClassUtilsto validate the trusted classes.static voidValidates that the class is trusted to be included in Avro schemas.
-
Field Details
-
DEFAULT_TRUSTED_CLASSES
A couple of trusted classes that are safe to be loaded, instantiated with any constructors or alter any internals via reflection. -
SYSTEM_PROPERTIES
The predicate that uses the system properties "org.apache.avro.SERIALIZABLE_CLASSES" and "org.apache.avro.SERIALIZABLE_PACKAGES". -
DEFAULT
The default predicate that uses both the system properties and the hard-coded trusted classes.- See Also:
-
-
Method Details
-
validate
Validates that the class is trusted to be included in Avro schemas.Note: this method shall be invoked with un-initialized classes only to prevent any potential security issues the initialization may trigger.
- Parameters:
clazz- the class to validate- Throws:
SecurityException- if the class is not trusted
-
setGlobal
Sets the globalClassSecurityValidator.ClassSecurityPredicatethat is used byClassUtilsto validate the trusted classes.- Parameters:
validator- the validator to use
-
getGlobal
Returns the globalClassSecurityValidator.ClassSecurityPredicatethat is used byClassUtilsto validate the trusted classes.- Returns:
- the global validator
-
builder
Creates a builder for aClassSecurityValidatorthat validates the trusted classes by whitelisting their names. Note: no parent validator is used.- Returns:
- a new
ClassSecurityValidatorbuilder
-
composite
public static ClassSecurityValidator.ClassSecurityPredicate composite(ClassSecurityValidator.ClassSecurityPredicate... validators) Creates a compositeClassSecurityValidatorthat delegates to the given validators.- Parameters:
validators- the validators to delegate to- Returns:
- a new
ClassSecurityValidatorthat delegates to the given validators
-