[12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject
Sean Mullan
sean.mullan at oracle.com
Tue Aug 21 12:57:33 UTC 2018
On 8/20/18 11:06 PM, Weijun Wang wrote:
> That said, I think "before it is returned" is useful. How about this?
>
> * In this example, an {@link ObjectInputFilter} is used during
> * deserialization of the original object before it is returned. If {@link #getObject()} is
> * called, the {@link ObjectInputFilter.Config#getSerialFilter()
> * system filter} is used instead.
Better, but I might be a bit more specific about the purpose of the
filter. How about:
"In this example, an {@link ObjectInputFilter} is passed in to {@link
#getObject(ObjectInputFilter)} and used during deserialization to
validate the contents of the object before it is returned. If {@link
#getObject()} is called, the {@link
ObjectInputFilter.Config#getSerialFilter()
system filter} is used instead.
Also, I think the specification of the getObject() method should be
updated to say that the system filter is used to validate the
deserialized object. I realize that this was a previous side-effect of
adding the system filter and not part of this change, but this did
change the behavior of this method, so I think it should be added to the
specification while you are making changes. The CSR will also need to be
updated with this change.
--Sean
More information about the security-dev
mailing list