[12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject
Roger Riggs
roger.riggs at oracle.com
Tue Aug 21 15:27:18 UTC 2018
Hi Max,
On 8/21/18 11:19 AM, Weijun Wang wrote:
>> Also, I think the specification of the getObject() method should be updated to say that the system filter is used to validate the deserialized object. I realize that this was a previous side-effect of adding the system filter and not part of this change, but this did change the behavior of this method, so I think it should be added to the specification while you are making changes. The CSR will also need to be updated with this change.
> I can.
>
> In fact, I have always wanted to add a new @throws if the filter rejects the stream. The problem is that even ObjectInputStream::readObject does not clearly list one.
>
> *Roger*: According to ObjectInputStream::setObjectInputFilter it's InvalidClassException. Can I say "@throws InvalidClassException if the (system) filter returns REJECTED while deserializing the original object"?
Yes, that's accurate. The same @throws would apply to the other methods
also (except for the mention of "system").
Roger
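The behaviour being discussed, as an added example that is not part of the thread or of the OpenJDK change under review: a filter that answers REJECTED surfaces as InvalidClassException from ObjectInputStream.readObject, and the process-wide ("system") filter installed through ObjectInputFilter.Config is also consulted when SealedObject.getObject and SignedObject.getObject deserialize their content. The Payload class is a constructed sample type; everything else is standard JDK 9+ API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

public class FilterRejectDemo {

    // Constructed sample class for this demo; it stands in for whatever was sealed or signed.
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Payload(String note) { this.note = note; }
    }

    // Rejects Payload and leaves everything else UNDECIDED (other classes, and the
    // depth/size/reference checks for which serialClass() is null), so only the
    // targeted class is blocked.
    static final ObjectInputFilter REJECT_PAYLOAD = info ->
            info.serialClass() == Payload.class
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;

    static byte[] serialize(Serializable s) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(s);
        }
        return bos.toByteArray();
    }

    // Case 1: a per-stream filter set with ObjectInputStream.setObjectInputFilter.
    // REJECTED is reported by readObject as InvalidClassException.
    static String readWithStreamFilter(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(REJECT_PAYLOAD);
            ois.readObject();
            return "readObject: NOT rejected";
        } catch (InvalidClassException e) {
            return "readObject: InvalidClassException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Payload p = new Payload("constructed sample");
        System.out.println(readWithStreamFilter(serialize(p)));

        // Build the SealedObject and SignedObject before installing the process-wide
        // filter: their constructors only serialize, and serialization is never filtered.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, aesKey);
        SealedObject sealed = new SealedObject(p, enc);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        SignedObject signed = new SignedObject(p, kp.getPrivate(), Signature.getInstance("SHA256withRSA"));

        // Case 2: the process-wide ("system") filter, the programmatic equivalent of
        // -Djdk.serialFilter=... . It can be set only once per JVM, so this throws
        // IllegalStateException if the property was already given on the command line.
        ObjectInputFilter.Config.setSerialFilter(REJECT_PAYLOAD);

        try {
            sealed.getObject(aesKey);   // decryption succeeds; deserialization is filtered
            System.out.println("SealedObject.getObject: NOT rejected");
        } catch (InvalidClassException e) {
            System.out.println("SealedObject.getObject: InvalidClassException: " + e.getMessage());
        }

        // Verify the signature first: getObject() does not verify anything by itself.
        System.out.println("signature verifies: "
                + signed.verify(kp.getPublic(), Signature.getInstance("SHA256withRSA")));
        try {
            signed.getObject();
            System.out.println("SignedObject.getObject: NOT rejected");
        } catch (InvalidClassException e) {
            System.out.println("SignedObject.getObject: InvalidClassException: " + e.getMessage());
        }
    }
}
```

Run it with no jdk.serialFilter property set; all three deserialization attempts should end in the InvalidClassException branch. Note that catching InvalidClassException is only meaningful because it is a subclass of IOException, which every one of these getObject methods already declares; the @throws discussed in the thread documents that existing behaviour rather than adding a new checked exception.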