RFR: 8277322: Document that setting an invalid property `jdk.serialFilter` disables deserialization
Stuart Marks
smarks at openjdk.java.net
Tue Nov 23 04:43:07 UTC 2021
On Mon, 22 Nov 2021 19:57:25 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
> The effects of an invalid `jdk.serialFilter` property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible and it should be clear in the specification.
>
> Specify an implementation specific exception is thrown in the case where deserialization is invoked after reporting the invalid jdk.serialFilter.
src/java.base/share/classes/java/io/ObjectInputFilter.java line 529:
> 527: * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown
> 528: * and the initialization fails; subsequent attempts to use the configuration or
> 529: * serialization will fail with an implementation specific exception.
I'm confused about exactly what happens after `ExceptionInInitializerError`.
> Subsequent attempts to use the configuration or serialization will fail....
Which configuration? I thought OIF.Config is a utility class and thus has no instances. If its class initialization fails, then other code cannot use `Config.setSerialFilter` to set a global filter (which might be desirable, but throws NCDFE instead of `IllegalStateException`) and other code can't use `Config.createFilter` to create individual filters. Is that right? It seems like there ought to be a better arrangement than to have the system come up in some dysfunctional way, where any subsequent reference to `OIF.Config` results in NCDFE.
And surely this affects deserialization, not serialization?
-------------
PR: https://git.openjdk.java.net/jdk/pull/6508
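
The class-initialization behaviour this message asks about, as an added example that is not part of the original message or the JDK sources. `FilterConfig`, the `example.serialFilter` property and its validity rule are hypothetical stand-ins for a utility class whose static initializer rejects an invalid property value.

```java
public class InitFailureDemo {

    // Hypothetical utility class (no instances) configured from a system property.
    static final class FilterConfig {
        static final String PATTERN;

        static {
            String p = System.getProperty("example.serialFilter", "");
            // Constructed validity rule for this demo only.
            if (p.isEmpty() || p.contains("!!")) {
                throw new IllegalArgumentException("invalid filter: \"" + p + "\"");
            }
            PATTERN = p;
        }

        private FilterConfig() { }

        static String pattern() {
            return PATTERN;
        }
    }

    // Touches FilterConfig and reports which error, if any, the JVM raised.
    static String attempt() {
        try {
            return "ok: " + FilterConfig.pattern();
        } catch (LinkageError e) {
            // ExceptionInInitializerError and NoClassDefFoundError are both
            // LinkageErrors. The JVM throws the former when the static
            // initializer fails, and the latter on every later use of the
            // class, which is now permanently in an erroneous state.
            Throwable cause = e.getCause();
            return e.getClass().getName()
                    + (cause == null ? "" : " (cause: " + cause.getClass().getName() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed invalid value, set before the class is first used.
        System.setProperty("example.serialFilter", "java.base/*;!!");
        System.out.println("first use:  " + attempt());
        System.out.println("second use: " + attempt());
        // Correcting the property afterwards does not help: initialization is
        // attempted only once per class loader.
        System.setProperty("example.serialFilter", "java.base/*");
        System.out.println("third use:  " + attempt());
    }
}
```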