Hessian whitelist2 (apache#6423)

vio-lin · Jul 7, 2020 · 9d5e8b3 · 9d5e8b3
1 parent 11e728c
commit 9d5e8b3
Show file tree

Hide file tree

Showing 8 changed files with 164 additions and 32 deletions.
diff --git a/...essian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectInput.java b/...essian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectInput.java
@@ -17,6 +17,7 @@
 package org.apache.dubbo.common.serialize.hessian2;
 
 import org.apache.dubbo.common.serialize.ObjectInput;
+import org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer;
 
 import com.alibaba.com.caucho.hessian.io.Hessian2Input;
 
@@ -31,7 +32,7 @@ public class Hessian2ObjectInput implements ObjectInput {
 
     private static ThreadLocal<Hessian2Input> INPUT_TL = ThreadLocal.withInitial(() -> {
         Hessian2Input h2i = new Hessian2Input(null);
-        h2i.setSerializerFactory(Hessian2SerializerFactory.SERIALIZER_FACTORY);
+        h2i.setSerializerFactory(Hessian2FactoryInitializer.getInstance().getSerializerFactory());
         h2i.setCloseStreamOnClose(true);
         return h2i;
     });

diff --git a/...ssian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectOutput.java b/...ssian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectOutput.java
@@ -17,6 +17,7 @@
 package org.apache.dubbo.common.serialize.hessian2;
 
 import org.apache.dubbo.common.serialize.ObjectOutput;
+import org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer;
 
 import com.alibaba.com.caucho.hessian.io.Hessian2Output;
 
@@ -30,7 +31,7 @@ public class Hessian2ObjectOutput implements ObjectOutput {
 
     private static ThreadLocal<Hessian2Output> OUTPUT_TL = ThreadLocal.withInitial(() -> {
         Hessian2Output h2o = new Hessian2Output(null);
-        h2o.setSerializerFactory(Hessian2SerializerFactory.SERIALIZER_FACTORY);
+        h2o.setSerializerFactory(Hessian2FactoryInitializer.getInstance().getSerializerFactory());
         h2o.setCloseStreamOnClose(true);
         return h2o;
     });

diff --git a/...2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/...2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,40 +16,11 @@
  */
 package org.apache.dubbo.common.serialize.hessian2;
 
-import org.apache.dubbo.common.config.ConfigurationUtils;
-import org.apache.dubbo.common.utils.StringUtils;
-
 import com.alibaba.com.caucho.hessian.io.SerializerFactory;
 
 public class Hessian2SerializerFactory extends SerializerFactory {
-    private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
-    private static final String ALLOW = "dubbo.application.hessian2.allow";
-    private static final String DENY = "dubbo.application.hessian2.deny";
-
-    public static final SerializerFactory SERIALIZER_FACTORY;
-
-    /**
-     * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
-     */
-    static {
-        SERIALIZER_FACTORY = new Hessian2SerializerFactory();
-        String whiteList = ConfigurationUtils.getProperty(WHITELIST);
-        if ("true".equals(whiteList)) {
-            SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
-            String allowPattern = ConfigurationUtils.getProperty(ALLOW);
-            if (StringUtils.isNotEmpty(allowPattern)) {
-                SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
-            }
-        } else {
-            SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
-            String denyPattern = ConfigurationUtils.getProperty(DENY);
-            if (StringUtils.isNotEmpty(denyPattern)) {
-                SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
-            }
-        }
-    }
 
-    private Hessian2SerializerFactory() {
+    public Hessian2SerializerFactory() {
     }
 
