/*
* Copyright 2011 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package com.google.gwt.user.server.rpc;
import com.google.gwt.user.client.rpc.CustomFieldSerializer;
import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.impl.DequeMap;
import com.google.gwt.user.server.rpc.impl.ServerSerializationStreamReader;
import java.lang.reflect.Type;
import java.lang.reflect.TypeVariable;
/**
* An abstract base class that may be extended by server-side class-based custom
* field serializers.
*
* Usage of this class will reduce the amount of server-side reflection during
* serialization and provide type safety.
*
* @param <T> the type of the object being serialized
*/
public abstract class ServerCustomFieldSerializer<T> extends CustomFieldSerializer<T> {

  /**
   * Reads the content of {@code instance} from the
   * {@link ServerSerializationStreamReader}, with type checking.
   *
   * <p>Trust boundary: the calling code has verified that the instance being
   * deserialized is of the correct type for the RPC call. It has <em>not</em>
   * verified the objects that this method will read from the stream. The
   * implementation is responsible for verifying the type of every object it
   * reads. Failing to do so leaves the server exposed to a client that
   * replaces data in the RPC message with data that takes an exponential time
   * to deserialize or otherwise causes problems.
   *
   * <p>In practice, any call to
   * {@code ServerSerializationStreamReader.readObject()} should use the
   * type-checking version, passing in the expected type of the object to be
   * read. For classes that deserialize objects of generic types,
   * {@code expectedParameterTypes} provides the type bound to each generic
   * type parameter defined by the instance. See the built-in GWT server custom
   * field serializers for examples.
   *
   * @param streamReader the {@link ServerSerializationStreamReader} to read the
   *          object's content from
   * @param instance the object instance to deserialize
   * @param expectedParameterTypes the types expected for any generic parameters
   *          used by this class, in the order in which they appear in
   *          instance.getTypeParameters()
   * @param resolvedTypes map from generic types to actual types
   * @throws SerializationException if the deserialization operation is not
   *           successful
   */
  public abstract void deserializeInstance(
      ServerSerializationStreamReader streamReader,
      T instance,
      Type[] expectedParameterTypes,
      DequeMap<TypeVariable<?>, Type> resolvedTypes)
      throws SerializationException;

  /**
   * Instantiates an object from the {@link ServerSerializationStreamReader},
   * without type checking.
   *
   * <p>This implementation forwards the reader to the inherited
   * {@code instantiateInstance} of {@link CustomFieldSerializer}.
   *
   * @param streamReader the {@link ServerSerializationStreamReader} to read the
   *          object's content from
   * @return an object that has been loaded from the
   *         {@link ServerSerializationStreamReader}
   * @throws SerializationException if the instantiation operation is not
   *           successful
   */
  public T instantiateInstance(ServerSerializationStreamReader streamReader)
      throws SerializationException {
    final T created = super.instantiateInstance(streamReader);
    return created;
  }

  /**
   * Instantiates an object from the {@link ServerSerializationStreamReader},
   * with type checking.
   *
   * <p>Most of the time, this can be left unimplemented and the framework will
   * instantiate the instance itself. Overriding is typically needed when the
   * object being deserialized is immutable and therefore has to be created
   * with its state already set.
   *
   * <p>If this is overridden, the
   * {@link CustomFieldSerializer#hasCustomInstantiateInstance()} method must
   * return {@code true} in order for the framework to know to call it.
   *
   * <p>Trust boundary: the calling code has verified that the instance being
   * instantiated is of the correct type for the RPC call. It has <em>not</em>
   * verified the objects that this instantiator will read from the stream. The
   * implementation is responsible for verifying the type of every object it
   * reads. Failing to do so leaves the server exposed to a client that
   * replaces data in the RPC message with data that takes an exponential time
   * to instantiate or otherwise causes problems.
   *
   * <p>In practice, any call to
   * {@code ServerSerializationStreamReader.readObject()} should use the
   * type-checking version, passing in the expected type of the object to be
   * read. For classes that instantiate objects of generic types,
   * {@code expectedParameterTypes} provides the type bound to each generic
   * type parameter defined by the instance. See the built-in GWT server custom
   * field serializers for examples.
   *
   * <p>Note for implementers: the body below forwards only
   * {@code streamReader} to the inherited {@code instantiateInstance}; it does
   * not consult {@code expectedParameterTypes} or {@code resolvedTypes}. Any
   * type verification therefore has to be supplied by the overriding method.
   *
   * @param streamReader the {@link ServerSerializationStreamReader} to read the
   *          object's content from
   * @param expectedParameterTypes the types expected for any generic parameters
   *          used by this class, in the order returned by
   *          instance.getTypeParameters()
   * @param resolvedTypes map from generic types to actual types
   * @return an object that has been loaded from the
   *         {@link ServerSerializationStreamReader}
   * @throws SerializationException if the instantiation operation is not
   *           successful
   */
  public T instantiateInstance(
      ServerSerializationStreamReader streamReader,
      Type[] expectedParameterTypes,
      DequeMap<TypeVariable<?>, Type> resolvedTypes)
      throws SerializationException {
    // The type arguments are intentionally unused in this default path.
    final T created = super.instantiateInstance(streamReader);
    return created;
  }
}