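/*
GRANITE DATA SERVICES
Copyright (C) 2011 GRANITE DATA SERVICES S.A.S.

This file is part of Granite Data Services.

Granite Data Services is free software; you can redistribute it and/or modify
it under the terms of the GNU Library General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

Granite Data Services is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
for more details.

You should have received a copy of the GNU Library General Public License
along with this library; if not, see <http://www.gnu.org/licenses/>.
*/

package org.granite.messaging.amf.io;

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;

/**
 * A default implementation of the securizer interface that prevents arbitrary class
 * instantiation based on a regex pattern.
 *
 * <p>The pattern is an <strong>allow-list</strong>: a class name is accepted only when
 * the whole name matches it. Until a pattern is set through {@link #setParam(String)},
 * every class name is accepted, so this securizer gives no protection unless it is
 * configured.
 *
 * <p>Thread-safety: the pattern and the cache of names it accepted are held in one
 * immutable-reference {@code State} object published through a single volatile field.
 * A concurrent {@link #setParam(String)} therefore can never cause a name accepted by
 * the previous pattern to be recorded in the cache of the new one.
 *
 * @author Franck WOLFF
 */
public class RegexAMF3DeserializerSecurizer implements AMF3DeserializerSecurizer {

    /**
     * Soft upper bound on the number of cached class names. Names reaching
     * {@link #allowInstantiation(String)} presumably come from the data being
     * deserialized, and a broad pattern accepts an unlimited number of distinct
     * names; without a bound the cache could be grown at will by the sender.
     * Names beyond the bound are still checked against the pattern, only not cached.
     */
    private static final int MAX_CACHED_CLASS_NAMES = 4096;

    /** A pattern together with the cache of names that this very pattern accepted. */
    private static final class State {

        /** The allow-list pattern, or {@code null} when no pattern is configured. */
        final Pattern allow;

        /** Names already accepted by {@link #allow}; only accepted names are stored. */
        final ConcurrentMap<String, Boolean> cache = new ConcurrentHashMap<String, Boolean>();

        State(Pattern allow) {
            this.allow = allow;
        }
    }

    // Replaced as a whole by setParam so that readers always see a pattern with the
    // cache that belongs to it (and never a stale, unsynchronized field value).
    private volatile State state = new State(null);

    /**
     * Checks whether the given class name is fully matched by the configured allow
     * pattern. Note that null or empty class names are always allowed, and that every
     * class name is allowed while no pattern is configured.
     *
     * @param className the class to check.
     * @return <code>true</code> if the given class name is allowed to be
     *      instantiated, <code>false</code> otherwise.
     */
    public boolean allowInstantiation(String className) {
        // Read the volatile field once: the pattern and the cache used below must
        // belong together even if setParam runs concurrently.
        final State current = state;

        if (current.allow == null || className == null || className.length() == 0) {
            return true;
        }
        if (current.cache.containsKey(className)) {
            return true;
        }

        // matches() requires the entire name to match, so an allowed prefix or
        // suffix alone is not enough to pass.
        final boolean allowed = current.allow.matcher(className).matches();

        // Only accepted names are cached; the size check is not atomic with the put,
        // so the bound may be exceeded by a few entries under contention.
        if (allowed && current.cache.size() < MAX_CACHED_CLASS_NAMES) {
            current.cache.putIfAbsent(className, Boolean.TRUE);
        }
        return allowed;
    }

    /**
     * Set this securizer pattern. Note that you may use whitespaces in your pattern in
     * order to improve readability: these extra characters will be ignored.
     *
     * <p>A null or empty value removes the pattern, which makes every class name
     * allowed again. A value made of whitespace only compiles to the empty pattern,
     * which no non-empty class name matches. The expression is evaluated for each
     * uncached class name, so it should be kept simple (for instance an alternation
     * of escaped package prefixes) to keep the matching cost predictable.
     *
     * @param param a regex containing <strong>allowed</strong> class name patterns.
     * @throws java.util.regex.PatternSyntaxException if the given value isn't a valid
     *      regex pattern; the previous pattern and its cache are kept in that case.
     */
    public void setParam(String param) {
        Pattern pattern = null;
        if (param != null && param.length() > 0) {
            // Drop every whitespace character before compiling.
            StringBuilder sb = new StringBuilder(param.length());
            for (String s : param.split("\\s", -1)) {
                if (s.length() > 0) {
                    sb.append(s);
                }
            }
            pattern = Pattern.compile(sb.toString());
        }
        // A fresh State starts with an empty cache, so nothing accepted by the
        // previous pattern survives the change.
        state = new State(pattern);
    }


    /**
     * Return this securizer pattern, as compiled (that is, with the whitespaces of the
     * value given to {@link #setParam(String)} removed).
     *
     * @return this securizer pattern, or <code>null</code> if none is configured.
     */
    public String getParam() {
        final Pattern pattern = state.allow;
        return (pattern != null ? pattern.pattern() : null);
    }
}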