     @Override

diff --git a/.../org/apache/dubbo/common/serialize/hessian2/dubbo/AbstractHessian2FactoryInitializer.java b/.../org/apache/dubbo/common/serialize/hessian2/dubbo/AbstractHessian2FactoryInitializer.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+public abstract class AbstractHessian2FactoryInitializer implements Hessian2FactoryInitializer {
+    private static SerializerFactory SERIALIZER_FACTORY;
+
+    @Override
+    public SerializerFactory getSerializerFactory() {
+        if (SERIALIZER_FACTORY != null) {
+            return SERIALIZER_FACTORY;
+        }
+        synchronized (this) {
+            SERIALIZER_FACTORY = createSerializerFactory();
+        }
+        return SERIALIZER_FACTORY;
+    }
+
+    protected abstract SerializerFactory createSerializerFactory();
+}
diff --git a/...a/org/apache/dubbo/common/serialize/hessian2/dubbo/DefaultHessian2FactoryInitializer.java b/...a/org/apache/dubbo/common/serialize/hessian2/dubbo/DefaultHessian2FactoryInitializer.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import org.apache.dubbo.common.serialize.hessian2.Hessian2SerializerFactory;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+public class DefaultHessian2FactoryInitializer extends AbstractHessian2FactoryInitializer {
+    @Override
+    protected SerializerFactory createSerializerFactory() {
+        return new Hessian2SerializerFactory();
+    }
+}
diff --git a/...ain/java/org/apache/dubbo/common/serialize/hessian2/dubbo/Hessian2FactoryInitializer.java b/...ain/java/org/apache/dubbo/common/serialize/hessian2/dubbo/Hessian2FactoryInitializer.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.extension.ExtensionLoader;
+import org.apache.dubbo.common.extension.SPI;
+import org.apache.dubbo.common.utils.StringUtils;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+@SPI("default")
+public interface Hessian2FactoryInitializer {
+    String WHITELIST = "dubbo.application.hessian2.whitelist";
+    String ALLOW = "dubbo.application.hessian2.allow";
+    String DENY = "dubbo.application.hessian2.deny";
+    ExtensionLoader<Hessian2FactoryInitializer> loader = ExtensionLoader.getExtensionLoader(Hessian2FactoryInitializer.class);
+
+    SerializerFactory getSerializerFactory();
+
+    static Hessian2FactoryInitializer getInstance() {
+        String whitelist = ConfigurationUtils.getProperty(WHITELIST);
+        if (StringUtils.isNotEmpty(whitelist)) {
+            return loader.getExtension("whitelist");
+        }
+        return loader.getDefaultExtension();
+    }
+
+}
diff --git a/...org/apache/dubbo/common/serialize/hessian2/dubbo/WhitelistHessian2FactoryInitializer.java b/...org/apache/dubbo/common/serialize/hessian2/dubbo/WhitelistHessian2FactoryInitializer.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2SerializerFactory;
+import org.apache.dubbo.common.utils.StringUtils;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+/**
+ * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+ */
+public class WhitelistHessian2FactoryInitializer extends AbstractHessian2FactoryInitializer {
+
+    @Override
+    public SerializerFactory createSerializerFactory() {
+        SerializerFactory serializerFactory = new Hessian2SerializerFactory();
+        String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+        if ("true".equals(whiteList)) {
+            serializerFactory.getClassFactory().setWhitelist(true);
+            String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+            if (StringUtils.isNotEmpty(allowPattern)) {
+                serializerFactory.getClassFactory().allow(allowPattern);
+            }
+        } else {
+            serializerFactory.getClassFactory().setWhitelist(false);
+            String denyPattern = ConfigurationUtils.getProperty(DENY);
+            if (StringUtils.isNotEmpty(denyPattern)) {
+                serializerFactory.getClassFactory().deny(denyPattern);
+            }
+        }
+        return serializerFactory;
+    }
+
+}
diff --git a/...ubbo/internal/org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer b/...ubbo/internal/org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer
@@ -0,0 +1,2 @@
+default=org.apache.dubbo.common.serialize.hessian2.dubbo.DefaultHessian2FactoryInitializer
+whitelist=org.apache.dubbo.common.serialize.hessian2.dubbo.WhitelistHessian2FactoryInitializer