RFR: 8264859: Implement Context-Specific Deserialization Filters [v14]
Roger Riggs
rriggs at openjdk.java.net
Tue Jun 8 14:26:44 UTC 2021
On Tue, 8 Jun 2021 11:41:28 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Clarified javadoc for rejectUndecidedClass.
>> Added javadoc to describe throwing of ExceptionInInitializerError if the class
>> named by system property jdk.serialFilterFactory is not valid.
>> Added description of jdk.serialFilterFactory to java.security file.
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 550:
>
>> 548: * be accessible via the {@linkplain ClassLoader#getSystemClassLoader() application class loader}.
>> 549: * If the filter factory constructor is not invoked successfully, an {@link ExceptionInInitializerError}
>> 550: * is thrown.
>
> Should you also say that later attempts to create an `ObjectInputStream` or to call `ObjectInputStream::setObjectInputFilter` will result in an `IllegalStateException`?
Yes, and setObjectInputFilter should throw ISE if the initialization from the system property has failed.
```
* If the filter factory constructor is not invoked successfully, an {@link ExceptionInInitializerError}
* is thrown and subsequent use of the filter factory for deserialization fails with
* {@link IllegalStateException}.
```
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev mailing list