com.thoughtworks.xstream.security.NoTypePermission Java Examples

The following examples show how to use com.thoughtworks.xstream.security.NoTypePermission. Each example names the source file and the project it was taken from.
Example #1
Source File: ValueModel.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the permission calls below do not leave an allowlist in
 * place. <code>addPermission</code> discards every previously registered
 * permission when it receives <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>, so the closing
 * <code>AnyTypePermission.ANY</code> call yields a policy that admits every
 * type. XML that is not fully trusted should not be decoded with the
 * returned instance until that call is replaced by explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries for
 * the model classes this reader needs.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; this also drops whatever
    // setupDefaultSecurity registered on the line above.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #2
Source File: SesarSample.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the resulting policy is allow-all, not an allowlist.
 * <code>addPermission</code> clears the permissions registered so far when
 * it is given <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>; because <code>ANY</code> is added
 * last, it is the only permission left. Replace it with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries
 * before decoding XML that is not fully trusted.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public static XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all, discarding the defaults that
    // setupDefaultSecurity has just installed.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY clears everything registered above and admits every
    // type; the preceding permission calls have no lasting effect.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #3
Source File: ReportSettingsInterface.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Default implementation that creates an <code>XStream</code> instance on a
 * <code>DomDriver</code>, passes it to <code>customizeXstream</code> and then
 * configures the XStream type-permission framework.
 *
 * <p>NOTE(review): the permission sequence ends with
 * <code>AnyTypePermission.ANY</code>. <code>addPermission</code> clears all
 * earlier permissions for <code>NoTypePermission.NONE</code> and for
 * <code>AnyTypePermission.ANY</code>, so the effective policy admits every
 * type. Implementers that decode XML from outside the application should
 * override this or replace <code>ANY</code> with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public default XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; the defaults installed on the
    // previous line are dropped by this call.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #4
Source File: AbstractRatiosDataModel.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the resulting policy is allow-all, not an allowlist.
 * <code>addPermission</code> clears the permissions registered so far when
 * it is given <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>; because <code>ANY</code> is added
 * last, it is the only permission left. Replace it with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries
 * before decoding XML that is not fully trusted.
 *
 * @return a new <code>XStream</code> configured as described above
 */
protected XStream getXStream() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all, discarding the defaults that
    // setupDefaultSecurity has just installed.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY clears everything registered above and admits every
    // type; the preceding permission calls have no lasting effect.
    xstream.addPermission(AnyTypePermission.ANY);
    

    return xstream;
}
 
Example #5
Source File: SESARSampleMetadata.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the permission calls below do not leave an allowlist in
 * place. <code>addPermission</code> discards every previously registered
 * permission when it receives <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>, so the closing
 * <code>AnyTypePermission.ANY</code> call yields a policy that admits every
 * type. XML that is not fully trusted should not be decoded with the
 * returned instance until that call is replaced by explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries for
 * the model classes this reader needs.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; this also drops whatever
    // setupDefaultSecurity registered on the line above.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #6
Source File: SampleMetaData.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the resulting policy is allow-all, not an allowlist.
 * <code>addPermission</code> clears the permissions registered so far when
 * it is given <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>; because <code>ANY</code> is added
 * last, it is the only permission left. Replace it with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries
 * before decoding XML that is not fully trusted.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all, discarding the defaults that
    // setupDefaultSecurity has just installed.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY clears everything registered above and admits every
    // type; the preceding permission calls have no lasting effect.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #7
Source File: UPbReduxAliquot.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the permission calls below do not leave an allowlist in
 * place. <code>addPermission</code> discards every previously registered
 * permission when it receives <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>, so the closing
 * <code>AnyTypePermission.ANY</code> call yields a policy that admits every
 * type. XML that is not fully trusted should not be decoded with the
 * returned instance until that call is replaced by explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries for
 * the model classes this reader needs.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);
    
