Open quaff opened 2 months ago
Well, the ConfigurableObjectInputStream is still going to be there since it relies on the specific ClassLoader:
/**
 * Special {@link ObjectInputStream} subclass that resolves class names
 * against a specific {@link ClassLoader}.
 *
 * @author Juergen Hoeller
 * @since 2.5.5
 * @see org.springframework.core.serializer.DefaultDeserializer
 */
public class ConfigurableObjectInputStream extends ObjectInputStream {
Please revise your request about the logic we do in the AllowedListDeserializingMessageConverter to use that ObjectInputFilter instead of the resolveClass() override.
Otherwise this is confusing and might be closed without the fix.
Thanks
I think it's better to use the standard API. See Java Serialization Filters:
https://github.com/spring-projects/spring-amqp/blob/603e6c8c09838aff5a8dcf3f9e6e1ab1d3488cde/spring-amqp/src/main/java/org/springframework/amqp/support/converter/SimpleMessageConverter.java#L158-L162
https://github.com/spring-projects/spring-amqp/blob/603e6c8c09838aff5a8dcf3f9e6e1ab1d3488cde/spring-amqp/src/main/java/org/springframework/amqp/support/converter/SerializerMessageConverter.java#L167-L172
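
The two approaches discussed in this thread, side by side, as an added example that is not code from the thread or from Spring AMQP: the same allow-list enforced first through a `resolveClass()` override and then through the standard `ObjectInputFilter` API (Java 9+). The class name, helper names and allow-list contents are assumptions constructed for the demo.

```java
import java.io.*;
import java.util.*;

public class AllowListDeserializationDemo {
    // Constructed allow-list for this demo; "!*" rejects every class not matched earlier.
    static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter("java.util.Date;java.lang.*;!*");
    static final Set<String> ALLOWED_NAMES = Set.of("java.util.Date");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Subclass approach: the check lives in an overridden resolveClass().
    static Object readWithResolveClass(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED_NAMES.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not in allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    // Standard API approach: no subclass needed, the filter attaches to any ObjectInputStream.
    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readWithResolveClass(serialize(new Date(0))));
        System.out.println(readWithFilter(serialize(new Date(0))));
        try {
            readWithFilter(serialize(new HashMap<String, String>())); // not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Because the filter is set on the stream rather than baked into a subclass, it can be combined with a stream subclass that exists for other reasons, such as resolving classes against a specific ClassLoader.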