RFR 9: 8155760 Implement Serialization Filtering

Chris Hegarty chris.hegarty at oracle.com
Mon Oct 3 08:53:00 UTC 2016


Roger,

On 14/09/16 10:46, Chris Hegarty wrote:
> On 08/09/16 20:09, Roger Riggs wrote:
>...
> This looks very good Roger, just a few comments:
>
> 1) The pattern separator in the java.security file should be ';'
>    Right?
>        925 #jdk.serialFilter=pattern,pattern
>                                    ^^^

Strike this, it seems to have been fixed in the most recent version.


> 2) A question on the excepted usage. During the initialization of
>    OIS the process-wide filter is cached in an instance field,
>    'serialFilter'. A subsequent change to the process-wide filter
>    will not affect the OIS instance. I think this is ok, just
>    checking the expected usage, as the example in the OIF class
>    description reads the process-wide filter ever time. Maybe
>    the example should be changed slightly to no promote this type
>    of usage? Maybe just remove the call to getSerialFilter?
>
> 3) Are third-party OIS implementations required, or expected, to
>    "callback" to the filter? The spec, of course, would appear to
>    allow it, but not require it? Just wondering if this is required,
>    or not, as it is not clear to me.

One more additional comment:

  4) Since filtering is not controlled by the Security Manager,
     does it make sense for its configuration to live in the
     java.security file?

-Chris.

> -Chris.
>
>
>> SpecDiff:
>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>
>> Javadoc (subset)
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
>>
>>
>>
>> Thanks, Roger
>>
>>
>>


More information about the core-libs-dev mailing list