为什么gson不允许java.lang.Class的序列化? [英] Why has gson does not allow serialization of java.lang.Class?
问题描述
如果您尝试序列化一个具有类型 java.lang.Class 的字段的对象,则序列化它将导致 java.lang。 UnsupportedOperationException:试图序列化java.lang.Class:< some_class>忘记注册类型适配器
以下是com.google.gson.internal.bind.TypeAdapters.java中的代码片段
public final class TypeAdapters {
。
。
。
public static final TypeAdapter< Class> CLASS = new TypeAdapter< Class>(){
@Override
public void write(JsonWriter out,Class value)throws IOException {
if(value == null){
out .nullValue();
} else {
throw new UnsupportedOperationException(试图序列化java.lang.Class:
+ value.getName()+。忘记注册类型适配器?);
}
}
。
。
。
$ b 在gson中编码是为了提醒人们他们是否忘记注册一个类型适配器?
正如我所看到的, Class 类型对象可以很容易地使用下面的序列化和反序列化语句:
$ b
序列化: clazz.getName()
<反序列化: Class.forName(className)
当前实现背后的原因是什么?我在哪里错了?
解决方案由@Programmer Bruce Gson不解析类变量 -
在发行评论340 ,Gson项目经理解释道:
序列化类型实际上有点安全问题,所以我们
默认不想支持它。一个恶意的.json文件可能
导致你的应用程序加载它否则不会的类;
取决于你的类路径加载某些类可能会阻止你的
应用程序。
但是写一个类型适配器来支持这个$ b非常简单
当然,由于序列化不同于
反序列化,我不明白这是如何解释
禁用的序列化,除非未提到的概念是在某种意义上
平衡序列化与反序列化的默认行为。
If you try to serialize an object that has a field of type java.lang.Class, serializing it will lead to java.lang.UnsupportedOperationException: Attempted to serialize java.lang.Class: <some_class> Forgot to register a type adapter
Below is the code snippet from com.google.gson.internal.bind.TypeAdapters.java
public final class TypeAdapters {
.
.
.
public static final TypeAdapter<Class> CLASS = new TypeAdapter<Class>() {
@Override
public void write(JsonWriter out, Class value) throws IOException {
if (value == null) {
out.nullValue();
} else {
throw new UnsupportedOperationException("Attempted to serialize java.lang.Class: "
+ value.getName() + ". Forgot to register a type adapter?");
}
}
.
.
.
}
Was this coded in gson just to remind people if they "Forgot to register a type adapter"?
As I see it, Class type object could have easily been serialized and deserialized using the following statements:
Serialize : clazz.getName()
Deserialize : Class.forName(className)
What could the reason behind the current implementation be? Where am I wrong in this?
解决方案 as answered by @Programmer Bruce Gson not parsing Class variable -
In a comment in issue 340, a Gson project manager explains:
Serializing types is actually somewhat of a security problem, so we
don't want to support it by default. A malicious .json file could
cause your application to load classes that it wouldn't otherwise;
depending on your class path loading certain classes could DoS your
application.
But it's quite straightforward to write a type adapter to support this
in your own app.
Of course, since serialization is not the same as
deserialization, I don't understand how this is an explanation for the
disabled serialization, unless the unmentioned notion is to in a sense
"balance" the default behaviors of serialization with deserialization.
这篇关于为什么gson不允许java.lang.Class的序列化?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
