com.thoughtworks.xstream.security.PrimitiveTypePermission Java Examples

/**
 *
 * @return
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

static Object readFromXml(InputStream bufferedInput) throws IOException {
	final XStream xstream = createXStream(false);
	// see http://x-stream.github.io/security.html
	// clear out existing permissions and set own ones
	xstream.addPermission(NoTypePermission.NONE);
	// allow some basics
	xstream.addPermission(NullPermission.NULL);
	xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
	xstream.allowTypesByWildcard(
			new String[] { "java.lang.*", "java.util.*", "java.util.concurrent.*" });
	// allow any type from the same package
	xstream.allowTypesByWildcard(new String[] { PACKAGE_NAME + ".*" });
	final InputStreamReader reader = new InputStreamReader(bufferedInput, XML_CHARSET_NAME);
	try {
		return xstream.fromXML(reader);
	} finally {
		reader.close();
	}
}
 

/**
 * gets an <code>XStream</code> reader. Creates, customizes, and returns
 * <code>XStream</code> for XML serialization
 *
 * @pre <code>XStream</code> package is available @post <code>XStream</code>
 * for XML decoding is returned
 *
 * @return <code>XStream</code> - for XML serialization decoding
 */
public static XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
public default XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
protected XStream getXStream() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);
    

    return xstream;
}
 

/**
 * gets an <code>XStream</code> reader. Creates, customizes, and returns
 * <code>XStream</code> for XML serialization
 *
 * @pre     <code>XStream</code> package is available
 * @post    <code>XStream</code> for XML decoding is returned
 * @return  <code>XStream</code> - for XML serialization decoding
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 * gets an <code>XStream</code> reader. Creates, customizes, and returns
 * <code>XStream</code> for XML serialization
 *
 * @pre     <code>XStream</code> package is available
 * @post    <code>XStream</code> for XML decoding is returned
 * @return  <code>XStream</code> - for XML serialization decoding
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);
    
    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
private XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 * gets an <code>XStream</code> reader. Creates, customizes, and returns
 * <code>XStream</code> for XML serialization
 *
 * @pre <code>XStream</code> package is available @post <code>XStream</code>
 * for XML decoding is returned
 *
 * @return <code>XStream</code> - for XML serialization decoding
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
private XStream getXStreamReader() {
    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 * gets an <code>XStream</code> reader. Creates, customizes, and returns
 * <code>XStream</code> for XML serialization
 *
 * @pre <code>XStream</code> package is available @post <code>XStream</code>
 * for XML decoding is returned
 *
 * @return <code>XStream</code> - for XML serialization decoding
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

/**
 *
 * @return
 */
private XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 

public static List<?> loadWmlFile(String hash) {
	String name = OmFileHelper.getName(hash, EXTENSION_WML);
	File file = new File(OmFileHelper.getUploadWmlDir(), name);
	log.debug("filepathComplete: {}", file);

	XStream xstream = new XStream(new XppDriver());
	xstream.setMode(XStream.NO_REFERENCES);
	xstream.addPermission(NoTypePermission.NONE);
	xstream.addPermission(NullPermission.NULL);
	xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
	xstream.allowTypeHierarchy(List.class);
	xstream.allowTypeHierarchy(String.class);
	xstream.ignoreUnknownElements();
	try (InputStream is = new FileInputStream(file); BufferedReader reader = new BufferedReader(new InputStreamReader(is, UTF_8))) {
		return (List<?>) xstream.fromXML(reader);
	} catch (Exception err) {
		log.error("loadWmlFile", err);
	}
	return new ArrayList<>();
}
 

public static App createHardened(int port) {
    final XStream xstream = new XStream();
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypes(new Class<?>[] { Person.class });
    return new App(port, xstream);
}
 

/**
 * Sets up the security framework for the passed <code>XStream</code> object.
 *
 * @param xStream the <code>XStream</code> object to set the security framework up for
 * @see <a
 *     href="https://x-stream.github.io/security.html">https://x-stream.github.io/security.html</a>
 */
private static void setUpSecurityFramework(XStream xStream) {
  // forbid all classes by default
  xStream.addPermission(NoTypePermission.NONE);

  // allow default java stuff
  xStream.addPermission(NullPermission.NULL);
  xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
  xStream.allowTypeHierarchy(Collection.class);
  xStream.allowTypeHierarchy(Map.class);
  xStream.allowTypes(new Class[] {String.class});

  // allow all saros classes
  xStream.allowTypesByWildcard(new String[] {"saros.**"});
}
 

public static XStream getInstance() {
  XStream xstream = new XStream(new PureJavaReflectionProvider(), new XppDriver() {

    @Override
    public HierarchicalStreamWriter createWriter(Writer out) {
      return new PrettyPrintWriter(out, getNameCoder()) {
        protected String PREFIX_CDATA = "<![CDATA[";
        protected String SUFFIX_CDATA = "]]>";
        protected String PREFIX_MEDIA_ID = "<MediaId>";
        protected String SUFFIX_MEDIA_ID = "</MediaId>";

        @Override
        protected void writeText(QuickWriter writer, String text) {
          if (text.startsWith(this.PREFIX_CDATA) && text.endsWith(this.SUFFIX_CDATA)) {
            writer.write(text);
          } else if (text.startsWith(this.PREFIX_MEDIA_ID) && text.endsWith(this.SUFFIX_MEDIA_ID)) {
            writer.write(text);
          } else {
            super.writeText(writer, text);
          }

