[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15007015#comment-15007015 ]
Christopher Schultz commented on IO-487:
----------------------------------------

I made a suggestion on the tomcat-user mailing list where we have been discussing the same thing, and are likely to use your implementation once it's complete: allow for the [Whatever]InputStream to be put into a mode where it merely reports (via log @ INFO level) which classes would have been rejected.

This will allow a developer to run in this mode to ensure that there aren't any classes being used that are expected to be deserialized during legitimate uses of the application, but aren't matching the currently-configured "accept" criteria. Yes, this can be done by watching for UnsupportedOperationException/InvalidClassException, but it will require the developer to re-build and re-try many times to get all of the various classes taken care of.

With this feature, someone could enable the logging, run the application normally, and end up with a complete list of classes that need to be "allowed" by grepping the log file.

> SafeObjectInputStream contribution - restrict which classes can be
> deserialized
> -------------------------------------------------------------------------------
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject.patch,
> IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch,
> IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch,
> IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288
> code to commons-io. I'll attach a patch.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
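The report-only mode proposed in the comment above, written out as an added, self-contained example. This is not Commons IO's, Sling's or Tomcat's code: the class name `ReportingObjectInputStream`, its `accept(...)` methods, the `reportOnly` constructor flag and the `Event` sample payload are all assumptions made for illustration. The stream overrides `ObjectInputStream.resolveClass`, which the JVM invokes for every class descriptor before anything is instantiated; in enforcing mode a class missing from the allowlist raises `InvalidClassException`, in report-only mode it is logged at INFO and the read continues, so a single normal run produces the list of classes the allowlist still lacks.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;
import java.util.logging.Logger;

/**
 * Hypothetical allowlisting ObjectInputStream with a report-only (audit) mode.
 * Not Commons IO's code; class and method names are assumptions for this example.
 */
public class ReportingObjectInputStream extends ObjectInputStream {
    private static final Logger LOG = Logger.getLogger(ReportingObjectInputStream.class.getName());

    private final List<Predicate<String>> acceptors = new ArrayList<>();
    private final boolean reportOnly;

    /** reportOnly=true logs classes the allowlist would reject instead of failing the read. */
    public ReportingObjectInputStream(InputStream in, boolean reportOnly) throws IOException {
        super(in);
        this.reportOnly = reportOnly;
    }

    /** Accept any class whose fully qualified name satisfies the predicate (e.g. Pattern.asPredicate()). */
    public ReportingObjectInputStream accept(Predicate<String> nameMatcher) {
        acceptors.add(nameMatcher);
        return this;
    }

    /** Accept exactly the given classes by name. */
    public ReportingObjectInputStream accept(Class<?>... classes) {
        for (Class<?> c : classes) {
            acceptors.add(c.getName()::equals);
        }
        return this;
    }

    private boolean isAccepted(String className) {
        for (Predicate<String> p : acceptors) {
            if (p.test(className)) {
                return true;
            }
        }
        return false;
    }

    /** Called by the JVM for every class descriptor in the stream, before any instance is created. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String className = desc.getName();
        if (!isAccepted(className)) {
            if (reportOnly) {
                // Audit mode: record the miss and keep going, so one normal run of the
                // application yields every class the allowlist still needs (grep the log).
                LOG.info("would reject deserialization of class: " + className);
            } else {
                throw new InvalidClassException(className, "class is not on the deserialization allowlist");
            }
        }
        return super.resolveClass(desc);
    }

    /** Constructed sample payload: an allowlisted class holding a java.util.ArrayList field. */
    static class Event implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "login";
        List<String> tags = new ArrayList<>();
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Event());

        // 1. Audit run: only Event is allowlisted, so java.util.ArrayList is logged, not rejected.
        try (ReportingObjectInputStream in =
                 new ReportingObjectInputStream(new ByteArrayInputStream(payload), true)) {
            in.accept(Event.class);
            Event e = (Event) in.readObject();
            System.out.println("audit mode read: " + e.name);
        }

        // 2. Enforcing run with the same incomplete allowlist: the read fails on java.util.ArrayList.
        try (ReportingObjectInputStream in =
                 new ReportingObjectInputStream(new ByteArrayInputStream(payload), false)) {
            in.accept(Event.class);
            in.readObject();
        } catch (InvalidClassException ex) {
            System.out.println("enforcing mode rejected: " + ex.classname);
        }
    }
}
```

Run with `java ReportingObjectInputStream.java` (Java 11 or later). Report-only mode still loads and instantiates the classes it logs, so it is a test-run tool for building the allowlist against known-good traffic, not a setting to leave on where untrusted streams arrive; once the logged classes have been added through `accept(...)`, the same stream is constructed with `reportOnly=false` and the rejection in `resolveClass` becomes the control.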