ObjectInputStream
Alan Bateman
Alan.Bateman at oracle.com
Thu Mar 1 01:45:55 PST 2012
On 01/03/2012 00:09, Jesse Glick wrote:
> On 02/24/2012 12:26 PM, David M. Lloyd wrote:
>> look at how ObjectInputStream resolves classes by default
>
> ...bizarrely, in fact. In NetBeans we created NbObjectInputStream [1]
> in part to solve this exact problem. (The getNBClassLoader method
> returns a "master" loader, also the default TCCL, which can load from
> any enabled module when unambiguous.)
>
> While NbOIS is a helpful replacement for OIS in module code, if a
> module calls a preexisting library using plain OIS, and this library
> tries to deserialize an instance of a class defined in some unrelated
> module, you are out of luck. Perhaps Jigsaw's ObjectStreamClass should
> be modified to store the module ID where available, which would be
> easier to use and also handle cases where multiple modules define a
> class of the same name?
>
> [1]
> https://hg.netbeans.org/core-main/raw-file/default/openide.util/src/org/openide/util/io/NbObjectInputStream.java
We know that serialization will require work. Probably RMI too. There
will be other areas in the JDK but we don't have a complete list. Jon
has changes to jtreg in the works that will allow us to run most of the
existing tests with modules and that should give us a more complete
picture. As always then contributions are welcome. For serialization
then it's critical that any changes have as many eyes on the changes as
possible, particularly security eyes.
-Alan
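
The approach the quoted message describes, as an added example that is not part of the original thread and not NetBeans or JDK code: a stream subclass overrides resolveClass so that a loader chosen by the caller resolves class names, instead of the default, which uses the first user-defined class loader found on the call stack. The names LoaderAwareObjectInputStream and Settings are hypothetical.

```java
import java.io.*;

// Added illustration; class names here are hypothetical, not NetBeans or JDK code.
public class LoaderAwareObjectInputStream extends ObjectInputStream {
    private final ClassLoader loader;

    public LoaderAwareObjectInputStream(InputStream in, ClassLoader loader) throws IOException {
        super(in);
        this.loader = loader;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        try {
            // initialize=false: resolving a name read from the stream must not
            // run static initializers.
            return Class.forName(desc.getName(), false, loader);
        } catch (ClassNotFoundException e) {
            // Primitive type descriptors (e.g. "int") are only known to the
            // default implementation.
            return super.resolveClass(desc);
        }
    }

    // Constructed sample type for the round trip.
    static class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Settings(String name) { this.name = name; }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Settings("demo"));
        }
        // The caller, not the call stack, decides which loader resolves the
        // class names found in the stream.
        ClassLoader chosen = Settings.class.getClassLoader();
        try (ObjectInputStream in = new LoaderAwareObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), chosen)) {
            Settings s = (Settings) in.readObject();
            System.out.println(s.name + " resolved via " + s.getClass().getClassLoader());
        }
    }
}
```

As the quoted message notes, this only helps code that constructs the subclass itself; a library that instantiates plain ObjectInputStream still gets the default resolution.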