RFR: 8277322: Document that setting an invalid property `jdk.serialFilter` disables deserialization

Stuart Marks smarks at openjdk.java.net
Tue Nov 23 04:43:07 UTC 2021


On Mon, 22 Nov 2021 19:57:25 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

> The effects of an invalid `jdk.serialFilter` property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible and it should be clear in the specification. 
> 
> Specify that an implementation-specific exception is thrown in the case where deserialization is invoked after reporting the invalid jdk.serialFilter.

src/java.base/share/classes/java/io/ObjectInputFilter.java line 529:

> 527:      * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown
> 528:      * and the initialization fails; subsequent attempts to use the configuration or
> 529:      * serialization will fail with an implementation specific exception.

I'm confused about exactly what happens after `ExceptionInInitializerError`.

> Subsequent attempts to use the configuration or serialization will fail....

Which configuration? I thought OIF.Config is a utility class and thus has no instances. If its class initialization fails, then other code cannot use `Config.setSerialFilter` to set a global filter (which might be desirable, but throws NCDFE instead of `IllegalStateException`) and other code can't use `Config.createFilter` to create individual filters. Is that right? It seems like there ought to be a better arrangement than to have the system come up in some dysfunctional way, where any subsequent reference to `OIF.Config` results in NCDFE.

And surely this affects deserialization, not serialization?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6508
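As an added example (not part of the PR or of this thread), the following Java program parses a candidate `jdk.serialFilter` pattern with `ObjectInputFilter.Config.createFilter` before that pattern is deployed as the system property, so a malformed string is reported as an `IllegalArgumentException` at deploy time rather than leaving `ObjectInputFilter.Config` uninitializable at startup; it then installs the validated filter on a stream and shows a class outside the allow list being rejected. The pattern strings and the serialized `HashMap` are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

// Added example, not code from the JDK PR: validate a filter pattern before
// it is used as -Djdk.serialFilter, then apply it per stream.
public class SerialFilterCheck {

    // Parses the pattern; throws IllegalArgumentException if it is malformed
    // (e.g. a non-numeric limit such as "maxdepth=abc" or an unknown limit keyword).
    static ObjectInputFilter parseOrFail(String pattern) {
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample patterns; the second one is deliberately malformed.
        String good = "java.util.ArrayList;java.lang.*;!*;maxdepth=5";
        String bad  = "java.util.*;maxdepth=abc";

        for (String p : new String[] { good, bad }) {
            try {
                parseOrFail(p);
                System.out.println("OK  : " + p);
            } catch (IllegalArgumentException e) {
                // The same string set as -Djdk.serialFilter would make the
                // Config class fail to initialize at JVM startup.
                System.out.println("BAD : " + p + " -> " + e.getMessage());
            }
        }

        // Serialize a HashMap (constructed input) that the allow list above does not permit.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<String, String>());
        }

        // Install the validated filter on the stream; "!*" rejects HashMap,
        // and ObjectInputStream reports the rejection as InvalidClassException.
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.setObjectInputFilter(parseOrFail(good));
            ois.readObject();
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Run this in a JVM where `jdk.serialFilter` is unset or valid: calling `Config.createFilter` triggers initialization of `ObjectInputFilter.Config`, which is exactly the step that fails when the property itself is invalid.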
