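import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Objects;

/**
 * An {@link ObjectInputStream} that only resolves a single allow-listed class name.
 *
 * <p>Local files are generally assumed to be trustworthy, but this extra check hardens the
 * application against a crafted stream that names an arbitrary class. It is a narrow
 * mitigation, not a full defence: the allowed class's own {@code readObject} logic still runs,
 * and the caller remains responsible for choosing a class that is safe to deserialize. Do not
 * rely on it in sensitive contexts; on Java 9+ prefer {@link java.io.ObjectInputFilter} via
 * {@code setObjectInputFilter}, which is also applied to array lengths and graph depth.
 *
 * <p>Every class descriptor in the stream is passed through {@link #resolveClass}, so an
 * object whose graph contains serializable superclasses, non-primitive arrays or field values
 * of other classes is rejected unless those descriptors also name the allowed class.
 * Dynamic proxy classes are resolved through a separate hook and are always rejected.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    /** Fully qualified name of the only class this stream will resolve; never null. */
    final String allowedClass;

    /**
     * Creates a stream that will only resolve {@code allowedClass}.
     *
     * @param in           the underlying stream to read serialized data from
     * @param allowedClass fully qualified name of the only class allowed in the stream
     * @throws IOException          if the stream header cannot be read
     * @throws NullPointerException if {@code allowedClass} is null
     */
    public SafeObjectInputStream(InputStream in, String allowedClass) throws IOException {
        super(in);
        this.allowedClass = Objects.requireNonNull(allowedClass, "allowedClass");
    }

    /**
     * Resolves {@code desc} only if its name matches the allow-listed class.
     *
     * @param desc the class descriptor read from the stream
     * @return the resolved class
     * @throws SecurityException      if the descriptor names any other class
     * @throws IOException            propagated from the superclass
     * @throws ClassNotFoundException propagated from the superclass
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Compare against the trusted constant first so a null descriptor name cannot NPE past the check.
        if (!allowedClass.equals(name)) {
            throw new SecurityException(
                    "Refusing to deserialize class " + name + "; only " + allowedClass + " is allowed");
        }
        return super.resolveClass(desc);
    }

    /**
     * Rejects every dynamic proxy descriptor. Proxy classes bypass {@link #resolveClass}, and
     * an allow-list of a single concrete class has no legitimate use for them.
     *
     * @param interfaces interface names read from the stream
     * @return never returns normally
     * @throws SecurityException always
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new SecurityException("Refusing to deserialize dynamic proxy class");
    }
}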