Open
Description
Feature Request
```java
AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
ThreadSafeFory fory = new ThreadLocalFory(classLoader -> {
  Fory f = Fory.builder().requireClassRegistration(true).withClassLoader(classLoader).build();
  f.getClassResolver().setClassChecker(checker);
  checker.addListener(f.getClassResolver());
  return f;
});
checker.allowClass("org.example.*");
```
I think it makes sense for `setClassChecker` to do `checker.addListener(f.getClassResolver());` automatically, unless I'm missing something.
Also after adding AllowListChecker I still get this error in log
```
ForyBuilder:477 [Test worker] - Class registration isn't forced, unknown classes can be deserialized. If the environment isn't secure, please enable class registration by ForyBuilder#requireClassRegistration(true) or configure TypeChecker by TypeResolver#setTypeChecker
```
I think the security error should be suppressed with a TypeChecker registered since I'm not allowing any random class.
Is your feature request related to a problem? Please describe
No response
Describe the solution you'd like
I think either registration or TypeChecker should stop the unsafe serialization error.
Describe alternatives you've considered
No response
Additional context
No response