Explicit Serialization API and Security
Chris Hegarty
chris.hegarty at oracle.com
Mon Jan 12 11:51:03 UTC 2015
On 08/01/15 22:03, David M. Lloyd wrote:
>> ....
>>> private static void validate(GetField fields) {
>>> if (fields.getInt("lo") > fields.getInt("hi")) { ... }
>>> }
> ...
> In fact you cannot validate invariants across multiple objects at all
> using this method *or* readObject() (existing or enhanced) unless the
> object in question is an enum, Class, or String (and a few other special
> cases) because you can't rely on initialization order during
> deserialization. That's the very reason why OIS#registerValidation()
> even exists - inter-object validation is not possible until after the
> root-most readObject has completed, which is the time when validations
> are executed. Robust validation of a given object class may require two
> stages - "near" validation and "spanning" validation - to fully
> validate. However the readObject() approach and its proposed variations
> (including the static validate() version) can still be useful for
> fail-fast and non-complex validations; you just have to understand that
> (just as today) any Object you examine might not be fully initialized yet.
If I may, I'd like to build a little on this proposal:
1) Specify that validate is called down the hierarchy, from
j.l.Object.
2) Provide access to persistent supertype's fields, so they can
participate in the validation.
public static abstract class GetField {
    ....
    /**
     * Returns the persistent fields of the supertype, read from
     * the stream, or null if the supertype is not Serializable.
     */
    public abstract GetField superTypeFields();
}
-Chris.
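
The "near" and "spanning" validation stages discussed in the quoted message, sketched with the serialization API that already exists in the JDK (readFields() and registerValidation()). This is an added example, not part of the original message and not the proposed static validate()/superTypeFields() API; the Range and Window classes and the sample objects in main are constructed for illustration.

```java
import java.io.*;

// Hypothetical classes: Range carries the lo/hi invariant from the thread,
// Window is a constructed invariant that spans two objects.
public class ValidationDemo {
    static class Range implements Serializable {
        private int lo, hi;
        Range(int lo, int hi) { this.lo = lo; this.hi = hi; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField f = in.readFields();
            int lo = f.get("lo", 0), hi = f.get("hi", 0);
            // "Near" validation: only this object's own primitive fields, checked
            // before they are assigned, so a bad stream fails fast.
            if (lo > hi) throw new InvalidObjectException("lo > hi");
            this.lo = lo; this.hi = hi;
        }
    }

    static class Window implements Serializable, ObjectInputValidation {
        private Range outer, inner;
        Window(Range outer, Range inner) { this.outer = outer; this.inner = inner; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Referenced objects are not guaranteed to be fully initialized yet
            // (e.g. in a cyclic graph), so defer the cross-object check.
            in.registerValidation(this, 0);
        }
        // "Spanning" validation: called after the root-most readObject completes.
        @Override public void validateObject() throws InvalidObjectException {
            if (outer == null || inner == null
                    || inner.lo < outer.lo || inner.hi > outer.hi)
                throw new InvalidObjectException("inner not within outer");
        }
    }

    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        roundTrip(new Window(new Range(0, 10), new Range(2, 5)));  // valid: accepted
        Object[] bad = { new Range(9, 1),                          // fails near check
                         new Window(new Range(0, 10), new Range(5, 20)) }; // fails spanning check
        for (Object o : bad) {
            try { roundTrip(o); System.out.println("accepted (unexpected)"); }
            catch (InvalidObjectException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```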