How do I add a type to GWT's Serialization Policy whitelist?
Asked Answered
B

9

35

GWT's serializer has limited java.io.Serializable support, but for security reasons there is a whitelist of types it supports. The documentation I've found, for example this FAQ entry says that any types you want to serialize "must be included in the serialization policy whitelist", and that the list is generated at compile time, but doesn't explain how the compiler decides what goes on the whitelist.

The generated list contains a number of types that are part of the standard library, such as java.lang.String and java.util.HashMap. I get an error when trying to serialize java.sql.Date, which implements the Serializable interface, but is not on the whitelist. How can I add this type to the list?

Barbosa answered 26/9, 2008 at 7:7 Comment(0)
H
11

Any specific types that you include in your service interface and any types that they reference will be automatically whitelisted, as long as they implement java.io.Serializable, eg:

public String getStringForDates(ArrayList<java.util.Date> dates);

Will result in ArrayList and Date both being included on the whitelist.

It gets trickier if you try and use java.lang.Object instead of specific types:

public Object getObjectForString(String str);

Because the compiler doesn't know what to whitelist. In that case if the objects are not referenced anywhere in your service interface, you have to mark them explicitly with the IsSerializable interface, otherwise it won't let you pass them through the RPC mechanism.

Hulbard answered 28/9, 2008 at 0:50 Comment(2)
I'm getting errors for java.lang.Double, so there's clearDona
I'm getting errors for java.lang.Double and other types that I cannot edit. So how would I add IsSerializable to them? Could you provide an example.Dona
D
31

There's a workaround: define a new Dummy class with member fields of all the types that you want to be included in serialization. Then add a method to your RPC interface:

Dummy dummy(Dummy d);

The implementation is just this:

Dummy dummy(Dummy d) { return d; }

And the async interface will have this:

void dummy(Dummy d, AsyncCallback< Dummy> callback);

The GWT compiler will pick this up, and because the Dummy class references those types, it will include them in the white list.

Example Dummy class:

public class Dummy implements IsSerializable {
    private java.sql.Date d;
}
Debbiedebbra answered 14/6, 2009 at 12:36 Comment(0)
H
11

Any specific types that you include in your service interface and any types that they reference will be automatically whitelisted, as long as they implement java.io.Serializable, eg:

public String getStringForDates(ArrayList<java.util.Date> dates);

Will result in ArrayList and Date both being included on the whitelist.

It gets trickier if you try and use java.lang.Object instead of specific types:

public Object getObjectForString(String str);

Because the compiler doesn't know what to whitelist. In that case if the objects are not referenced anywhere in your service interface, you have to mark them explicitly with the IsSerializable interface, otherwise it won't let you pass them through the RPC mechanism.

Hulbard answered 28/9, 2008 at 0:50 Comment(2)
I'm getting errors for java.lang.Double, so there's clearDona
I'm getting errors for java.lang.Double and other types that I cannot edit. So how would I add IsSerializable to them? Could you provide an example.Dona
A
8

The whitelist is generated by the GWT compiler and contains all the entries that are designated by the IsSerializable marker interface.

To add a type to the list you just need to make sure that the class implements the IsSerializable interface.

Additionally for serialization to work correctly the class must have a default no arg constructor (constructor can be private if needed). Also if the class is an inner it must be marked as static.

Afferent answered 26/9, 2008 at 11:53 Comment(2)
It should be added -- the class also needs to have a public default no-args constructor. Just implementing the IsSerializable interface without that is not enough. Found this out the hard way after an hour of debugging :)Creditor
@AdrianPetrescu That is not completely correct. The no args constructor may be private, but it must be there nevertheless. Furthermore, the class itself must not be be private, and if it is an inner class, it must be static. And the class may not have final non static fields.Quartzite
C
2

IMHO the simpliest way to access whitelist programmatically is to create a class similar to this:

public class SerializableWhitelist implements IsSerializable {
    String[] dummy1;
    SomeOtherThingsIWishToSerialize dummy2;
}

Then include it in the .client package and reference from the RPC service (so it gets analyzed by the compiler).

I couldn't find a better way to enable tranfer of unparameterized maps, which is obviously what you sometimes need in order to create more generic services...

Catwalk answered 4/8, 2009 at 22:14 Comment(0)
R
1

to ensure the desired result delete all war/<app>/gwt/*.gwt.rpc

Rover answered 7/10, 2009 at 19:36 Comment(0)
H
1

The whitelist is generated by the gwt compiler and contains all the entries that are designated by the IsSerializable marker interface.

To add a type to the list you just need to make sure that the class implements the IsSerializable interface.

-- Andrej

This is probably the easiest solution. The only thing to remember with this is that all the classes that you want to serialize should have "public, no-argument" constructor, and (depending upon requirements) setter methods for the member fields.