    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; this also drops whatever
    // setupDefaultSecurity registered on the line above.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #8
Source File: UPbFraction.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the resulting policy is allow-all, not an allowlist.
 * <code>addPermission</code> clears the permissions registered so far when
 * it is given <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>; because <code>ANY</code> is added
 * last, it is the only permission left. Replace it with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries
 * before decoding XML that is not fully trusted.
 *
 * @return a new <code>XStream</code> configured as described above
 */
private XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all, discarding the defaults that
    // setupDefaultSecurity has just installed.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY clears everything registered above and admits every
    // type; the preceding permission calls have no lasting effect.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #9
Source File: AnalysisFraction.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the permission calls below do not leave an allowlist in
 * place. <code>addPermission</code> discards every previously registered
 * permission when it receives <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>, so the closing
 * <code>AnyTypePermission.ANY</code> call yields a policy that admits every
 * type. XML that is not fully trusted should not be decoded with the
 * returned instance until that call is replaced by explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries for
 * the model classes this reader needs.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; this also drops whatever
    // setupDefaultSecurity registered on the line above.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #10
Source File: MineralStandardModel.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the resulting policy is allow-all, not an allowlist.
 * <code>addPermission</code> clears the permissions registered so far when
 * it is given <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>; because <code>ANY</code> is added
 * last, it is the only permission left. Replace it with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries
 * before decoding XML that is not fully trusted.
 *
 * @return a new <code>XStream</code> configured as described above
 */
private XStream getXStreamReader() {
    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all, discarding the defaults that
    // setupDefaultSecurity has just installed.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY clears everything registered above and admits every
    // type; the preceding permission calls have no lasting effect.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #11
Source File: PbBlank.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the permission calls below do not leave an allowlist in
 * place. <code>addPermission</code> discards every previously registered
 * permission when it receives <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>, so the closing
 * <code>AnyTypePermission.ANY</code> call yields a policy that admits every
 * type. XML that is not fully trusted should not be decoded with the
 * returned instance until that call is replaced by explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries for
 * the model classes this reader needs.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; this also drops whatever
    // setupDefaultSecurity registered on the line above.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #12
Source File: UThReduxAliquot.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the resulting policy is allow-all, not an allowlist.
 * <code>addPermission</code> clears the permissions registered so far when
 * it is given <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>; because <code>ANY</code> is added
 * last, it is the only permission left. Replace it with explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries
 * before decoding XML that is not fully trusted.
 *
 * @return a new <code>XStream</code> configured as described above
 */
public XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all, discarding the defaults that
    // setupDefaultSecurity has just installed.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY clears everything registered above and admits every
    // type; the preceding permission calls have no lasting effect.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #13
Source File: PhysicalConstants.java    From ET_Redux with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an <code>XStream</code> instance on a <code>DomDriver</code>, passes
 * it to <code>customizeXstream</code> and then configures the XStream
 * type-permission framework.
 *
 * <p>NOTE(review): the permission calls below do not leave an allowlist in
 * place. <code>addPermission</code> discards every previously registered
 * permission when it receives <code>NoTypePermission.NONE</code> or
 * <code>AnyTypePermission.ANY</code>, so the closing
 * <code>AnyTypePermission.ANY</code> call yields a policy that admits every
 * type. XML that is not fully trusted should not be decoded with the
 * returned instance until that call is replaced by explicit
 * <code>allowTypes</code> / <code>allowTypesByWildcard</code> entries for
 * the model classes this reader needs.
 *
 * @return a new <code>XStream</code> configured as described above
 */
private XStream getXStreamReader() {

    XStream xstream = new XStream(new DomDriver());

    customizeXstream(xstream);

    // Security framework reference: http://x-stream.github.io/security.html
    XStream.setupDefaultSecurity(xstream);
    // NONE resets the policy to deny-all; this also drops whatever
    // setupDefaultSecurity registered on the line above.
    xstream.addPermission(NoTypePermission.NONE);
    // Re-admit null, primitives and the Collection hierarchy.
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // NOTE(review): ANY wipes the entries above and permits all types, so
    // none of the restrictions configured in this method are enforced.
    xstream.addPermission(AnyTypePermission.ANY);

