added "acceptProxyClasses" flag to RemoteInvocationSerializingExporter

git-svn-id: https://src.springframework.org/svn/spring-framework/trunk@4749 50f2f4bb-b051-0410-bef5-90022cba6387

org.springframework.context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -82,6 +82,22 @@ public class CodebaseAwareObjectInputStream extends ConfigurableObjectInputStrea
 		this.codebaseUrl = codebaseUrl;
 	}
 
+	/**
+	 * Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
+	 * @param in the InputStream to read from
+	 * @param classLoader the ClassLoader to use for loading local classes
+	 * (may be <code>null</code> to indicate RMI's default ClassLoader)
+	 * @param acceptProxyClasses whether to accept deserialization of proxy classes
+	 * (may be deactivated as a security measure)
+	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
+	 */
+	public CodebaseAwareObjectInputStream(
+			InputStream in, ClassLoader classLoader, boolean acceptProxyClasses) throws IOException {
+
+		super(in, classLoader, acceptProxyClasses);
+		this.codebaseUrl = null;
+	}
+
 
 	@Override
 	protected Class resolveFallbackIfPossible(String className, ClassNotFoundException ex)

org.springframework.context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -57,6 +57,8 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
 
 	private String contentType = CONTENT_TYPE_SERIALIZED_OBJECT;
 
+	private boolean acceptProxyClasses = true;
+
 	private Object proxy;
 
 
@@ -76,6 +78,21 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
 		return this.contentType;
 	}
 
+	/**
+	 * Set whether to accept deserialization of proxy classes.
+	 * <p>Default is "true". May be deactivated as a security measure.
+	 */
+	public void setAcceptProxyClasses(boolean acceptProxyClasses) {
+		this.acceptProxyClasses = acceptProxyClasses;
+	}
+
+	/**
+	 * Return whether to accept deserialization of proxy classes.
+	 */
+	public boolean isAcceptProxyClasses() {
+		return this.acceptProxyClasses;
+	}
+
 
 	public void afterPropertiesSet() {
 		prepare();
@@ -102,7 +119,7 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
 	 * @throws java.io.IOException if creation of the ObjectInputStream failed
 	 */
 	protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
-		return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), null);
+		return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), isAcceptProxyClasses());
 	}
 
 	/**

org.springframework.core/src/main/java/org/springframework/core/ConfigurableObjectInputStream.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 the original author or authors.
+ * Copyright 2002-2011 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ package org.springframework.core;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.NotSerializableException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.lang.reflect.Proxy;
@@ -36,6 +37,8 @@ public class ConfigurableObjectInputStream extends ObjectInputStream {
 
 	private final ClassLoader classLoader;
 
+	private final boolean acceptProxyClasses;
+
 
 	/**
 	 * Create a new ConfigurableObjectInputStream for the given InputStream and ClassLoader.
@@ -44,8 +47,23 @@ public class ConfigurableObjectInputStream extends ObjectInputStream {
 	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
 	 */
 	public ConfigurableObjectInputStream(InputStream in, ClassLoader classLoader) throws IOException {
+		this(in, classLoader, true);
+	}
+
+	/**
+	 * Create a new ConfigurableObjectInputStream for the given InputStream and ClassLoader.
+	 * @param in the InputStream to read from
+	 * @param classLoader the ClassLoader to use for loading local classes
+	 * @param acceptProxyClasses whether to accept deserialization of proxy classes
+	 * (may be deactivated as a security measure)
+	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
+	 */
+	public ConfigurableObjectInputStream(
+			InputStream in, ClassLoader classLoader, boolean acceptProxyClasses) throws IOException {
+
 		super(in);
 		this.classLoader = classLoader;
+		this.acceptProxyClasses = acceptProxyClasses;
 	}
 
 
@@ -68,6 +86,9 @@ public class ConfigurableObjectInputStream extends ObjectInputStream {
 
 	@Override
 	protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
+		if (!this.acceptProxyClasses) {
+			throw new NotSerializableException("Not allowed to accept serialized proxy classes");
+		}
 		if (this.classLoader != null) {
 			// Use the specified ClassLoader to resolve local proxy classes.
 			Class[] resolvedInterfaces = new Class[interfaces.length];