Reliably identify the class of a serialized Java object

https://stackoverflow.com/questions/13261804

java
object
serialization
identification
deserialization

27-11-2021
|

문제

I am in need of reliably identifying the class of a serialized object in Java without deserializing it.

So far I have found that the raw data stream will contain the class name. However someone could create a custom class with an arbitrary name to fool the recognition.

Now I am considering implementing a system where the stored data of the object is also checked against a template but this seems cumbersome.

Is there a package that already does this and/or is there a simpler way to reliably identify the class of a serialized Java object?

해결책

Have you looked at JavaAssist (http://www.csg.ci.i.u-tokyo.ac.jp/~chiba/javassist/)? It appears to be able to load class files metadata and make it available without necessarily creating the class.

라이센스 : CC-BY-SA ~와 함께 속성

제휴하지 않습니다 StackOverflow