JDK 14 RFR of JDK-8231262: Suppress warnings on non-serializable instance fields in security libs serializable classes
Chris Hegarty
chris.hegarty at oracle.com
Sat Sep 21 11:15:30 UTC 2019
> On 19 Sep 2019, at 18:32, Joe Darcy <joe.darcy at oracle.com> wrote:
>
> Hello,
>
> Ahead of augmenting javac's serial lint checks under JDK-8160675, it would be helpful to mark fields in security libs classes where the class is serializable, but a non-transient instance field does *not* have a serialiable type. Such classes may have difficulties being serialized at runtime:
>
> JDK-8231262 : Suppress warnings on non-serializable instance fields in security libs serializable classes
> http://cr.openjdk.java.net/~darcy/8231262.0/
The changes look good to me.
The fields in PrivateCredentialPermission and SecureRandom, could be made final and assigned null, ensuring non-Serializable types will never leak into them. But equally, this could be left to a follow on change for someone working in the security area.
-Chris.
More information about the security-dev
mailing list