Posted to commits@commons.apache.org by bd...@apache.org on 2015/11/19 21:25:58 UTC
svn commit: r1715266 -
/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
Author: bdelacretaz
Date: Thu Nov 19 20:25:58 2015
New Revision: 1715266
URL: http://svn.apache.org/viewvc?rev=1715266&view=rev
Log:
IO-487 - demonstrate 3 variants in MoreComplexObjectTest
Modified:
commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
Modified: commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
URL: http://svn.apache.org/viewvc/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java?rev=1715266&r1=1715265&r2=1715266&view=diff
==============================================================================
--- commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java (original)
+++ commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java Thu Nov 19 20:25:58 2015
@@ -55,22 +55,36 @@ public class MoreComplexObjectTest exten
assertEquals("Expecting same data after deserializing", original.toString(), copy.toString());
}
- /** Having to specify all the MoreComplexObject member classes like
- * this is a bit painful - we might need a utility that analyzes the
- * class members and accepts their classes. On the other hand this gives
- * a precise view of what's accepted (assuming we trust java.lang.*).
+ /** Trusting java.lang.* and the array variants of that means we have
+ * to define a number of accept classes explicitly. Quite safe but
+ * might become a bit verbose.
*/
@Test
- public void specifyAllAccepts() throws IOException, ClassNotFoundException {
+ public void trustJavaLang() throws IOException, ClassNotFoundException {
assertSerialization(willClose(
new ValidatingObjectInputStream(inputStream)
- .accept(MoreComplexObject.class, ArrayList.class, Integer[].class, Random.class)
- .accept("java.lang.*")
+ .accept(MoreComplexObject.class, ArrayList.class, Random.class)
+ .accept("java.lang.*","[Ljava.lang.*")
));
}
- /** An alternative is to accept everything but reject specific classes.
- * That's not as safe as it's hard to get an exhaustive blacklist.
+ /** Trusting java.* is probably reasonable and avoids having to be too
+ * detailed in the accepts.
+ */
+ @Test
+ public void trustJavaIncludingArrays() throws IOException, ClassNotFoundException {
+ assertSerialization(willClose(
+ new ValidatingObjectInputStream(inputStream)
+ .accept(MoreComplexObject.class)
+ .accept("java.*","[Ljava.*")
+ ));
+ }
+
+ /** Here we accept everything but reject specific classes, using a pure
+ * blacklist mode.
+ *
+ * That's not as safe as it's hard to get an exhaustive blacklist, but
+ * might be ok in controlled environments.
*/
@Test
public void useBlacklist() throws IOException, ClassNotFoundException {
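Review bot: The Javadoc added on `trustJavaIncludingArrays()` calls trusting `java.*` "probably reasonable", but `.accept("java.*","[Ljava.*")` admits every class in every `java.` package, which is far wider than the explicit list in `trustJavaLang()` and, judging by that list, wider than MoreComplexObject needs. Because these tests read as usage examples for ValidatingObjectInputStream, the comment should state the trade-off, for example `/** Accepts all of java.* and its one-dimensional object arrays: short to write, but much wider than trustJavaLang(), so prefer the narrower list for data from untrusted sources. */`. The `[Ljava.lang.*` and `[Ljava.*` patterns look like they match only one-dimensional object arrays, since nested array class names start with `[[`; that limit deserves a sentence in the same comments. The body of `useBlacklist()` continues outside the hunk.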