Explicit Serialization API and Security

Chris Hegarty chris.hegarty at oracle.com
Tue Jan 6 17:21:39 UTC 2015


On 6 Jan 2015, at 15:06, Peter Levart <peter.levart at gmail.com> wrote:

> On 01/06/2015 04:03 PM, Peter Levart wrote:
>> private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
>>        ObjectInputStream.GetField fields = in.readFields(); // this already validates the types 
> 
> Well, not true currently. But type validation could be added at this point.

Right. I think I’ll file a bug to track this as it seems reasonable to add type validation to readFields and defaultReadObject. So we can probably assume/ignore it in this discussion.

I like the idea of a callback into the serialization framework to handle the setting of final fields, after validation. I played a little with your patch and added it to a branch in the sandbox**

So a simple example, without legacy fields, might look as below (without the need for writeObject or serialPersistentFields). The simple validating readObject is starting to look like boilerplate?

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class SimpleInterval implements Serializable {

    private final int lo, hi;

    private static void validate(int lo, int hi) {
        // invariant
        if (lo > hi)
            throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
    }

    public SimpleInterval(int lo, int hi) {
        validate(lo, hi);
        this.lo = lo;
        this.hi = hi;
    }

    public int getLo() { return lo; }

    public int getHi() { return hi; }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField fields = in.readFields();

        // validate 'lo' and 'hi' fields invariant
        int lo = fields.get("lo", 0);
        int hi = fields.get("hi", 0);
        validate(lo, hi);

        // set current fields from read data
        fields.defaultReadFields(); // this is new API!
    }
}

-Chris.

** hg clone http://hg.openjdk.java.net/jdk9/sandbox sandbox
    cd sandbox
    sh get_source.sh
    sh common/bin/hgforest.sh update -r serial-exp-branch

    I also added your example, etc, under:
      jdk/test/java/io/Serializable/invarientChecker

    see http://cr.openjdk.java.net/~chegar/docs/sandbox.html
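The class above depends on the proposed `GetField.defaultReadFields()` call, which does not exist in a shipping JDK. The following is an added example (not Chris's or Peter's code, and not part of the sandbox branch) showing how the same invariant is enforced with the API that is available today: `defaultReadObject()` populates the final fields, and `readObject` throws `InvalidObjectException` before the half-built instance can reach a caller. The `main` method round-trips a valid instance and then feeds the stream through a constructed tampering helper, `withLoPatched`, which assumes that a class with no `writeObject` and only two `int` fields ends its stream with the primitive values in canonical order (sorted by name: `hi`, then `lo`), so the last four bytes hold `lo`. The class name `CheckedInterval` and the helper names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public class CheckedInterval implements Serializable {
    private static final long serialVersionUID = 1L;

    private final int lo, hi;

    // Single definition of the invariant, shared by the constructor and readObject.
    private static boolean valid(int lo, int hi) {
        return lo <= hi;
    }

    public CheckedInterval(int lo, int hi) {
        if (!valid(lo, hi))
            throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
        this.lo = lo;
        this.hi = hi;
    }

    public int getLo() { return lo; }

    public int getHi() { return hi; }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();           // the stream sets the final fields reflectively
        if (!valid(lo, hi))               // re-check: the constructor never ran for this object
            throw new InvalidObjectException("lo:" + lo + " > hi:" + hi);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Constructed for this demo: overwrite the trailing big-endian int, which under the
    // assumed layout (primitive fields 'hi' then 'lo', no custom writeObject) is 'lo'.
    static byte[] withLoPatched(byte[] stream, int newLo) {
        byte[] out = Arrays.copyOf(stream, stream.length);
        int p = out.length - 4;
        out[p]     = (byte) (newLo >>> 24);
        out[p + 1] = (byte) (newLo >>> 16);
        out[p + 2] = (byte) (newLo >>> 8);
        out[p + 3] = (byte) newLo;
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Well-formed stream: the invariant holds and deserialization succeeds.
        CheckedInterval ok = (CheckedInterval) deserialize(serialize(new CheckedInterval(1, 5)));
        System.out.println("round trip: lo=" + ok.getLo() + " hi=" + ok.getHi());

        // Stream whose 'lo' has been raised above 'hi': readObject must reject it.
        byte[] bad = withLoPatched(serialize(new CheckedInterval(1, 5)), 9);
        try {
            deserialize(bad);
            System.out.println("BUG: interval with lo > hi was accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected tampered stream: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac CheckedInterval.java && java CheckedInterval`. The cost of this shape is the one Peter and Chris are discussing: the fields are already assigned when the check runs, so the check is the only thing standing between the stream and a live object, whereas the proposed `readFields`-then-`defaultReadFields` order validates before anything is written into the instance.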
