In Spring Integration we rely on the ClassLoader from the provided DefaultDeserializer and use for the purpose reflection:
public AllowListDeserializingConverter(Deserializer<Object> deserializer) {
Assert.notNull(deserializer, "Deserializer must not be null");
this.deserializer = deserializer;
if (deserializer instanceof DefaultDeserializer) {
ClassLoader classLoader = null;
try {
classLoader = (ClassLoader) new DirectFieldAccessor(deserializer).getPropertyValue("classLoader");
}
catch (Exception e) {
// no-op
}
this.defaultDeserializerClassLoader = classLoader;
this.usingDefaultDeserializer = true;
}
else {
this.defaultDeserializerClassLoader = null;
this.usingDefaultDeserializer = false;
}
}
That defaultDeserializerClassLoader is used afterwards for an internal ConfigurableObjectInputStream extension:
ObjectInputStream objectInputStream = new ConfigurableObjectInputStream(inputStream,
this.defaultDeserializerClassLoader) {
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc)
throws IOException, ClassNotFoundException {
Class<?> clazz = super.resolveClass(classDesc);
checkAllowList(clazz);
return clazz;
}
};
If you expose a DefaultDeserializer.getClassLoader(), it would be very helpful in our case to avoid reflection and possible native image hint.
Thanks
In Spring Integration we rely on the
ClassLoaderfrom the providedDefaultDeserializerand use for the purpose reflection:That
defaultDeserializerClassLoaderis used afterwards for an internalConfigurableObjectInputStreamextension:If you expose a
DefaultDeserializer.getClassLoader(), it would be very helpful in our case to avoid reflection and possible native image hint.Thanks