[14] RFR (doc) 8237651 Clarify initialization of jdk.serialFilter
Roger Riggs
Roger.Riggs at oracle.com
Tue Jan 28 14:59:50 UTC 2020
Hi Sean,
On 1/27/20 3:17 PM, Sean Mullan wrote:
> Hi Roger,
>
> Does setting jdk.serialFilter with Security.setProperty() work, or
> must it only be pre-configured in the java.security file?
Assuming the System property is not defined, then setting the Security
property with Security.setProperty before the ObjectInputFilter.Config
class is initialized will affect the filter defined.
Thanks, Roger
>
> --Sean
>
> On 1/24/20 2:51 PM, Roger Riggs wrote:
>> Please review a doc change in the description of the initialization
>> of the jdk.serialFilter from
>> a system property to generalize it beyond only command line invocation.
>>
>> diff a/src/java.base/share/classes/java/io/ObjectInputFilter.java
>> b/src/java.base/share/classes/java/io/ObjectInputFilter.java
>> --- a/src/java.base/share/classes/java/io/ObjectInputFilter.java
>> +++ b/src/java.base/share/classes/java/io/ObjectInputFilter.java
>> @@ -204,15 +204,14 @@
>> * When setting the filter, it should be stateless and idempotent,
>> * reporting the same result when passed the same arguments.
>> * <p>
>> * The filter is configured during the initialization of the
>> {@code ObjectInputFilter.Config}
>> * class. For example, by calling {@link #getSerialFilter()
>> Config.getSerialFilter}.
>> - * If the system property {@systemProperty jdk.serialFilter} is
>> defined on the command line,
>> - * it is used to configure the filter.
>> - * If the system property is not defined on the command line,
>> and the
>> - * {@link java.security.Security} property {@code
>> jdk.serialFilter} is defined
>> - * then it is used to configure the filter.
>> + * If the Java virtual machine is started with the system property
>> + * {@systemProperty jdk.serialFilter}, its value is used to
>> configure the filter.
>> + * If the system property is not defined, and the {@link
>> java.security.Security} property
>> + * {@code jdk.serialFilter} is defined then it is used to
>> configure the filter.
>> * Otherwise, the filter is not configured during initialization
>> and
>> * can be set with {@link #setSerialFilter(ObjectInputFilter)
>> Config.setSerialFilter}.
>> * Setting the {@code jdk.serialFilter} with {@link
>> System#setProperty(String, String)
>> * System.setProperty} <em>does not set the filter</em>.
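Review bot: The rewritten sentence "If the system property is not defined, and the {@link java.security.Security} property {@code jdk.serialFilter} is defined" does not say when the Security property is read, and the closing sentence rules out only System.setProperty, so a reader cannot tell whether a call to Security.setProperty is honored. The paragraph already says the filter is configured during initialization of ObjectInputFilter.Config, so consider stating that the Security property is read at that point and must be in place before the class is initialized. A comma before "then it is used" would also help that sentence.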
>>
>> Thanks, Roger
>>
>> Issue:
>> https://bugs.openjdk.java.net/browse/JDK-8237651
>>
>> Webrev:
>> http://cr.openjdk.java.net/~rriggs/webrev-filter-8237651/
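The ordering discussed in this thread, as an added example that is not part of the original message or of the JDK sources: the Security property is set before ObjectInputFilter.Config is first used, then changed afterwards. The class name SerialFilterInit, the filter patterns and the sample objects are assumptions made for the illustration, and the JVM is assumed to be started without -Djdk.serialFilter.

```java
import java.io.*;
import java.security.Security;
import java.util.ArrayList;
import java.util.HashMap;

public class SerialFilterInit {   // hypothetical class name
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Each new ObjectInputStream picks up the process-wide filter from
    // ObjectInputFilter.Config; a rejection surfaces as InvalidClassException.
    static String read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (System.getProperty("jdk.serialFilter") != null) {
            System.out.println("system property was set at startup and takes precedence");
        }
        // Constructed sample inputs, serialized before any filter is consulted.
        byte[] list = serialize(new ArrayList<String>());
        byte[] map = serialize(new HashMap<String, String>());

        // Set before ObjectInputFilter.Config is initialized: this pattern
        // (constructed for the example) becomes the process-wide filter.
        Security.setProperty("jdk.serialFilter", "!java.util.HashMap");
        System.out.println("filter: " + ObjectInputFilter.Config.getSerialFilter());
        System.out.println("ArrayList: " + read(list));
        System.out.println("HashMap:   " + read(map));

        // Set after initialization: the configured filter does not change,
        // so ArrayList is still accepted.
        Security.setProperty("jdk.serialFilter", "!java.util.ArrayList");
        System.out.println("filter: " + ObjectInputFilter.Config.getSerialFilter());
        System.out.println("ArrayList: " + read(list));
    }
}
```

An application that relies on the Security property therefore has to set it in its earliest startup code, before any library deserializes data or calls Config.getSerialFilter.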