RFR 9: 8155760 Implement Serialization Filtering

Chris Hegarty chris.hegarty at oracle.com
Wed Sep 14 09:46:09 UTC 2016


On 08/09/16 20:09, Roger Riggs wrote:
> Please review updates to the Serialization filtering API and
> implementation:
>   - The ObjectInputFilter pattern based filters support matching on
> module names as well as package and class names.
>   - Rename of system property and java.security property for
> configurable filters.  (jdk.serialFilter)
>   - ObjectInputFilter clarifications about the values passed to the filter
>   - Javadoc editorial improvements
>   - Clarification of SerializablePermission description of targets
>
>   - More tests
>
> Webrev:
> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/

This looks very good Roger, just a few comments:

1) The pattern separator in the java.security file should be ';'
    Right?
        925 #jdk.serialFilter=pattern,pattern
                                    ^^^

2) A question on the expected usage. During the initialization of
    OIS the process-wide filter is cached in an instance field,
    'serialFilter'. A subsequent change to the process-wide filter
    will not affect the OIS instance. I think this is ok, just
    checking the expected usage, as the example in the OIF class
    description reads the process-wide filter every time. Maybe
    the example should be changed slightly to not promote this type
    of usage? Maybe just remove the call to getSerialFilter?

3) Are third-party OIS implementations required, or expected, to
    "callback" to the filter? The spec, of course, would appear to
    allow it, but not require it? Just wondering if this is required,
    or not, as it is not clear to me.

-Chris.


> SpecDiff:
> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>
> Javadoc (subset)
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
>
>
> Thanks, Roger
>
>
>
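
The behaviour raised in points 1 and 2 above, as an added example that is not part of the original message or the webrev: a ';'-separated pattern filter, and an ObjectInputStream keeping whatever process-wide filter existed when it was constructed. It assumes the API as shipped in JDK 9 and later, and a JVM started without jdk.serialFilter already set (otherwise setSerialFilter throws IllegalStateException); the class name SerialFilterSnapshot and the pattern are illustrative.

```java
import java.io.*;
import java.util.ArrayList;

public class SerialFilterSnapshot {
    public static void main(String[] args) throws Exception {
        // Constructed sample input: one serialized, empty ArrayList.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new ArrayList<String>());
        }
        byte[] bytes = buf.toByteArray();

        // Stream constructed before any process-wide filter is installed.
        ObjectInputStream early =
            new ObjectInputStream(new ByteArrayInputStream(bytes));

        // Patterns are separated by ';'. "!*" rejects every class that
        // an earlier pattern did not already allow.
        ObjectInputFilter filter =
            ObjectInputFilter.Config.createFilter("java.lang.*;!*");
        ObjectInputFilter.Config.setSerialFilter(filter);

        // Stream constructed after the process-wide filter is installed.
        ObjectInputStream late =
            new ObjectInputStream(new ByteArrayInputStream(bytes));

        // Each stream reports the filter it captured in its constructor.
        System.out.println("early filter: " + early.getObjectInputFilter());
        System.out.println("late filter:  " + late.getObjectInputFilter());

        // The early stream still deserializes without consulting the filter.
        System.out.println("early read:   "
            + early.readObject().getClass().getName());

        // The late stream consults the filter and refuses java.util.ArrayList.
        try {
            late.readObject();
            System.out.println("late read:    accepted");
        } catch (InvalidClassException e) {
            System.out.println("late read:    " + e.getMessage());
        }
    }
}
```

For a defender, the consequence is ordering: a process-wide filter has to be in place before any stream that handles untrusted data is constructed, which the jdk.serialFilter property guarantees and a late call to setSerialFilter does not.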

