Package org.apache.commons.collections.functors

This package contains implementations of the Closure, Predicate, Transformer and Factory interfaces. These provide simple callbacks for processing with collections.

WARNING: from v3.2.2 onwards this several classes in this package will throw an UnsupportedOperationException when trying to serialize or de-serialize an instance to prevent potential remote code execution exploits.

Classes considered to be unsafe are:

  • CloneTransformer
  • ForClosure
  • InstantiateFactory
  • InstantiateTransformer
  • InvokerTransformer
  • PrototypeFactory$PrototypeCloneFactory
  • PrototypeFactory$PrototypeSerializationFactory
  • WhileClosure

In order to re-enable serialization support for these unsafe classes, the following system property can be used (via -Dproperty=true):

org.apache.commons.collections.enableUnsafeSerialization

Be warned though that enabling serialization support for these unsafe classes makes your application vulnerable to known exploits and you must ensure that your application does not de-serialize objects from untrusted sources.