chaokunyang commented on issue #2099:
URL: https://github.com/apache/fury/issues/2099#issuecomment-2727448224
```java
private Serializer createSerializer(Class<?> cls) {
DisallowedList.checkNotInDisallowedList(cls.getName());
if (!isSecure(cls)) {
throw new InsecureException(generateSecurityMsg(cls));
} else {
if (!fury.getConfig().suppressClassRegistrationWarnings()
&& !Functions.isLambda(cls)
&& !ReflectionUtils.isJdkProxy(cls)
&& !extRegistry.registeredClassIdMap.containsKey(cls)
&& !shimDispatcher.contains(cls)) {
LOG.warn(generateSecurityMsg(cls));
}
}
```
DisallowedList is checked always.
And we do have API to let users add their own checks. It's the
`org.apache.fury.resolver.ClassResolver#setClassChecker`:
```java
/**
* Check whether class or objects of class should be serialized. If class
checker will be invoked by
* multiple {@link ClassResolver}, class checker should be thread safe.
*/
public interface ClassChecker {
/**
* Check whether class should be allowed for serialization.
*
* @param classResolver class resolver
* @param className full name of class
* @return true if class is allowed for serialization.
*/
boolean checkClass(ClassResolver classResolver, String className);
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
