RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Roger Riggs
rriggs at openjdk.java.net
Mon May 24 15:27:25 UTC 2021
On Mon, 24 May 2021 08:22:57 GMT, Chris Hegarty <chegar at openjdk.org> wrote:
>> In previous versions, calling OIS.setObjectInputFilter determined exactly the filter used for the stream.
>> With the filter factory enhancement, the current filter factory determines how the argument to OIS.setObjectInputFilter is used. There are plenty of cases where the filter factory will combine it with other filters and the composite will becomes the filter for the stream.
>
> Here is the source of my confusion. The bulleted list is enumerating how a stream-specific filter is determined, but I see an extra step in that which should be unnecessary. It is currently:
>
> 1. Check JVM-wide filter factory
> 2. If no JVM-wide, check built-in factory
> 3. setSerialFilterFactory
>
> , but 1 and 2 are not separate and distinct cases - there is always a JVM-wide deserialization filter factory. The JVM-wide deserialization filter factory is either i) set through a property, or ii) set explicitly by an API call, or iii) the built-in implementation.
>
> If the initialisation of the JVM-wide deserialization filter factory is separated out from how the stream-specific factory is determined, then I believe that it will be easier to follow.
Yes, I will describe the filter factory selection and separately the filter composition by the factory.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list