readObject vs. readValue

ObjectInputStream.readObject() restores an object from its binary (Java serialization) form:

```java
// Read a Java-serialized object straight off the client socket; the stream
// itself names the class to instantiate (throws IOException, ClassNotFoundException)
ObjectInputStream ois = new ObjectInputStream(this.mClient.getInputStream());
Object o = ois.readObject();
```
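The same readObject round trip, as an added example that is not part of the original post: it builds the binary form in memory instead of reading it from a client socket, and attaches an allow-list ObjectInputFilter (java.io, Java 9 and later) so that readObject only restores the class the receiver expects. The Greeting class and the filter pattern are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class ReadObjectDemo {

    // Hypothetical serializable type standing in for whatever the receiver expects.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String text;
        public Greeting(String text) { this.text = text; }
        public String getText() { return text; }
    }

    // Produce the binary data that readObject later restores.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // readObject restores whatever class the stream names; the filter allows
    // only Greeting (nested class name "ReadObjectDemo$Greeting") and rejects
    // every other class before any of its deserialization code runs.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "ReadObjectDemo$Greeting;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hi")));
        System.out.println("restored: " + g.getText());

        // A stream naming any other class (here java.util.Date, constructed
        // locally) is refused with InvalidClassException "filter status: REJECTED".
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK 9 or newer; the point is that the receiving side, not the stream, decides which classes readObject may instantiate.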

ObjectMapper.readValue (from the Jackson library, which converts between JSON and JavaBeans), by contrast, reads and writes objects through their get/set methods.
Take this class to be serialized as an example:

```java
public class Demo {
    private String name;
    private Integer age;
    private String email; // no getter/setter, so Jackson never sees this field

    // property name is derived from the accessor name: "name_1", not "name"
    public String getName_1() {
        return name;
    }
    public void setName_1(String name) {
        this.name = name;
    }

    public Integer getAge() {
        return age;
    }
    public void setAge(Integer age) {
        this.age = age;
    }

    public String toString() {
        return "name:" + name + " age:" + age;
    }
}
```

Serialize it:

```java
import java.util.ArrayList;
import java.util.List;

import com.fasterxml.jackson.databind.ObjectMapper;

public class DemoSerialize {

    public static void main(String[] args) throws Throwable {
        Demo test = new Demo();
        test.setName_1("novy");
        test.setAge(18);

        // Jackson reads each property through its getter
        ObjectMapper mapper = new ObjectMapper();
        String json = mapper.writeValueAsString(test);
        System.out.println(json);

        // collections are serialized element by element the same way
        List<Demo> test2 = new ArrayList<Demo>();
        test2.add(test);
        String jsonlist = mapper.writeValueAsString(test2);
        System.out.println(jsonlist);
    }
}
```

The output is:

```json
{"age":18,"name_1":"novy"}
[{"age":18,"name_1":"novy"}]
```

Deserialization:

```java
import com.fasterxml.jackson.databind.ObjectMapper;

public class DemoDeserialize {

    public static void main(String[] args) throws Throwable {
        String json = "{\"name_1\":\"novy\",\"age\":18}";
        ObjectMapper mapper = new ObjectMapper();
        // deserialized via the set/get methods that exist on the Demo class
        Demo user = mapper.readValue(json, Demo.class);
        System.out.println(user.toString());
    }
}
```

The output is:

```
name:novy age:18
```
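What "deserialization through get/set methods" means in practice, as an added example that is not part of the original post. It assumes the Demo class defined above is on the classpath unchanged and that jackson-databind 2.x is available; the JSON inputs and the CheckedDemo class are constructed for this example.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class DemoPropertyMapping {

    // Hypothetical variant of Demo whose setter validates its argument. Jackson
    // invokes the setter exactly as it does for Demo, so the check runs on every
    // readValue call before the value lands in the object.
    public static class CheckedDemo {
        private Integer age;
        public Integer getAge() { return age; }
        public void setAge(Integer age) {
            if (age == null || age < 0) {
                throw new IllegalArgumentException("age must be >= 0");
            }
            this.age = age;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // 1. The JSON key must match the setter name minus "set" (setName_1 -> "name_1");
        //    a key named "name" has no setter and never reaches the private field.
        Demo a = mapper.readValue("{\"name_1\":\"novy\",\"age\":18}", Demo.class);
        System.out.println(a); // name:novy age:18

        // 2. Demo has an "email" field but no setter, so Jackson cannot map that
        //    key. With default settings an unrecognized key is an error, which is
        //    the safer behaviour: input the mapper cannot place is reported.
        String withEmail = "{\"name_1\":\"novy\",\"email\":\"x@example.org\"}";
        try {
            mapper.readValue(withEmail, Demo.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("rejected unknown property: " + e.getPropertyName());
        }

        // 3. Disabling that check makes the same input silently drop "email".
        ObjectMapper lenient = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        Demo b = lenient.readValue(withEmail, Demo.class);
        System.out.println(b); // name:novy age:null

        // 4. Because setters run during readValue, a validating setter rejects
        //    bad values; Jackson wraps the setter's exception in JsonMappingException.
        try {
            mapper.readValue("{\"age\":-1}", CheckedDemo.class);
        } catch (JsonMappingException e) {
            System.out.println("setter rejected value: " + e.getOriginalMessage());
        }
    }
}
```

The contrast with readObject is the point: readValue only ever calls the accessors of the class you named in the call, so which code runs during deserialization is decided by that class, not by the incoming data.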

No further analysis here; see the reference link.

Reference
http://blog.nsfocus.net/jackson-framework-java-vulnerability-analysis/



Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.