RFR 9: 8155760 Implement Serialization Filtering

Daniel Fuchs daniel.fuchs at oracle.com
Mon Sep 12 17:15:18 UTC 2016


Hi Roger,

ObjectInputStream.java: some cosmetic comments:

317      * {@link ObjectInputFilter.Config#getSerialFilter() the process-wide filter}.
352      * {@link ObjectInputFilter.Config#getSerialFilter() the process-wide filter}.

  => should be @linkplain

1185      * The filter, when not {@code null}, is invoked during {@linkplain #readObject()}
1186      * and {@linkplain #readUnshared readUnshared} for each object
        (+ also at lines 1207,1208,1211,1212)
Should that be @link? I saw that in other places, readObject and
readUnshared were not wrapped in {@code } - so for consistency it
might make sense to use @linkplain. However the usual idiom would
be to use {@link }.

2046                 // Filter the replacement object
2047                 if (rep != null) {
2048                     if (rep.getClass().isArray()) {
2049                         filterCheck(rep.getClass(), Array.getLength(rep));
2050                     } else {
2051                         filterCheck(rep.getClass(), -1);
2052                     }
2053                 }

In this case should the filter be also invoked with the
class of each element in the substituted array?
Or is it OK that only the array type is checked (could be
"[Ljava.lang.Object;" containing elements of classes
X, Y, Z, but the filter will only see the array type).

best regards,

-- daniel

On 08/09/16 20:09, Roger Riggs wrote:
> Please review updates to the Serialization filtering API and
> implementation:
>   - The ObjectInputFilter pattern based filters support matching on
> module names as well as package and class names.
>   - Rename of system property and java.security property for
> configurable filters.  (jdk.serialFilter)
>   - ObjectInputFilter clarifications about the values passed to the filter
>   - Javadoc editorial improvements
>   - Clarification of SerializablePermission description of targets
>
>   - More tests
>
> Webrev:
> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>
> SpecDiff:
> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>
> Javadoc (subset)
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
>
>
> Thanks, Roger
>
>
>
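
An added example (not part of the original message and not JDK code) that records what a filter is handed when readResolve substitutes an array, the case asked about above. It assumes the ObjectInputFilter API as shipped in JDK 9 and later; Holder, Element and the demo class name are hypothetical.

```java
import java.io.*;
import java.util.*;

public class ReplacementArrayFilterDemo {
    // Hypothetical element type: created inside readResolve, never read from the stream.
    static class Element { }

    // Hypothetical serializable class whose readResolve substitutes an Object[].
    static class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        private Object readResolve() {
            return new Object[] { new Element(), new Element() };
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a stream holding a single Holder.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new Holder());
        }

        // Record every class the filter is asked about; never reject.
        List<String> seen = new ArrayList<>();
        ObjectInputFilter recorder = info -> {
            Class<?> c = info.serialClass();   // null for checks that carry no class
            if (c != null) {
                seen.add(c.getName() + " arrayLength=" + info.arrayLength());
            }
            return ObjectInputFilter.Status.UNDECIDED;
        };

        Object result;
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            in.setObjectInputFilter(recorder);
            result = in.readObject();
        }

        System.out.println("classes passed to the filter:");
        seen.forEach(s -> System.out.println("  " + s));
        Object first = ((Object[]) result)[0];
        System.out.println("returned: " + result.getClass().getName()
                + " holding " + first.getClass().getName());
    }
}
```

Element instances are built inside readResolve rather than read from the stream, so a filter that needs to vet the contents of a substituted array cannot rely on the array-type check at lines 2046-2053 alone.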
