Explicit Serialization API and Security
Peter Firmstone
peter.firmstone at zeus.net.au
Tue Jan 13 00:51:09 UTC 2015
----- Original message -----
> On 10/01/15 07:00, Peter Firmstone wrote:
> > Again, thank you all for engaging in discussion of this very difficult
> > topic.
> >
> > While we can't presently check intra object dependencies during
> > deserialization with readObject(), the examples I provide can do this.
>
> I have replied to Davids mail with a small change to GetField ( added
> superTypeFields() ) to return the deserialized supertypes fields. This
> gives subtypes the ability to check values of the supertypes persistent
> state.
Unfortunately this breaks encapsulation, a class is then locked into
using that serial form as public api forever.
>
> As with your original proposal, it is limited to the persistent state as
> read off the stream, and not the transient state, but I think it gets us
> most of the way there.
>
> In your original proposal, it looks quite cumbersome to hook up the
> static validator method in the constructor hierarchy ( as it is to do
> this with standard constructors too ). It also relies on the fact that
> the subtype has to create an instance of the supertype. I just wonder if
> we can push on the alternative static validator proposal to come up with
> something a but more attractive ( maybe not! ).
Before proposing the constructor, I had considered a static validator
method, with the following limitations:
* A static method invariant check, while simple, cannot accommodate
intra object invariants in class inheritance hierarchies without
breaking encapsulation and allowing child classes to examine stream
content.
* When we break encapsulation, complexity of implementing Serializable
safely increases; how to evolve serial form without breaking
compatibility.
* An Object under construction, usually copies mutable parameters
before checking invariants, how can we guarantee that these objects
are not shared and haven't mutated between the time the invariants
are checked and when fields are set by reflection after
construction?
I'd also considered a static factory method:
* It offers maximum flexibility for evolution; it can return objects
of any class it likes.
* Lacks the ability to recreate inherited private state, without
breaking encapsulation.
* Issues establishing intra object dependencies in inheritance
hierarchies.
Advantages that led me to propose the use of a constructor:
* If existing constructors throw an exception when invariants
haven't been satisfied, best practise dictates they must
do so prior to calling Object's super class constructor to avoid
finalizer attacks; static validation methods should already exist,
if not the class should be refactored anyway, whether it implements
Serializable or not.
* Improved code reuse; invariant validation code is shared with
other constructors.
* Ability to satisfy complex intra object invariants in class
inheritance heirarchies without breaking encapsulation.
* Although it appears complex at first glance, once learnt,
it's easily proven, preserves encapsulation and is easy to
implement and test.
* No serial form lock in, encapsulation has not been broken.
Only the implementing class knows and uses the field names and types
directly.
It just seems like the best compromise, it's not perfect, is has less flaws.
>
> Have you seen the changes I proposing for failure atomicity, preliminary
> webrev
> http://cr.openjdk.java.net/~chegar/failureAtomicity/
>
> .. and I think we can go further than this, creating the containing
> object lazily, if there are no readObjectXXX methods in the hierarchy.
>
>
Yes, but need some more time to absorb it, before commenting.
Regards,
Peter.
More information about the core-libs-dev
mailing list