package org.springframework.security.oauth2.common.util;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.springframework.util.ClassUtils;

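/**
 * Serialization strategy that only deserializes classes whose fully-qualified name starts
 * with one of a configured list of prefixes; every other class in the stream is rejected
 * with a {@link NotSerializableException} before it is loaded.
 *
 * <p>Security notes for anyone configuring this class:
 * <ul>
 *   <li>Entries are matched with {@link String#startsWith(String)}, so each entry admits a whole
 *       namespace. {@code "java.util."} admits every class in that package and its
 *       sub-packages, and an entry without a trailing dot (for example {@code "com.example"})
 *       also matches sibling packages such as {@code com.example2}. Keep entries as narrow as
 *       possible: use full class names, or package names that end with a dot.</li>
 *   <li>The check is applied to the name reported by the stream's class descriptor. Array
 *       descriptors use JVM-style names that begin with {@code "["}, so arrays are rejected
 *       unless an entry matches that form.</li>
 *   <li>NOTE(review): only {@code resolveClass} is overridden. Interface names of dynamic proxy
 *       descriptors are resolved by {@code ObjectInputStream.resolveProxyClass}, which this
 *       class does not filter; confirm whether that is acceptable for the data being read.</li>
 *   <li>Prefix filtering narrows the set of loadable classes but does not make native
 *       deserialization of untrusted bytes safe by itself; the input should still come from a
 *       trusted, integrity-protected store.</li>
 * </ul>
 *
 * <p>The class is marked {@code @Deprecated} in the artifact it was recovered from; no
 * replacement is named in this file.
 */
@Deprecated
/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-2.5.0.RELEASE.jar:org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.class */
public class WhitelistedSerializationStrategy extends DefaultSerializationStrategy {
    /** Prefixes used by the no-argument constructor. */
    private static final List<String> DEFAULT_ALLOWED_CLASSES;

    /** Immutable snapshot of the allowed class-name prefixes for this strategy. */
    private final List<String> allowedClasses;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-2.5.0.RELEASE.jar:org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy$WhitelistedObjectInputStream.class */
    /**
     * {@link ObjectInputStream} that refuses to resolve any class whose name does not start
     * with one of the allowed prefixes.
     */
    private static class WhitelistedObjectInputStream extends ObjectInputStream {
        private final List<String> allowedClasses;
        private final ClassLoader classLoader;

        /**
         * @param inputStream serialized bytes to read
         * @param classLoader loader used to resolve permitted classes; when {@code null} the
         *     default {@link ObjectInputStream} resolution is used
         * @param list allowed class-name prefixes
         * @throws IOException if the stream header cannot be read
         */
        private WhitelistedObjectInputStream(InputStream inputStream, ClassLoader classLoader, List<String> list) throws IOException {
            super(inputStream);
            this.classLoader = classLoader;
            this.allowedClasses = Collections.unmodifiableList(list);
        }

        /**
         * Rejects the class before any loading happens when its name is not covered by the
         * allowlist, then resolves it with the configured class loader.
         *
         * @throws NotSerializableException if the class name matches no allowed prefix
         */
        @Override // java.io.ObjectInputStream
        protected Class<?> resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
            String className = objectStreamClass.getName();
            // The allowlist check must come first so that a rejected class is never loaded
            // or initialized.
            if (isProhibited(className)) {
                throw new NotSerializableException("Not allowed to deserialize " + className);
            }
            if (this.classLoader != null) {
                return ClassUtils.forName(className, this.classLoader);
            }
            return super.resolveClass(objectStreamClass);
        }

        /**
         * Returns {@code true} when {@code str} starts with none of the allowed prefixes.
         * An empty allowlist therefore prohibits every class.
         */
        private boolean isProhibited(String str) {
            for (String allowedPrefix : this.allowedClasses) {
                if (str.startsWith(allowedPrefix)) {
                    return false;
                }
            }
            return true;
        }
    }

    /** Creates a strategy that uses the default prefixes defined in the static initializer. */
    public WhitelistedSerializationStrategy() {
        this(DEFAULT_ALLOWED_CLASSES);
    }

    /**
     * Creates a strategy that uses the given class-name prefixes.
     *
     * <p>The list is copied, so later changes to the caller's list cannot widen or narrow the
     * allowlist of an already constructed strategy.
     *
     * @param list allowed class-name prefixes; must not be {@code null}
     * @throws NullPointerException if {@code list} is {@code null}
     */
    public WhitelistedSerializationStrategy(List<String> list) {
        // Defensive copy: an unmodifiable view alone would still reflect mutations made
        // through the caller's reference.
        this.allowedClasses = Collections.unmodifiableList(new ArrayList<String>(list));
    }

    /**
     * Wraps the bytes in a filtering stream bound to the calling thread's context class loader
     * as it is at the time of the call.
     */
    @Override // org.springframework.security.oauth2.common.util.DefaultSerializationStrategy
    protected ObjectInputStream createObjectInputStream(byte[] bArr) throws IOException {
        ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
        return new WhitelistedObjectInputStream(new ByteArrayInputStream(bArr), contextLoader, this.allowedClasses);
    }

    static {
        // Each default entry admits an entire package tree (prefix match); see the class
        // documentation before relying on these for untrusted input.
        List<String> defaults = new ArrayList<String>();
        defaults.add("java.lang.");
        defaults.add("java.util.");
        defaults.add("org.springframework.security.");
        DEFAULT_ALLOWED_CLASSES = Collections.unmodifiableList(defaults);
    }
}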
