RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Chris Hegarty
chegar at openjdk.java.net
Tue May 25 09:18:04 UTC 2021
On Mon, 24 May 2021 15:09:26 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
> i) is too limiting. It should be possible for an application to check whether a filter factory has been provided on the command line (by calling getSerialFilterFactory) and if not setting the factory itself. It may also want to install its own filter factory that delegates to the builtin factory without needed to re-implement the builtin behavior.
How is this supposed to work in practice? getSerialFilterFactory always returns a non-null factory, so how does one know whether or not the returned factory is the built-in factory, a factory set by the command line (or security property) ? (without resorting to implementation assumptions)
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
More information about the core-libs-dev
mailing list