        }

        @Override
        public String encodeNode(String name) {
          //防止将_转换成__
          return name;
        }
      };
    }
  });

  xstream.ignoreUnknownElements();
  xstream.setMode(XStream.NO_REFERENCES);
  xstream.addPermission(NullPermission.NULL);
  xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
  xstream.setClassLoader(Thread.currentThread().getContextClassLoader());
  return xstream;
}
 

public static XStream getInstance() {
  XStream xstream = new XStream(new XppDriver() {

    @Override
    public HierarchicalStreamWriter createWriter(Writer out) {
      return new PrettyPrintWriter(out, getNameCoder()) {
        protected String PREFIX_CDATA = "<![CDATA[";
        protected String SUFFIX_CDATA = "]]>";
        protected String PREFIX_MEDIA_ID = "<MediaId>";
        protected String SUFFIX_MEDIA_ID = "</MediaId>";
        @Override
        protected void writeText(QuickWriter writer, String text) {
          if (text.startsWith(PREFIX_CDATA) && text.endsWith(SUFFIX_CDATA)) {
            writer.write(text);
          } else if (text.startsWith(PREFIX_MEDIA_ID) && text.endsWith(SUFFIX_MEDIA_ID)) {
            writer.write(text);
          } else {
            super.writeText(writer, text);
          }

        }
      };
    }
  });
  xstream.ignoreUnknownElements();
  xstream.setMode(XStream.NO_REFERENCES);
  xstream.addPermission(NullPermission.NULL);
  xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
  return xstream;
}
 

public XStreamDashboardPersister() {
	this.file = getUserDashboard(getUserId());

	xstream = new XStream(new DomDriver(UTF_8.name()));
	xstream.setMode(XStream.NO_REFERENCES);
	xstream.addPermission(NoTypePermission.NONE);
	xstream.addPermission(NullPermission.NULL);
	xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
	xstream.allowTypesByWildcard(new String[] {"org.apache.openmeetings.web.**"});
	xstream.allowTypeHierarchy(ArrayList.class);
	xstream.alias("dashboard", UserDashboard.class);
}
 

/**
 * Setup the security framework of a XStream instance.
 * <p>
 * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
 * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do
 * therefore nothing in XStream 1.5.
 * </p>
 * 
 * @param xstream
 * @since 1.4.10
 */
public static void setupDefaultSecurity(final XStream xstream) {
    if (!xstream.securityInitialized) {
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.addPermission(ArrayTypePermission.ARRAYS);
        xstream.addPermission(InterfaceTypePermission.INTERFACES);
        xstream.allowTypeHierarchy(Calendar.class);
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypeHierarchy(Map.Entry.class);
        xstream.allowTypeHierarchy(Member.class);
        xstream.allowTypeHierarchy(Number.class);
        xstream.allowTypeHierarchy(Throwable.class);
        xstream.allowTypeHierarchy(TimeZone.class);

        Class type = JVM.loadClassForName("java.lang.Enum");
        if (type != null) {
            xstream.allowTypeHierarchy(type);
        }
        type = JVM.loadClassForName("java.nio.file.Path");
        if (type != null) {
            xstream.allowTypeHierarchy(type);
        }

        final Set types = new HashSet();
        types.add(BitSet.class);
        types.add(Charset.class);
        types.add(Class.class);
        types.add(Currency.class);
        types.add(Date.class);
        types.add(DecimalFormatSymbols.class);
        types.add(File.class);
        types.add(Locale.class);
        types.add(Object.class);
        types.add(Pattern.class);
        types.add(StackTraceElement.class);
        types.add(String.class);
        types.add(StringBuffer.class);
        types.add(JVM.loadClassForName("java.lang.StringBuilder"));
        types.add(URL.class);
        types.add(URI.class);
        types.add(JVM.loadClassForName("java.util.UUID"));
        if (JVM.isSQLAvailable()) {
            types.add(JVM.loadClassForName("java.sql.Timestamp"));
            types.add(JVM.loadClassForName("java.sql.Time"));
            types.add(JVM.loadClassForName("java.sql.Date"));
        }
        if (JVM.isVersion(8)) {
            xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
            types.add(JVM.loadClassForName("java.time.Duration"));
            types.add(JVM.loadClassForName("java.time.Instant"));
            types.add(JVM.loadClassForName("java.time.LocalDate"));
            types.add(JVM.loadClassForName("java.time.LocalDateTime"));
            types.add(JVM.loadClassForName("java.time.LocalTime"));
            types.add(JVM.loadClassForName("java.time.MonthDay"));
            types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
            types.add(JVM.loadClassForName("java.time.OffsetTime"));
            types.add(JVM.loadClassForName("java.time.Period"));
            types.add(JVM.loadClassForName("java.time.Ser"));
            types.add(JVM.loadClassForName("java.time.Year"));
            types.add(JVM.loadClassForName("java.time.YearMonth"));
            types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
            xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
            types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
            types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
            types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
            types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
            types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
            types.add(JVM.loadClassForName("java.time.chrono.Ser"));
            xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
            types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
            types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
        }
        types.remove(null);

        final Iterator iter = types.iterator();
        final Class[] classes = new Class[types.size()];
        for (int i = 0; i < classes.length; ++i) {
            classes[i] = (Class)iter.next();
        }
        xstream.allowTypes(classes);
    } else {
        throw new IllegalArgumentException("Security framework of XStream instance already initialized");
    }
}