Posted to commits@commons.apache.org by bd...@apache.org on 2015/11/19 21:25:58 UTC

svn commit: r1715266 - /commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java

Author: bdelacretaz
Date: Thu Nov 19 20:25:58 2015
New Revision: 1715266

URL: http://svn.apache.org/viewvc?rev=1715266&view=rev
Log:
IO-487 - demonstrate 3 variants in MoreComplexObjectTest

Modified:
    commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java

Modified: commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java
URL: http://svn.apache.org/viewvc/commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java?rev=1715266&r1=1715265&r2=1715266&view=diff
==============================================================================
--- commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java (original)
+++ commons/proper/io/trunk/src/test/java/org/apache/commons/io/serialization/MoreComplexObjectTest.java Thu Nov 19 20:25:58 2015
@@ -55,22 +55,36 @@ public class MoreComplexObjectTest exten
         assertEquals("Expecting same data after deserializing", original.toString(), copy.toString());
     }
     
-    /** Having to specify all the MoreComplexObject member classes like
-     *  this is a bit painful - we might need a utility that analyzes the
-     *  class members and accepts their classes. On the other hand this gives
-     *  a precise view of what's accepted (assuming we trust java.lang.*).
+    /** Trusting java.lang.* and the array variants of that means we have
+     *  to define a number of accept classes explicitly. Quite safe but
+     *  might become a bit verbose.
      */
     @Test
-    public void specifyAllAccepts() throws IOException, ClassNotFoundException {
+    public void trustJavaLang() throws IOException, ClassNotFoundException {
         assertSerialization(willClose(
                 new ValidatingObjectInputStream(inputStream)
-                .accept(MoreComplexObject.class, ArrayList.class, Integer[].class, Random.class)
-                .accept("java.lang.*")
+                .accept(MoreComplexObject.class, ArrayList.class, Random.class)
+                .accept("java.lang.*","[Ljava.lang.*")
         ));
     }
     
-    /** An alternative is to accept everything but reject specific classes.
-     *  That's not as safe as it's hard to get an exhaustive blacklist.
+    /** Trusting java.* is probably reasonable and avoids having to be too
+     *  detailed in the accepts.
+     */
+    @Test
+    public void trustJavaIncludingArrays() throws IOException, ClassNotFoundException {
+        assertSerialization(willClose(
+                new ValidatingObjectInputStream(inputStream)
+                .accept(MoreComplexObject.class)
+                .accept("java.*","[Ljava.*")
+        ));
+    }
+    
+    /** Here we accept everything but reject specific classes, using a pure
+     *  blacklist mode.
+     *  
+     *  That's not as safe as it's hard to get an exhaustive blacklist, but
+     *  might be ok in controlled environments.
      */
     @Test
     public void useBlacklist() throws IOException, ClassNotFoundException {
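Review bot: The Javadoc on `trustJavaIncludingArrays` calls accepting `java.*` "probably reasonable", but that pattern admits every class under `java.`, including `java.net`, `java.rmi` and `java.lang.reflect`, and the deserialization hooks of any accepted class run before the caller sees the object, so it is much weaker than the explicit list in `trustJavaLang`. Because this test reads as a usage example that will be copied, the comment should state the trade-off, e.g. `/** Accepting java.* keeps the accept list short but admits every JDK class under java.*; for untrusted input prefer the narrower list in trustJavaLang. */`. The same concern applies on a smaller scale to `"java.lang.*"` if the matcher lets `*` span dots (then `java.lang.reflect.*` and `java.lang.invoke.*` are accepted as well), and `"[Ljava.lang.*"` covers only one-dimensional object arrays. Neither new test asserts that a class outside the accept list is rejected; whether that is covered elsewhere in the class is not visible in this hunk.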