    return xstream;
}
 
Example #14
Source File: WbConverter.java    From openmeetings with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the WML file that belongs to the given hash and returns its content as a list.
 *
 * <p>The XStream instance starts from a deny-all policy and re-admits only null,
 * primitives and the {@code List} and {@code String} type hierarchies, so XML naming
 * any other class is rejected during unmarshalling.
 *
 * <p>NOTE(review): {@code hash} ends up in the file name through
 * {@code OmFileHelper.getName}; whether it is checked for path separators is not
 * visible here and should be confirmed at the callers.
 *
 * @param hash identifier used to derive the WML file name
 * @return the unmarshalled list, or an empty list when reading or unmarshalling fails
 */
public static List<?> loadWmlFile(String hash) {
	final String wmlName = OmFileHelper.getName(hash, EXTENSION_WML);
	final File wmlFile = new File(OmFileHelper.getUploadWmlDir(), wmlName);
	log.debug("filepathComplete: {}", wmlFile);

	final XStream parser = new XStream(new XppDriver());
	parser.setMode(XStream.NO_REFERENCES);
	// Deny everything first; only the entries added below are accepted.
	parser.addPermission(NoTypePermission.NONE);
	parser.addPermission(NullPermission.NULL);
	parser.addPermission(PrimitiveTypePermission.PRIMITIVES);
	parser.allowTypeHierarchy(List.class);
	parser.allowTypeHierarchy(String.class);
	parser.ignoreUnknownElements();

	try (InputStream is = new FileInputStream(wmlFile);
			BufferedReader reader = new BufferedReader(new InputStreamReader(is, UTF_8))) {
		return (List<?>) parser.fromXML(reader);
	} catch (Exception err) {
		// Every failure, including a rejected type or a non-list root, is
		// logged and reported to the caller as an empty list.
		log.error("loadWmlFile", err);
		return new ArrayList<>();
	}
}
 
Example #15
Source File: TransportFormat.java    From javamelody with Apache License 2.0 6 votes vote down vote up
/**
 * Unmarshals one object from an XML stream using a restricted XStream instance.
 *
 * <p>The instance from {@code createXStream(false)} is reset to deny-all and then
 * re-opened for null, primitives, the classes directly in {@code java.lang},
 * {@code java.util} and {@code java.util.concurrent}, and the classes directly in
 * {@code PACKAGE_NAME}. See http://x-stream.github.io/security.html.
 *
 * <p>NOTE(review): the three JDK patterns admit every class in those packages, not
 * only the ones the transport format actually carries; consider narrowing them to
 * the concrete types in use.
 *
 * @param bufferedInput stream holding the XML document
 * @return the unmarshalled object
 * @throws IOException if the reader cannot be created or closed
 */
static Object readFromXml(InputStream bufferedInput) throws IOException {
	final XStream deserializer = createXStream(false);

	// Drop whatever permissions the instance carried and start from deny-all.
	deserializer.addPermission(NoTypePermission.NONE);
	deserializer.addPermission(NullPermission.NULL);
	deserializer.addPermission(PrimitiveTypePermission.PRIMITIVES);

	// A single "*" does not span sub-packages, which is why
	// java.util.concurrent is listed separately.
	final String[] jdkPatterns = { "java.lang.*", "java.util.*", "java.util.concurrent.*" };
	deserializer.allowTypesByWildcard(jdkPatterns);

	// Types that live in this class's own package.
	final String[] ownPackagePattern = { PACKAGE_NAME + ".*" };
	deserializer.allowTypesByWildcard(ownPackagePattern);

	final InputStreamReader xmlReader = new InputStreamReader(bufferedInput, XML_CHARSET_NAME);
	try {
		return deserializer.fromXML(xmlReader);
	} finally {
		xmlReader.close();
	}
}
 
Example #16
Source File: App.java    From tutorials with MIT License 5 votes vote down vote up
/**
 * Creates an {@code App} whose XStream instance accepts only null, primitives and
 * {@code Person}.
 *
 * <p>{@code NoTypePermission.NONE} is added first so that the policy starts from
 * deny-all; every later call widens it by exactly one entry.
 *
 * @param port port passed through to the {@code App} constructor
 * @return an {@code App} using the restricted XStream instance
 */
public static App createHardened(int port) {
    final XStream hardened = new XStream();

