RFR 9: 8155760 Implement Serialization Filtering
Chris Hegarty
chris.hegarty at oracle.com
Mon Oct 3 08:53:00 UTC 2016
Roger,
On 14/09/16 10:46, Chris Hegarty wrote:
> On 08/09/16 20:09, Roger Riggs wrote:
>...
> This looks very good Roger, just a few comments:
>
> 1) The pattern separator in the java.security file should be ';'
> Right?
> 925 #jdk.serialFilter=pattern,pattern
> ^^^
Strike this, it seems to have been fixed in the most recent version.
> 2) A question on the expected usage. During the initialization of
> OIS the process-wide filter is cached in an instance field,
> 'serialFilter'. A subsequent change to the process-wide filter
> will not affect the OIS instance. I think this is ok, just
> checking the expected usage, as the example in the OIF class
> description reads the process-wide filter every time. Maybe
> the example should be changed slightly to not promote this type
> of usage? Maybe just remove the call to getSerialFilter?
>
> 3) Are third-party OIS implementations required, or expected, to
> "callback" to the filter? The spec, of course, would appear to
> allow it, but not require it? Just wondering if this is required,
> or not, as it is not clear to me.
One more additional comment:
4) Since filtering is not controlled by the Security Manager,
does it make sense for its configuration to live in the
java.security file?
-Chris.
> -Chris.
>
>
>> SpecDiff:
>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>
>> Javadoc (subset)
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
>>
>>
>>
>> Thanks, Roger
>>
>>
>>
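
The caching behaviour raised in point 2, as an added example that is not part of this thread or of the change under review: a stream constructed before the process-wide filter is set keeps the value it captured, while a stream constructed afterwards picks up the new filter. It assumes the API names as released in JDK 9 (`ObjectInputFilter.Config`, `getObjectInputFilter`), which may differ from the reviewed revision, and that `jdk.serialFilter` is not already configured; the class name and the filter pattern are constructed for the demonstration.

```java
import java.io.*;
import java.util.Date;

public class FilterSnapshotDemo {
    // Serialize one object to a byte array (constructed sample input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Attempt a read and report whether the stream's filter rejected it.
    static String tryRead(ObjectInputStream in) throws Exception {
        try {
            return "read " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Date(0));

        // Constructed while no process-wide filter is configured:
        // the stream captures that state in its own field.
        ObjectInputStream before =
                new ObjectInputStream(new ByteArrayInputStream(data));

        // Patterns are separated by ';'. Allow java.lang.*, reject the rest.
        ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter("java.lang.*;!*");
        // Throws IllegalStateException if a process-wide filter is already set.
        ObjectInputFilter.Config.setSerialFilter(filter);

        // Constructed after the change: captures the new process-wide filter.
        ObjectInputStream after =
                new ObjectInputStream(new ByteArrayInputStream(data));

        System.out.println("before filter: " + before.getObjectInputFilter());
        System.out.println("after  filter: " + after.getObjectInputFilter());
        // Same bytes, different outcome depending on construction time.
        System.out.println("before: " + tryRead(before));
        System.out.println("after:  " + tryRead(after));
    }
}
```

Streams that were already open when the process-wide filter is installed remain unfiltered, so a filter meant to cover every stream has to be in place before any `ObjectInputStream` is constructed.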