[12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject

Roger Riggs Roger.Riggs at Oracle.com
Tue Aug 14 14:18:04 UTC 2018 

Hi Max,

On 8/14/2018 12:29 AM, Weijun Wang wrote:
>> On Aug 7, 2018, at 10:57 PM, Roger Riggs <roger.riggs at oracle.com> wrote:
>>
>> Hi Max,
>>
>> It may be useful to include in the descriptions a reminder that if no ObjectInputFilter
>> is supplied the global filter is used.  Details in ObjectInputStream.
> The new getObject() methods with an ObjectInputFilter does not allow it to be null, so it looks strange to mention this in the method spec.
True, the system filter would only apply to the original getObject() 
method in which a serial filter is not supplied.
> I'm thinking about these changes in the example part of the class spec:
>
>    *     Signature.getInstance(algorithm, provider);
>    * if (so.verify(publickey, verificationEngine))
>    *     try {
> - *         Object myobj = so.getObject();
> + *         ObjectInputFilter myfilter = ...;
> + *         Object myobj = so.getObject(myfilter);
>    *     } catch (java.lang.ClassNotFoundException e) {};
>    * }</pre>
>    *
> + * In this example, the {@link ObjectInputFilter} object is used during
> + * deserialization to check the contents of the stream. If {@link #getObject()}
> + * is called, the {@link ObjectInputFilter.Config#getSerialFilter()
> + * initial process-wide filter} is used.
>
> I copied the words from ObjectInputStream::getObjectInputFilter. Is this a formal name of the "global filter"?
I've had a request to update the terminology, so 'system filter' will be 
more appropriate.
[1] 8202675 <https://bugs.openjdk.java.net/browse/JDK-8202675> Replace 
process-wide terminology in serial filtering to be consistent

Regards, Roger

>> Thanks, Roger
>>
>>
>> On 8/7/18 2:31 AM, Weijun Wang wrote:
>>> Please review the code change at
>>>
>>>     webrev: http://cr.openjdk.java.net/~weijun/8193859/webrev.00/
>>>
>>> where
>>>
>>>        JBS: https://bugs.openjdk.java.net/browse/JDK-8193859
>>>        CSR: https://bugs.openjdk.java.net/browse/JDK-8193887
>>>
>>> Thanks
>>> Max
>>>
>>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180814/c14e0707/attachment.htm>

More information about the security-dev mailing list