RFR 9: 8155760 Implement Serialization Filtering

Roger Riggs Roger.Riggs at Oracle.com
Wed Sep 14 14:27:33 UTC 2016


Hi Chris,

Thanks for the review and comments...

On 9/14/2016 5:46 AM, Chris Hegarty wrote:
> On 08/09/16 20:09, Roger Riggs wrote:
>> Please review updates to the Serialization filtering API and
>> implementation:
>>   - The ObjectInputFilter pattern based filters support matching on
>> module names as well as package and class names.
>>   - Rename of system property and java.security property for
>> configurable filters.  (jdk.serialFilter)
>>   - ObjectInputFilter clarifications about the values passed to the 
>> filter
>>   - Javadoc editorial improvements
>>   - Clarification of SerializablePermission description of targets
>>
>>   - More tests
>>
>> Webrev:
>> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>
> This looks very good Roger, just a few comments:
>
> 1) The pattern separator in the java.security file should be ';'
>    Right?
>        925 #jdk.serialFilter=pattern,pattern
Good catch, will fix
>                                    ^^^
>
> 2) A question on the expected usage. During the initialization of
>    OIS the process-wide filter is cached in an instance field,
>    'serialFilter'. A subsequent change to the process-wide filter
>    will not affect the OIS instance. I think this is ok, just
>    checking the expected usage, as the example in the OIF class
>    description reads the process-wide filter every time. Maybe
>    the example should be changed slightly to not promote this type
>    of usage? Maybe just remove the call to getSerialFilter?
The process-wide filter is set-once, so it can't change. 
(ObjectInputFilter.setSerialFilter())
The caching in OIS as a final field allows some optimizations;
Client code as in the example could do the same for performance reasons.

>
> 3) Are third-party OIS implementations required, or expected, to
>    "callback" to the filter? The spec, of course, would appear to
>    allow it, but not require it? Just wondering if this is required,
>    or not, as it is not clear to me.
Practically, I don't think it can be required; but is encouraged.

Thanks, Roger


>
> -Chris.
>
>
>> SpecDiff:
>> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>>
>> Javadoc (subset)
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html 
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html 
>>
>>
>> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html 
>>
>>
>>
>> Thanks, Roger
>>
>>
>>
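
The points discussed in this message (the ';' pattern separator, module-name matching, and the set-once process-wide filter that each ObjectInputStream picks up at construction), as an added example that is not part of the original mail or the webrev. It uses the API as shipped in JDK 9 (ObjectInputFilter.Config), which may differ from the version under review; the class names SerialFilterDemo and Payload are hypothetical.

```java
import java.io.*;
import java.util.*;

public class SerialFilterDemo {
    // Hypothetical application class: lives in the unnamed module, so the filter rejects it.
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "constructed";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // A new stream takes the process-wide filter when it is constructed.
    static String tryRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Patterns are separated by ';', not ','.
        // "java.base/*" allows any class in module java.base; "!*" rejects everything else.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("java.base/*;!*");

        byte[] list = serialize(new ArrayList<>(List.of("a", "b")));   // constructed sample data
        byte[] payload = serialize(new Payload());

        // If -Djdk.serialFilter=... was given, the process-wide filter is already set.
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            ObjectInputFilter.Config.setSerialFilter(filter);
        }
        try {
            ObjectInputFilter.Config.setSerialFilter(filter);          // second attempt fails
        } catch (IllegalStateException e) {
            System.out.println("process-wide filter is set-once: " + e.getMessage());
        }
        System.out.println(tryRead(list));
        System.out.println(tryRead(payload));
    }
}
```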


