RFR: 8277322: Document that setting an invalid property `jdk.serialFilter` disables deserialization

Jaikiran Pai jpai at openjdk.java.net
Tue Nov 23 02:36:09 UTC 2021


On Mon, 22 Nov 2021 19:57:25 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

> The effects of an invalid `jdk.serialFilter` property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible and it should be clear in the specification. 
> 
> Specify an implementation specific exception is thrown in the case where deserialization is invoked after reporting the invalid jdk.serialFilter.

src/java.base/share/classes/java/io/ObjectInputFilter.java line 530:

> 528:      * and the initialization fails; subsequent attempts to use the configuration or
> 529:      * serialization will fail with an implementation specific exception.
> 530:      * If the system property {@code jdk.serialFilter} is not set on the command line

Hello Roger,
Thank you for rearranging these lines. It reads much more clearly. One tiny final question - this new line now states `If the system property {@code jdk.serialFilter} is not set on the command line it can be set with ....`. However, this property, if not set on the command line, could instead have been set as a `java.security.Security` property (in a file). The javadoc does mention this a few lines back. So do you think this new line should be reworded to something like `If the filter is neither set as a system property on the command line nor as a security property then it can be set with...`?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6508
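As an added illustration (not code from the PR or from the JDK itself), the following shows how an application can see which of the three sources discussed in this thread supplied the filter, validate the pattern before any deserialization happens, and fall back to a programmatic filter when neither property is set; the class name, helper and sample pattern are constructed assumptions.

```java
import java.io.ObjectInputFilter;
import java.security.Security;

/** Added example: inspect and validate the jdk.serialFilter configuration at startup. */
public final class SerialFilterCheck {

    /** Hypothetical helper: the pattern from -Djdk.serialFilter, else from the
     *  java.security properties file, else null (same lookup order the thread describes). */
    static String configuredPattern() {
        String pattern = System.getProperty("jdk.serialFilter");
        if (pattern != null) {
            return pattern;
        }
        return Security.getProperty("jdk.serialFilter");
    }

    public static void main(String[] args) {
        String pattern = configuredPattern();
        if (pattern == null) {
            // Neither the system property nor the security property is set, so install a
            // process-wide filter programmatically. Constructed sample pattern: allow one
            // package, cap the object-graph depth, reject everything else.
            ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter("com.example.model.*;maxdepth=20;!*");
            ObjectInputFilter.Config.setSerialFilter(filter);
            System.out.println("no jdk.serialFilter property set; installed programmatic filter");
            return;
        }
        try {
            // createFilter uses the same pattern grammar as the property, so an invalid
            // pattern is detected here instead of at the first ObjectInputStream.
            ObjectInputFilter.Config.createFilter(pattern);
            System.out.println("jdk.serialFilter pattern is valid: " + pattern);
        } catch (IllegalArgumentException e) {
            // With an invalid property the JDK reports the error during initialization and,
            // as the change under review documents, deserialization subsequently fails with
            // an implementation-specific exception; surface that early and loudly.
            System.err.println("invalid jdk.serialFilter pattern: " + e.getMessage());
            System.exit(1);
        }
    }
}
```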

