RFR: 8264859: Implement Context-Specific Deserialization Filters [v9]
Roger Riggs
rriggs at openjdk.java.net
Wed May 26 16:49:01 UTC 2021
On Wed, 26 May 2021 06:35:46 GMT, Peter Levart <plevart at openjdk.org> wrote:
>> src/java.base/share/classes/java/io/ObjectInputStream.java line 1265:
>>
>>> 1263: * must return a non-null filter. It is not permitted to remove filtering once established.
>>> 1264: * See the {@linkplain ObjectInputFilter filter models} for examples of composition and delegation.
>>> 1265: *
>>
>> Hi Roger,
>> When I first read this javadoc, I was a little confused and had to peek into the implementation. After that, I understood the above text, but without peeking and in-depth knowledge, I couldn't. The confusing part is the apparently conflicting claims made by 1st vs. 2nd paragraph. Both talk about setting the deserialization filter - the 1st just says "set the deserialization filter for the stream", and with the `setObjectInputFilter` method having a sole `filter` parameter, together these establish a simple picture - ah, just a setter method. But no, the 2nd paragraph talks about something entirely different which doesn't fit into the established picture. So would it be possible to rephrase that 1st paragraph somehow? Or what about starting with 2nd paragraph: "Set the deserialization filter for the stream to the filter returned by invoking ...." followed by 1st paragraph: "The filter can be set and only set once before reading any objects..."
>
> Also a better wording for the following paragraph could be: "This method can only be called once and before reading any objects with this ObjectInputStream"
> Talking about "The filter can only be set once" is a little confusing, since the filter may actually already be set to the JVM-wide filter when this method is called to replace it with a per-OIS filter.
Rewrote and included your suggestions.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
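As an added illustration of the semantics discussed above (example code written for this note, not the PR's or the JDK's own): a hypothetical filter factory `compose` combines the JVM-wide filter a stream starts with and the filter passed to `setObjectInputFilter`, so the per-stream call narrows rather than replaces filtering. It uses the JDK 17 `ObjectInputFilter` API; the class `ContextFilterDemo` and its methods `compose`, `serialize` and `readWith` are assumed names.

```java
import java.io.*;
import java.util.*;

public class ContextFilterDemo {
    // Filter factory (hypothetical, not JDK code). The JDK invokes it at stream construction with
    // current == null and requested == the JVM-wide filter, and again from setObjectInputFilter
    // with current == the stream's existing filter and requested == the method's argument.
    static ObjectInputFilter compose(ObjectInputFilter current, ObjectInputFilter requested) {
        if (current == null) return requested;   // construction: adopt the JVM-wide filter
        if (requested == null) return current;   // never let filtering be removed once established
        // Consult both; a rejection by either wins, and classes neither filter decides on are rejected.
        return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(current, requested));
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Reads one object with a context-specific filter, set exactly once and before any readObject call.
    static Object readWith(byte[] bytes, ObjectInputFilter perStream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(perStream);   // factory runs here as compose(jvmWide, perStream)
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // JVM-wide baseline: resource limits only; class decisions are left to each stream's filter.
        // Both settings must be installed before the first ObjectInputStream is created.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("maxdepth=8;maxarray=1000"));
        ObjectInputFilter.Config.setSerialFilterFactory(ContextFilterDemo::compose);

        List<Date> sample = new ArrayList<>();   // constructed sample input
        sample.add(new Date(0));
        byte[] bytes = serialize(sample);

        // Context expecting a list of dates: exactly these two classes are allowed.
        ObjectInputFilter listOfDates = ObjectInputFilter.allowFilter(
                c -> c == ArrayList.class || c == Date.class, ObjectInputFilter.Status.UNDECIDED);
        System.out.println("accepted: " + readWith(bytes, listOfDates));

        // Context expecting a bare Date: ArrayList stays UNDECIDED, so the wrapper in compose rejects it.
        ObjectInputFilter onlyDate = ObjectInputFilter.allowFilter(
                c -> c == Date.class, ObjectInputFilter.Status.UNDECIDED);
        try { readWith(bytes, onlyDate); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```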