Explicit Serialization API and Security

Peter Levart peter.levart at gmail.com
Tue Jan 6 17:49:02 UTC 2015 

On 01/06/2015 06:21 PM, Chris Hegarty wrote:
> On 6 Jan 2015, at 15:06, Peter Levart <peter.levart at gmail.com> wrote:
>
>> On 01/06/2015 04:03 PM, Peter Levart wrote:
>>> private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
>>>         ObjectInputStream.GetField fields = in.readFields(); // this already validates the types
>> Well, not true currently. But type validation could be added at this point.
> Right. I think I’ll file a bug to track this as it seems reasonable to add type validation to readFields and defaultReadObject. So we can probably assume/ignore it in this discussion.
>
> I like the idea of a callback into the serialization framework to handling the setting of final fields, after validation. I played a little with your patch and added it to a branch in the sandbox**
>
> So a simple example, without legacy fields, might looks as below ( without the need for writeObject or serialPersistentFields ). The simple validating readObject is starting to look like boilerplate ?

Well, 1st and last line are always the same, yes. What's between them is 
what you would have to write in a special check-only method too.

Regards, Peter

>
> public class SimpleInterval implements Serializable {
>
>      private final int lo, hi;
>
>      private static void validate(int lo, int hi) {
>          // invariant
>          if (lo > hi)
>              throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
>      }
>
>      public SimpleInterval(int lo, int hi) {
>          validate(lo, hi);
>          this.lo = lo;
>          this.hi = hi;
>      }
>
>      public int getLo() { return lo; }
>
>      public int getHi() { return hi; }
>
>      private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
>          ObjectInputStream.GetField fields = in.readFields();
>
>          // validate 'lo' and 'hi' fields invariant
>          int lo = fields.get("lo", 0);
>          int hi = fields.get("hi", 0);
>          validate(lo, hi);
>
>          // set current fields from read data
>          fields.defaultReadFields(); // this is new API!
>      }
> }
>
> -Chris.
>
> ** hg clone http://hg.openjdk.java.net/jdk9/sandbox sandbox
>      cd sandbox
>      sh get_source.sh
>      sh common/bin/hgforest.sh update -r serial-exp-branch
>
>      I also added your example, etc, under:
>        jdk/test/java/io/Serializable/invarientChecker
>
>      see http://cr.openjdk.java.net/~chegar/docs/sandbox.html
>

More information about the core-libs-dev mailing list