Class Serializer

java.lang.Object
    org.jpos.util.Serializer

Java-serialization helpers with deserialization filters that reject known gadget-chain classes and enforce a depth limit.

Constructor Summary

Constructors
    Serializer()
    Utility class; instances carry no state.

Method Summary

Modifier and Type / Method / Description

static ObjectInputStream
    createAllowListObjectInputStream(InputStream in, String... allowedPackages)
    Creates an ObjectInputStream with an allow-list filter that only permits classes matching the specified packages or exact class names.

static ObjectInputStream
    createSafeObjectInputStream(InputStream in)
    Creates an ObjectInputStream with a deserialization filter that rejects known gadget-chain classes and enforces resource limits.

static Object
    deserialize(byte[] b)
    Deserializes the byte array using createSafeObjectInputStream(InputStream).

static <T> T
    deserialize(byte[] b, Class<T> clazz)
    Deserializes the byte array and casts the result to T.

static Map<String,String>
    deserializeStringMap(byte[] buf)
    Inverse of serializeStringMap(Map); only allows JDK collection/string classes.

static byte[]
    serialize(Object obj)
    Serializes obj into a byte array using standard Java serialization.

static <T> T
    serializeDeserialize(T obj)
    Round-trips an object through serialization and back, useful for deep-cloning.

static byte[]
    serializeStringMap(Map<String,String> m)
    Serializes a Map<String,String> using a compact entry-by-entry format.
Constructor Details

Serializer

public Serializer()

Utility class; instances carry no state.

Method Details

createSafeObjectInputStream

public static ObjectInputStream createSafeObjectInputStream(InputStream in) throws IOException

Creates an ObjectInputStream with a deserialization filter that rejects known gadget-chain classes and enforces resource limits.

Parameters:
    in - the underlying input stream
Returns:
    a filtered ObjectInputStream
Throws:
    IOException - if an I/O error occurs

createAllowListObjectInputStream

public static ObjectInputStream createAllowListObjectInputStream(InputStream in, String... allowedPackages) throws IOException

Creates an ObjectInputStream with an allow-list filter that only permits classes matching the specified packages or exact class names.

Parameters:
    in - the underlying input stream
    allowedPackages - package prefixes to allow (e.g. "org.jpos.iso.")
Returns:
    a filtered ObjectInputStream
Throws:
    IOException - if an I/O error occurs
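The allow-list filter whose contract createAllowListObjectInputStream describes, as an added example built on the JDK's own java.io.ObjectInputFilter (Java 9+) rather than on jPOS code, since this page gives the method's signature and not its implementation. The class AllowListDemo and its helpers allowList, serialize and deserialize are this example's own names, not the jPOS methods above; the filter accepts only classes matching the given package prefixes or exact class names, caps nesting depth, and the main method shows one accepted stream and one rejected one.

```java
import java.io.*;
import java.util.*;

// Added example (not jPOS code): an allow-list deserialization filter on the JDK's
// ObjectInputFilter API. Entries ending in "." are package prefixes, others exact class names.
public class AllowListDemo {
    static ObjectInputFilter allowList(long maxDepth, String... allowed) {
        return info -> {
            if (info.depth() > maxDepth) return ObjectInputFilter.Status.REJECTED; // nesting limit
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // size/reference checks only
            while (c.isArray()) c = c.getComponentType();               // judge arrays by element type
            if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
            String name = c.getName();
            for (String a : allowed) {
                if (name.equals(a) || (a.endsWith(".") && name.startsWith(a))) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
            }
            return ObjectInputFilter.Status.REJECTED; // deny by default: no instance of an unlisted class is created
        };
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] b, ObjectInputFilter f) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(b))) {
            ois.setObjectInputFilter(f); // must be installed before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter f = allowList(8, "java.lang.String", "java.util.HashMap");
        Map<String, String> m = new HashMap<>();
        m.put("k", "v");
        System.out.println(deserialize(serialize(m), f)); // {k=v}: HashMap is allow-listed
        try {
            deserialize(serialize(new ArrayList<>(List.of("x"))), f);
        } catch (InvalidClassException e) { // filter status REJECTED: ArrayList is not allow-listed
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejection surfaces as an InvalidClassException from readObject(), which is the signal to log and drop the input; a deny-by-default filter like this is what makes an allow-list safe against classes the author never anticipated.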
serialize

public static byte[] serialize(Object obj) throws IOException

Serializes obj into a byte array using standard Java serialization.

Parameters:
    obj - object to serialize
Returns:
    the serialized byte array
Throws:
    IOException - if writing fails

deserialize

public static Object deserialize(byte[] b) throws IOException, ClassNotFoundException

Deserializes the byte array using createSafeObjectInputStream(InputStream).

Parameters:
    b - serialized bytes
Returns:
    the deserialized object
Throws:
    IOException - if reading fails
    ClassNotFoundException - if a referenced class cannot be loaded

deserialize

public static <T> T deserialize(byte[] b, Class<T> clazz) throws IOException, ClassNotFoundException

Deserializes the byte array and casts the result to T.

Type Parameters:
    T - expected concrete type
Parameters:
    b - serialized bytes
    clazz - expected class (used for the unchecked cast)
Returns:
    the deserialized object
Throws:
    IOException - if reading fails
    ClassNotFoundException - if a referenced class cannot be loaded

serializeDeserialize

public static <T> T serializeDeserialize(T obj) throws IOException, ClassNotFoundException

Round-trips an object through serialization and back, useful for deep-cloning.

Type Parameters:
    T - object type
Parameters:
    obj - object to clone
Returns:
    a fresh deserialized copy of obj
Throws:
    IOException - if serialization fails
    ClassNotFoundException - if a referenced class cannot be loaded

serializeStringMap

public static byte[] serializeStringMap(Map<String,String> m) throws IOException

Serializes a Map<String,String> using a compact entry-by-entry format.

Parameters:
    m - the map to serialize
Returns:
    the serialized byte array
Throws:
    IOException - if writing fails

deserializeStringMap

public static Map<String,String> deserializeStringMap(byte[] buf) throws ClassNotFoundException, IOException

Inverse of serializeStringMap(Map); only allows JDK collection/string classes.

Parameters:
    buf - the serialized bytes
Returns:
    the deserialized map
Throws:
    ClassNotFoundException - if a referenced class cannot be loaded
    IOException - if reading fails