Hinkley answered 10/4, 2010 at 17:53 Comment(1)
The visibility of the default constructor is not important. You just need a zero arg default constructor of any visibility (even a private will do)Purple
R
0

To anyone who will have the same question and doesn't find previous answers satisfactory...

I'm using GWT with GWTController, since I'm using Spring, which I modified as described in this message. The message explains how to modify GrailsRemoteServiceServlet, but GWTController calls RPC.decodeRequest() and RPC.encodeResponseForSuccess() in the same way.

This is the final version of GWTController I'm using:

/**
 * Used to instantiate GWT server in Spring context.
 *
 * Original version from <a href="http://docs.google.com/Doc?docid=dw2zgx2_25492p5qxfq&hl=en">this tutorial</a>.
 * 
 * ...fixed to work as explained <a href="http://blog.js-development.com/2009/09/gwt-meets-spring.html">in this tutorial</a>.
 * 
 * ...and then fixed to use StandardSerializationPolicy as explained in
 * <a href="http://markmail.org/message/k5j2vni6yzcokjsw">this message</a> to allow
 * using Serializable instead of IsSerializable in model.
 */
public class GWTController extends RemoteServiceServlet implements Controller, ServletContextAware {

 // Instance fields

 private RemoteService remoteService;

 private Class<? extends RemoteService> remoteServiceClass;

 private ServletContext servletContext;

 // Public methods

 /**
  * Call GWT's RemoteService doPost() method and return null.
  * 
  * @param request
  *            The current HTTP request
  * @param response
  *            The current HTTP response
  * @return A ModelAndView to render, or null if handled directly
  * @throws Exception
  *             In case of errors
  */
 public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
  doPost(request, response);
  return null; // response handled by GWT RPC over XmlHttpRequest
 }

 /**
  * Process the RPC request encoded into the payload string and return a string that encodes either the method return
  * or an exception thrown by it.
  * 
  * @param payload
  *            The RPC payload
  */
 public String processCall(String payload) throws SerializationException {
  try {
   RPCRequest rpcRequest = RPC.decodeRequest(payload, this.remoteServiceClass, this);

   // delegate work to the spring injected service
   return RPC.invokeAndEncodeResponse(this.remoteService, rpcRequest.getMethod(), rpcRequest.getParameters(), rpcRequest.getSerializationPolicy());
  } catch (IncompatibleRemoteServiceException e) {
   return RPC.encodeResponseForFailure(null, e);
  }
 }

 /**
  * Setter for Spring injection of the GWT RemoteService object.
  * 
  * @param RemoteService
  *            The GWT RemoteService implementation that will be delegated to by the {@code GWTController}.
  */
 public void setRemoteService(RemoteService remoteService) {
  this.remoteService = remoteService;
  this.remoteServiceClass = this.remoteService.getClass();
 }

 @Override
 public ServletContext getServletContext() {
  return servletContext;
 }

 public void setServletContext(ServletContext servletContext) {
  this.servletContext = servletContext;
 }
}
Reclinate answered 26/10, 2009 at 20:34 Comment(0)
P
0

I found that just putting it in the client package or using it in a dummy service interface was not sufficient as it seemed the system optimized it away.

I found it easiest to create a class that derived from one of the types already used in the service interface and stick it in the client package. Nothing else needed.

public class GWTSerializableTypes extends SomeTypeInServiceInterface implements IsSerializable {
    Long l;
    Double d;
    private GWTSerializableTypes() {}
}
Presto answered 23/9, 2011 at 16:38 Comment(0)
R
0

I had this problem but ended up tracing the problem back to a line of code in my Serializable object:

Logger.getLogger(this.getClass().getCanonicalName()).log(Level.INFO, "Foo");

There were no other complaints before the exception gets caught in:

 @Override
  protected void serialize(Object instance, String typeSignature)
      throws SerializationException {
    assert (instance != null);

    Class<?> clazz = getClassForSerialization(instance);

    try {
      serializationPolicy.validateSerialize(clazz);
    } catch (SerializationException e) {
      throw new SerializationException(e.getMessage() + ": instance = " + instance);
    }
    serializeImpl(instance, clazz);
  }

And the business end of the stack trace is:

com.google.gwt.user.client.rpc.SerializationException: Type 'net.your.class' was not included in the set of types which can be serialized by this SerializationPolicy or its Class object could not be loaded. For security purposes, this type will not be serialized.: instance = net.your.class@9c7edce
    at com.google.gwt.user.server.rpc.impl.ServerSerializationStreamWriter.serialize(ServerSerializationStreamWriter.java:619)
Roselynroseman answered 6/2, 2013 at 16:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.