diff --git a/spring-core/src/main/java/org/springframework/core/serializer/DefaultDeserializer.java b/spring-core/src/main/java/org/springframework/core/serializer/DefaultDeserializer.java
index 66a91b3836a67ccdd9f8dd73f60e7f14a5496647..9c100b685680985b312c5d04f2dd2d6329afee74 100644
--- a/spring-core/src/main/java/org/springframework/core/serializer/DefaultDeserializer.java
+++ b/spring-core/src/main/java/org/springframework/core/serializer/DefaultDeserializer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -20,23 +20,50 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 
+import org.springframework.core.ConfigurableObjectInputStream;
 import org.springframework.core.NestedIOException;
 
 /**
- * Deserializer that reads an input stream using Java Serialization.
+ * A default {@link Deserializer} implementation that reads an input stream
+ * using Java serialization.
 *
 * @author Gary Russell
 * @author Mark Fisher
+ * @author Juergen Hoeller
 * @since 3.0.5
+ * @see ObjectInputStream
 */
 public class DefaultDeserializer implements Deserializer {
 
+ private final ClassLoader classLoader;
+
+
+ /**
+ * Create a {@code DefaultDeserializer} with default {@link ObjectInputStream}
+ * configuration, using the "latest user-defined ClassLoader".
+ */
+ public DefaultDeserializer() {
+ this.classLoader = null;
+ }
+
+ /**
+ * Create a {@code DefaultDeserializer} for using an {@link ObjectInputStream}
+ * with the given {@code ClassLoader}.
+ * @since 4.2.1
+ * @see ConfigurableObjectInputStream#ConfigurableObjectInputStream(InputStream, ClassLoader)
+ */
+ public DefaultDeserializer(ClassLoader classLoader) {
+ this.classLoader = classLoader;
+ }
+
+
 /**
 * Reads the input stream and deserializes into an object.
+ * @see ObjectInputStream#readObject()
 */
 @Override
 public Object deserialize(InputStream inputStream) throws IOException {
- ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
+ ObjectInputStream objectInputStream = new ConfigurableObjectInputStream(inputStream, this.classLoader);
 try {
 return objectInputStream.readObject();
 }
diff --git a/spring-core/src/main/java/org/springframework/core/serializer/support/DeserializingConverter.java b/spring-core/src/main/java/org/springframework/core/serializer/support/DeserializingConverter.java
index 074acf7bbb1585bce39f37c139eafe2a44a859a2..8bee4ddd2fdb0934001c77ec04ac6bd8b6e8980c 100644
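Review bot: The new `deserialize` body instantiates whatever classes the byte stream names through `ConfigurableObjectInputStream.readObject()` with no type restriction, yet the method Javadoc only gained a `@see`; that contract belongs on the method so callers do not hand it data from an untrusted source. Suggested line for the `deserialize` Javadoc: `* <p>Uses plain Java serialization with no class filtering: the stream decides which types get instantiated, so only apply this to data from a trusted source.` The `DefaultDeserializer(ClassLoader)` Javadoc could also state whether `null` is accepted; the no-arg constructor's assignment of `null` suggests it falls back to the "latest user-defined ClassLoader", but that depends on `ConfigurableObjectInputStream`, which is not shown here. The body of `deserialize` continues past the end of the hunk.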
--- a/spring-core/src/main/java/org/springframework/core/serializer/support/DeserializingConverter.java
+++ b/spring-core/src/main/java/org/springframework/core/serializer/support/DeserializingConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -24,11 +24,13 @@ import org.springframework.core.serializer.Deserializer;
 import org.springframework.util.Assert;
 
 /**
- * A {@link Converter} that delegates to a {@link org.springframework.core.serializer.Deserializer}
+ * A {@link Converter} that delegates to a
+ * {@link org.springframework.core.serializer.Deserializer}
 * to convert data in a byte array to an object.
 *
 * @author Gary Russell
 * @author Mark Fisher
+ * @author Juergen Hoeller
 * @since 3.0.5
 */
 public class DeserializingConverter implements Converter {
@@ -37,14 +39,26 @@ public class DeserializingConverter implements Converter {
 /**
- * Create a default DeserializingConverter that uses standard Java deserialization.
+ * Create a {@code DeserializingConverter} with default {@link java.io.ObjectInputStream}
+ * configuration, using the "latest user-defined ClassLoader".
+ * @see DefaultDeserializer#DefaultDeserializer()
 */
 public DeserializingConverter() {
 this.deserializer = new DefaultDeserializer();
 }
 
 /**
- * Create a DeserializingConverter that delegates to the provided {@link Deserializer}.
+ * Create a {@code DeserializingConverter} for using an {@link java.io.ObjectInputStream}
+ * with the given {@code ClassLoader}.
+ * @since 4.2.1
+ * @see DefaultDeserializer#DefaultDeserializer(ClassLoader)
+ */
+ public DeserializingConverter(ClassLoader classLoader) {
+ this.deserializer = new DefaultDeserializer(classLoader);
+ }
+
+ /**
+ * Create a {@code DeserializingConverter} that delegates to the provided {@link Deserializer}.
 */
 public DeserializingConverter(Deserializer deserializer) {
 Assert.notNull(deserializer, "Deserializer must not be null");