    // Deny-all baseline, then the minimal set this application needs.
    hardened.addPermission(NoTypePermission.NONE);
    hardened.addPermission(NullPermission.NULL);
    hardened.addPermission(PrimitiveTypePermission.PRIMITIVES);

    final Class<?>[] allowedTypes = { Person.class };
    hardened.allowTypes(allowedTypes);

    return new App(port, hardened);
}
 
Example #17
Source File: XStreamFactory.java    From saros with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Configures the type permissions of the passed <code>XStream</code> object.
 *
 * <p>The policy starts from deny-all and is then opened for null, primitives, the
 * <code>Collection</code> and <code>Map</code> hierarchies, <code>String</code>, and every
 * class matching <code>saros.**</code>.
 *
 * @param xStream the <code>XStream</code> object to configure
 * @see <a
 *     href="https://x-stream.github.io/security.html">https://x-stream.github.io/security.html</a>
 */
private static void setUpSecurityFramework(XStream xStream) {
  // Deny-all baseline; must come first because it clears earlier permissions.
  xStream.addPermission(NoTypePermission.NONE);

  // Basic JDK types.
  xStream.addPermission(NullPermission.NULL);
  xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
  xStream.allowTypeHierarchy(Collection.class);
  xStream.allowTypeHierarchy(Map.class);
  final Class[] jdkTypes = {String.class};
  xStream.allowTypes(jdkTypes);

  // "**" also matches sub-packages, so this covers the whole saros namespace.
  final String[] projectPatterns = {"saros.**"};
  xStream.allowTypesByWildcard(projectPatterns);
}
 
Example #18
Source File: UserDashboardPersister.java    From openmeetings with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves the dashboard file of the current user and prepares the XStream
 * instance used with it.
 *
 * <p>The instance starts from deny-all and is re-opened for null, primitives,
 * classes matching {@code org.apache.openmeetings.web.**} and the
 * {@code ArrayList} hierarchy.
 */
public XStreamDashboardPersister() {
	// The file is looked up via getUserDashboard(getUserId()).
	this.file = getUserDashboard(getUserId());

	xstream = new XStream(new DomDriver(UTF_8.name()));
	xstream.setMode(XStream.NO_REFERENCES);
	// Deny-all baseline; only the entries added below are accepted.
	xstream.addPermission(NoTypePermission.NONE);
	xstream.addPermission(NullPermission.NULL);
	xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
	// "**" also matches sub-packages, so any class under
	// org.apache.openmeetings.web can be named in the dashboard XML.
	// NOTE(review): consider narrowing this to the dashboard/widget types
	// actually persisted if the file can be influenced by the user.
	xstream.allowTypesByWildcard(new String[] {"org.apache.openmeetings.web.**"});
	xstream.allowTypeHierarchy(ArrayList.class);
	// Map the XML element name "dashboard" to UserDashboard.
	xstream.alias("dashboard", UserDashboard.class);
}
 
Example #19
Source File: XStream.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Set up the security framework of an XStream instance.
 * <p>
 * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
 * well-known and simple types of the Java runtime, as XStream 1.5.x does by default. It will therefore do nothing
 * in XStream 1.5.
 * </p>
 * <p>
 * The white list is built on top of {@link NoTypePermission#NONE}, so any type that is not listed below is
 * rejected unless the caller adds a further permission afterwards.
 * </p>
 * 
 * @param xstream the instance to configure
 * @throws IllegalArgumentException if the security framework of the instance is already initialized
 * @since 1.4.10
 */
public static void setupDefaultSecurity(final XStream xstream) {
    if (xstream.securityInitialized) {
        throw new IllegalArgumentException("Security framework of XStream instance already initialized");
    }

    // Deny-all baseline followed by the generic permissions.
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.addPermission(ArrayTypePermission.ARRAYS);
    xstream.addPermission(InterfaceTypePermission.INTERFACES);

