序列化攻击补充
@@ -1,5 +1,7 @@
|
|||||||
package top.fjy8018.designpattern.pattern.creational.singleton;
|
package top.fjy8018.designpattern.pattern.creational.singleton;
|
||||||
|
|
||||||
|
import lombok.extern.slf4j.Slf4j;
|
||||||
|
|
||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -10,6 +12,7 @@ import java.io.Serializable;
|
|||||||
* @author F嘉阳
|
* @author F嘉阳
|
||||||
* @date 2018-09-24 15:38
|
* @date 2018-09-24 15:38
|
||||||
*/
|
*/
|
||||||
|
@Slf4j
|
||||||
public class HungrySingleton implements Serializable {
|
public class HungrySingleton implements Serializable {
|
||||||
/**
|
/**
|
||||||
* 类加载时初始化
|
* 类加载时初始化
|
||||||
@@ -18,10 +21,15 @@ public class HungrySingleton implements Serializable {
|
|||||||
private static final HungrySingleton HUNGRYSINGLETON;
|
private static final HungrySingleton HUNGRYSINGLETON;
|
||||||
|
|
||||||
static {
|
static {
|
||||||
|
log.debug(HungrySingleton.class.getSimpleName() + "静态块实例化");
|
||||||
HUNGRYSINGLETON = new HungrySingleton();
|
HUNGRYSINGLETON = new HungrySingleton();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 该构造器会在反射攻击时调用
|
||||||
|
*/
|
||||||
private HungrySingleton() {
|
private HungrySingleton() {
|
||||||
|
log.debug(HungrySingleton.class.getSimpleName() + "构造器实例化");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static HungrySingleton getInstance() {
|
public static HungrySingleton getInstance() {
|
||||||
|
|||||||
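Review bot: The new constructor Javadoc in the third hunk (`该构造器会在反射攻击时调用`) only covers the reflection path, but the commit is about serialization, and deserialization of a `Serializable` class never runs this private constructor — `ObjectInputStream` allocates the object through the no-arg constructor of the first non-serializable superclass (`Object`), so the `构造器实例化` debug line added here will not appear when a second instance is produced by `readObject()`. I would extend the comment to `Called on normal class loading and on a reflective newInstance(); NOT called during deserialization, which is why this class still yields a second instance.` so a reader does not expect the log to prove or disprove the serialization attack. As a point of style, the two added debug calls concatenate (`log.debug(HungrySingleton.class.getSimpleName() + "静态块实例化")`); the SLF4J form `log.debug("{}静态块实例化", HungrySingleton.class.getSimpleName())` avoids building the string when debug is disabled. `getInstance()` and the rest of the class continue outside the hunk.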
@@ -1,5 +1,7 @@
|
|||||||
package top.fjy8018.designpattern.pattern.creational.singleton;
|
package top.fjy8018.designpattern.pattern.creational.singleton;
|
||||||
|
|
||||||
|
import lombok.extern.slf4j.Slf4j;
|
||||||
|
|
||||||
import java.io.ObjectInputStream;
|
import java.io.ObjectInputStream;
|
||||||
import java.io.ObjectStreamClass;
|
import java.io.ObjectStreamClass;
|
||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
@@ -13,21 +15,24 @@ import java.io.Serializable;
|
|||||||
* 返回true后序列化过程通过反射机制实例化该类
|
* 返回true后序列化过程通过反射机制实例化该类
|
||||||
* <p>
|
* <p>
|
||||||
* 改进方法:在{@link ObjectInputStream#readOrdinaryObject(boolean)} 2071行会检测内部方法
|
* 改进方法:在{@link ObjectInputStream#readOrdinaryObject(boolean)} 2071行会检测内部方法
|
||||||
* 在{@link ObjectStreamClass#hasReadResolveMethod()} 中,判断是否存在名为readResolve的方法,方法名定义在522行
|
* 在{@link ObjectStreamClass#hasReadResolveMethod()} 中,此时已经实例化了一个新对象,之后判断是否存在名为readResolve的方法,方法名定义在522行
|
||||||
* 若有该方法,则用该方法返回的对象写入
|
* 若有该方法,则用该方法返回的对象替换之前实例化的新对象
|
||||||
*
|
*
|
||||||
* @author F嘉阳
|
* @author F嘉阳
|
||||||
* @date 2018-09-24 15:38
|
* @date 2018-09-24 15:38
|
||||||
*/
|
*/
|
||||||
|
@Slf4j
|
||||||
public class HungrySingletonSerializableImprove implements Serializable {
|
public class HungrySingletonSerializableImprove implements Serializable {
|
||||||
|
|
||||||
private static final HungrySingletonSerializableImprove HUNGRYSINGLETON;
|
private static final HungrySingletonSerializableImprove HUNGRYSINGLETON;
|
||||||
|
|
||||||
static {
|
static {
|
||||||
|
log.debug(HungrySingletonSerializableImprove.class.getSimpleName() + "实例化");
|
||||||
HUNGRYSINGLETON = new HungrySingletonSerializableImprove();
|
HUNGRYSINGLETON = new HungrySingletonSerializableImprove();
|
||||||
}
|
}
|
||||||
|
|
||||||
private HungrySingletonSerializableImprove() {
|
private HungrySingletonSerializableImprove() {
|
||||||
|
log.debug(HungrySingletonSerializableImprove.class.getSimpleName() + "实例化");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static HungrySingletonSerializableImprove getInstance() {
|
public static HungrySingletonSerializableImprove getInstance() {
|
||||||
@@ -40,6 +45,7 @@ public class HungrySingletonSerializableImprove implements Serializable {
|
|||||||
* @return
|
* @return
|
||||||
*/
|
*/
|
||||||
private Object readResolve() {
|
private Object readResolve() {
|
||||||
|
log.debug("序列化获取对象");
|
||||||
return HUNGRYSINGLETON;
|
return HUNGRYSINGLETON;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
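Review bot: `readResolve()` in the last hunk keeps an empty `@return` tag while gaining a log line; since the whole point of the method is which object replaces the deserialized one, the tag should say so, e.g. `@return the instance created in the static initializer; the object that deserialization just built is discarded`. The class Javadoc updated in the second hunk (`此时已经实例化了一个新对象...`) correctly states that a throwaway instance is still constructed before `readResolve` runs, but it pins that behaviour to JDK source line numbers (`2071行`, `522行`) without naming the JDK version, so the references will silently go stale; I would add the version, e.g. `(JDK 8 源码行号)` with the actual version substituted. Note also that the static block and the constructor now emit the identical message `实例化`, which makes the debug output unable to show which path ran; distinct messages such as `静态块实例化` / `构造器实例化`, matching the sibling class in this commit, would keep the two classes consistent. `getInstance()` and the class body continue outside the hunks shown.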