1   /*
2    * Copyright 2012 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.codec.serialization;
17  
18  import io.netty.buffer.ByteBuf;
19  import io.netty.buffer.ByteBufInputStream;
20  import io.netty.channel.ChannelHandlerContext;
21  import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
22  
23  import java.io.ObjectInputStream;
24  import java.io.ObjectOutputStream;
25  import java.io.StreamCorruptedException;
26  
27  /**
28   * A decoder which deserializes the received {@link ByteBuf}s into Java
29   * objects.
30   * <p>
31   * Please note that the serialized form this decoder expects is not
32   * compatible with the standard {@link ObjectOutputStream}.  Please use
33   * {@link ObjectEncoder} or {@link ObjectEncoderOutputStream} to ensure the
34   * interoperability with this decoder.
35   * <p>
36   * <strong>Security:</strong> serialization can be a security liability,
37   * and should not be used without defining a list of classes that are
38   * allowed to be deserialized. Such a list can be specified with the
39   * <tt>jdk.serialFilter</tt> system property, for instance.
40   * See the <a href="https://docs.oracle.com/en/java/javase/17/core/serialization-filtering1.html">
41   * serialization filtering</a> article for more information.
42   *
43   * @deprecated This class has been deprecated with no replacement,
44   * because serialization can be a security liability
45   */
46  @Deprecated
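public class ObjectDecoder extends LengthFieldBasedFrameDecoder {

    private final ClassResolver classResolver;

    /**
     * Creates a new decoder whose maximum object size is {@code 1048576}
     * bytes.  If the size of the received object is greater than
     * {@code 1048576} bytes, a {@link StreamCorruptedException} will be
     * raised.
     *
     * @param classResolver  the {@link ClassResolver} to use for this decoder
     */
    public ObjectDecoder(ClassResolver classResolver) {
        this(1048576, classResolver);
    }

    /**
     * Creates a new decoder with the specified maximum object size.
     *
     * @param maxObjectSize  the maximum byte length of the serialized object.
     *                       if the length of the received object is greater
     *                       than this value, {@link StreamCorruptedException}
     *                       will be raised.
     * @param classResolver    the {@link ClassResolver} which will load the class
     *                       of the serialized object
     */
    public ObjectDecoder(int maxObjectSize, ClassResolver classResolver) {
        // Frame layout: a 4-byte length field at offset 0, no adjustment, and
        // the 4 length bytes are stripped before the payload reaches decode().
        super(maxObjectSize, 0, 4, 0, 4);
        this.classResolver = classResolver;
    }

    /**
     * Extracts the next length-prefixed frame from {@code in} and deserializes
     * it into a Java object.
     *
     * @param ctx  the context this decoder belongs to
     * @param in   the cumulative inbound buffer
     * @return the deserialized object, or {@code null} if a complete frame has
     *         not yet been received
     * @throws Exception if the frame cannot be deserialized; the extracted
     *         frame is closed (and thus released) whether or not this happens
     */
    @Override
    protected Object decode(ChannelHandlerContext ctx, ByteBuf in) throws Exception {
        ByteBuf frame = (ByteBuf) super.decode(ctx, in);
        if (frame == null) {
            return null;
        }

        // releaseOnClose = true: closing the stream releases the frame.
        ByteBufInputStream bin = new ByteBufInputStream(frame, true);
        ObjectInputStream ois = null;
        try {
            // The ObjectInputStream constructor reads and validates the stream
            // header, so it can throw before 'ois' is ever assigned.
            ois = new CompactObjectInputStream(bin, classResolver);
            // Deserializes whatever class the ClassResolver can load from the
            // peer-supplied frame; restrict the allowed classes with a
            // serialization filter as described in the class Javadoc.
            return ois.readObject();
        } finally {
            if (ois != null) {
                ois.close();
            } else {
                // Construction failed: close the underlying stream directly so
                // the frame is released rather than leaked.
                bin.close();
            }
        }
    }
}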