    // Hierarchies that are always present.
    xstream.allowTypeHierarchy(Calendar.class);
    xstream.allowTypeHierarchy(Collection.class);
    xstream.allowTypeHierarchy(Map.class);
    xstream.allowTypeHierarchy(Map.Entry.class);
    xstream.allowTypeHierarchy(Member.class);
    xstream.allowTypeHierarchy(Number.class);
    xstream.allowTypeHierarchy(Throwable.class);
    xstream.allowTypeHierarchy(TimeZone.class);

    // Hierarchies looked up by name; they are skipped when the lookup yields null.
    final Class enumType = JVM.loadClassForName("java.lang.Enum");
    if (enumType != null) {
        xstream.allowTypeHierarchy(enumType);
    }
    final Class pathType = JVM.loadClassForName("java.nio.file.Path");
    if (pathType != null) {
        xstream.allowTypeHierarchy(pathType);
    }

    // Individual types; classes looked up by name may come back as null and are filtered out below.
    final Set allowed = new HashSet();
    allowed.add(BitSet.class);
    allowed.add(Charset.class);
    allowed.add(Class.class);
    allowed.add(Currency.class);
    allowed.add(Date.class);
    allowed.add(DecimalFormatSymbols.class);
    allowed.add(File.class);
    allowed.add(Locale.class);
    allowed.add(Object.class);
    allowed.add(Pattern.class);
    allowed.add(StackTraceElement.class);
    allowed.add(String.class);
    allowed.add(StringBuffer.class);
    allowed.add(JVM.loadClassForName("java.lang.StringBuilder"));
    allowed.add(URL.class);
    allowed.add(URI.class);
    allowed.add(JVM.loadClassForName("java.util.UUID"));

    if (JVM.isSQLAvailable()) {
        allowed.add(JVM.loadClassForName("java.sql.Timestamp"));
        allowed.add(JVM.loadClassForName("java.sql.Time"));
        allowed.add(JVM.loadClassForName("java.sql.Date"));
    }

    if (JVM.isVersion(8)) {
        // java.time and its chronology types.
        xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
        allowed.add(JVM.loadClassForName("java.time.Duration"));
        allowed.add(JVM.loadClassForName("java.time.Instant"));
        allowed.add(JVM.loadClassForName("java.time.LocalDate"));
        allowed.add(JVM.loadClassForName("java.time.LocalDateTime"));
        allowed.add(JVM.loadClassForName("java.time.LocalTime"));
        allowed.add(JVM.loadClassForName("java.time.MonthDay"));
        allowed.add(JVM.loadClassForName("java.time.OffsetDateTime"));
        allowed.add(JVM.loadClassForName("java.time.OffsetTime"));
        allowed.add(JVM.loadClassForName("java.time.Period"));
        allowed.add(JVM.loadClassForName("java.time.Ser"));
        allowed.add(JVM.loadClassForName("java.time.Year"));
        allowed.add(JVM.loadClassForName("java.time.YearMonth"));
        allowed.add(JVM.loadClassForName("java.time.ZonedDateTime"));
        xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
        allowed.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
        allowed.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
        allowed.add(JVM.loadClassForName("java.time.chrono.Ser"));
        xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
        allowed.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
        allowed.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
    }

    // Drop the placeholder left behind by any failed name lookup.
    allowed.remove(null);

    xstream.allowTypes((Class[])allowed.toArray(new Class[allowed.size()]));
}
 
Example #20
Source File: SecurityMapper.java    From lams with GNU General Public License v2.0 2 votes vote down vote up
/**
 * Add a new permission.
 * <p>
 * The permission is inserted at the head of the internal list. Adding {@link NoTypePermission#NONE} or
 * {@link AnyTypePermission#ANY} first clears every permission registered so far, which means either of them
 * resets the policy: a later {@code ANY} discards an earlier white list, and a later {@code NONE} discards
 * everything allowed before it.
 * </p>
 * 
 * @param permission the permission to add.
 * @since 1.4.7
 */
public void addPermission(final TypePermission permission) {
    final boolean resetsPolicy =
        permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY);
    if (resetsPolicy) {
        permissions.clear();
    }
    // Newest permission goes to index 0.
    permissions.add(0, permission);
}