JEP 187: Serialization 2.0
Florian Weimer
fweimer at redhat.com
Wed Jan 22 15:14:34 UTC 2014
On 01/22/2014 03:47 PM, Chris Hegarty wrote:
> On 22/01/14 13:57, Florian Weimer wrote:
>> On 01/14/2014 01:26 AM, mark.reinhold at oracle.com wrote:
>>> Posted: http://openjdk.java.net/jeps/187
>>
>> There's another aspect of the current approach to serialization that is
>> not mentioned: the type information does not come from the calling
>> context, but exclusively from the input stream.
>
> Have you overlooked resolveClass [1], or are you looking for additional
> context?
I mean something slightly different, so here's a concrete example:
Assume we are deserializing an instance of a class with a String field.
The current framework deserializes whatever is in the input stream,
and will bail out with a ClassCastException if the deserialized object
turns out unusable. Contrast this with an alternative approach that
uses the knowledge that the field String and will refuse to read
anything else from the input stream.
--
Florian Weimer / Red Hat Product Security Team
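An added example (not code from the thread or from OpenJDK) that makes the behaviour described above observable: the stream, not the declared field type, decides which class is instantiated, so a class smuggled into a String slot is fully deserialized and its readObject runs before the ClassCastException. The second read shows the later ObjectInputFilter allow-list (JEP 290, Java 9+), which rejects the class descriptor before any instance exists. The Marker, Note and StreamTypeDemo names are assumptions of this example.

```java
import java.io.*;

// Records whether its deserialization hook ran, i.e. whether it was fully built.
class Marker implements Serializable {
    private static final long serialVersionUID = 1L;
    static boolean readObjectRan = false;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        readObjectRan = true;
        in.defaultReadObject();
    }
}

// One String field. To simulate a stream that did not come from this class,
// writeObject deliberately stores a Marker in the slot the stream descriptor
// declares as a String; PutField.put does not check the value's runtime type.
class Note implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final ObjectStreamField[] serialPersistentFields = {
        new ObjectStreamField("text", String.class) };
    String text = "unused";
    private void writeObject(ObjectOutputStream out) throws IOException {
        ObjectOutputStream.PutField pf = out.putFields();
        pf.put("text", new Marker());
        out.writeFields();
    }
}

public class StreamTypeDemo {
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new Note()); }
        byte[] bytes = bos.toByteArray();   // the constructed untrusted stream
        // 1. Stock behaviour: Marker is instantiated and its readObject runs;
        //    only the final assignment to Note.text fails.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
        } catch (ClassCastException e) {
            System.out.println("stock: Marker.readObject ran = " + Marker.readObjectRan);
            System.out.println("stock: " + e.getMessage());
        }
        // 2. Allow-list filter (Java 9+): Marker's descriptor is rejected before
        //    any instance is created, so its readObject never runs.
        Marker.readObjectRan = false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("Note;java.lang.String;!*"));
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("filtered: Marker.readObject ran = " + Marker.readObjectRan);
        }
    }
}
```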