Regarding AdbaType.JAVA_OBJECT
Alexander Kjäll
alexander.kjall at gmail.com
Mon Sep 17 19:08:11 UTC 2018
Hi
I would like to ask about how the JAVA_OBJECT type is supposed to be
implemented.
One way to do it would be to use Java's built-in serialization, but
that's impossible without creating a serialization security hole in
the driver; the same goes if I serialize it to XML/JSON and let arbitrary types
be deserialized.
One way to maybe implement it without security holes is to let the end
user register classes that are allowed, but that feels very clunky.
I'm also questioning the usefulness of this feature in regard to all
the serialization security holes Java is suffering from. Is it really
needed, or can it be dropped?
best regards
Alexander Kjäll
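As an added illustration of the "let the end user register allowed classes" approach mentioned in the post (example code written for this page, not the author's code and not ADBA's or any driver's actual API; the class name, the registry, the depth and array limits, and the sample values are all assumptions), this uses java.io.ObjectInputFilter, available since Java 9, to let Java serialization through only for types the caller registered up front:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical codec for a JAVA_OBJECT value: Java serialization on the way
 * out, and on the way in an ObjectInputFilter that admits only classes the
 * driver user registered beforehand. Nothing here is ADBA API; it only shows
 * the shape of the "register allowed classes" idea.
 */
public final class AllowlistedJavaObjectCodec {

    private static final int MAX_DEPTH = 8;       // nesting limit, an assumed bound
    private static final long MAX_ARRAY = 10_000; // array length limit, an assumed bound

    private final Set<String> allowedClassNames;

    public AllowlistedJavaObjectCodec(Set<String> allowedClassNames) {
        this.allowedClassNames = Collections.unmodifiableSet(new HashSet<>(allowedClassNames));
    }

    public byte[] encode(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public Object decode(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            // The filter is consulted before any class in the stream is instantiated.
            in.setObjectInputFilter(this::check);
            return in.readObject();
        }
    }

    private ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > MAX_DEPTH || info.arrayLength() > MAX_ARRAY) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            // Callback carries only limits (depth, references, bytes); no class to judge.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (cls.isArray()) {
            cls = cls.getComponentType();
        }
        if (cls.isPrimitive() || allowedClassNames.contains(cls.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    }

    public static void main(String[] args) throws Exception {
        // The filter sees every class descriptor in the stream, including
        // serializable superclasses, so Integer needs Number registered as well.
        AllowlistedJavaObjectCodec codec =
                new AllowlistedJavaObjectCodec(Set.of("java.lang.Integer", "java.lang.Number"));

        Object accepted = codec.decode(codec.encode(42));
        System.out.println("accepted: " + accepted);

        try {
            codec.decode(codec.encode(new java.util.Date(0)));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected unregistered class: " + e.getMessage());
        }
    }
}
```

Rejected classes surface as an InvalidClassException from readObject, before the constructor or readObject hook of the unregistered type ever runs. The allowlist has to name serializable superclasses too, which is part of why the approach feels clunky: every registered type drags its serializable ancestry along, and the caller must know that.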