<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    On 14/05/2024 14:42, David Lloyd wrote:<br>
    <blockquote type="cite" cite="mid:CANghgrRA8B5Bn7gyUs=g3bgVyA1Hjn7dOSiUOZbG7Ad3LCo9dA@mail.gmail.com">
      
      <div dir="ltr">:
        <div class="gmail_quote">
          <div><br>
          </div>
          <div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I'm well
              aware of these arguments, as I was present when they were
              devised (and have the scars - and jpms-spec-experts
              membership - to prove it). As I said, I fully support the
              goal of integrity by default.</div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
            </div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">However,
              neither of these points really addresses the problem at
              hand. In particular, ReflectionFactory does not relate
              specifically to serializing JDK classes; it presently
              provides access to serialization constructors and (lately)
              the non-public serialization spec methods for *all*
              classes. It does not address the problem of field access
              in any way.</div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
            </div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">:</div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
            </div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">ReflectionFactory
              allows access to serialization facilities without any
              access checking (other than the defunct SecurityManager
              checks). Perhaps this class could gain some more methods,
              like this:</div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
            </div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">*
              `newGetterForSerialization(Field field)` - includes
              ability to access `objectStreamFields` and
              `serialVersionUID`, or these could be separate methods</div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">*
              `newSetterForSerialization(Field field)`</div>
          </div>
          <div><br>
          </div>
          <div>
            <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Does this
              seem workable?</div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    The intention with ReflectionFactory is that serialization libraries
    go through the readObject/writeObject and other magic methods, to
    avoid field access.<br>
    <br>
    Probably best to bring this to core-libs-dev for further discussion.<br>
    <br>
    -Alan<br>
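    <br>
    Added example, not part of the original thread: a round trip that uses only the existing ReflectionFactory serialization constructor and readObject/writeObject method handles, so the class's own validation runs and no Field is accessed reflectively. The Account class, the roundTrip helper and the sample value are constructed for illustration.<br>

```java
import java.io.*;
import java.lang.invoke.MethodHandle;
import sun.reflect.ReflectionFactory; // exported by the jdk.unsupported module

public class MagicMethodRoundTrip {
    // Constructed sample class: state is validated in the constructor and in readObject.
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient String owner;

        Account(String owner) {
            if (owner.isEmpty()) throw new IllegalArgumentException("owner required");
            this.owner = owner;
        }
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.writeUTF(owner);
        }
        private void readObject(ObjectInputStream in) throws IOException {
            String o = in.readUTF();
            if (o.isEmpty()) throw new InvalidObjectException("owner required");
            owner = o;
        }
        String owner() { return owner; }
    }

    // Hypothetical helper standing in for a third-party serialization library.
    static String roundTrip(String ownerName) throws Throwable {
        ReflectionFactory rf = ReflectionFactory.getReflectionFactory();
        // Handles to the private magic methods; no setAccessible call on any Field.
        MethodHandle write = rf.writeObjectForSerialization(Account.class);
        MethodHandle read = rf.readObjectForSerialization(Account.class);

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            write.invoke(new Account(ownerName), oos);
        }
        // Serialization constructor: runs Object's no-arg constructor, not Account(String),
        // so the new instance starts with owner == null.
        Account blank = (Account) rf.newConstructorForSerialization(Account.class).newInstance();
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            read.invoke(blank, ois); // the class's own readObject validates and sets state
        }
        return blank.owner();
    }

    public static void main(String[] args) throws Throwable {
        System.out.println(roundTrip("alice"));
    }
}
```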
  </body>
</html>