in hessian-lite/src/main/java/com/alibaba/com/caucho/hessian/io/ClassFactory.java [130:171]
public Class<?> load(String className)
throws ClassNotFoundException {
if (isAllow(className)) {
Class<?> aClass = Class.forName(className, false, _loader);
if (_allowClassSet.containsKey(className)) {
return aClass;
}
if (aClass.getInterfaces().length > 0) {
for (Class<?> anInterface : aClass.getInterfaces()) {
if (!isAllow(anInterface.getName())) {
log.log(Level.SEVERE, className + "'s interfaces: " + anInterface.getName() + " in blacklist or not in whitelist, deserialization with type 'HashMap' instead.");
return HashMap.class;
}
}
}
List<Class<?>> allSuperClasses = new LinkedList<>();
Class<?> superClass = aClass.getSuperclass();
while (superClass != null) {
// add current super class
allSuperClasses.add(superClass);
superClass = superClass.getSuperclass();
}
for (Class<?> aSuperClass : allSuperClasses) {
if (!isAllow(aSuperClass.getName())) {
log.log(Level.SEVERE, className + "'s superClass: " + aSuperClass.getName() + " in blacklist or not in whitelist, deserialization with type 'HashMap' instead.");
return HashMap.class;
}
}
_allowClassSet.put(className, className);
return aClass;
} else {
log.log(Level.SEVERE, className + " in blacklist or not in whitelist, deserialization with type 'HashMap' instead.");
return HashMap.class;
}
}