JDK 14 RFR of JDK-8231262: Suppress warnings on non-serializable instance fields in security libs serializable classes

Joe Darcy joe.darcy at oracle.com
Sat Sep 21 16:32:11 UTC 2019


On 9/21/2019 4:15 AM, Chris Hegarty wrote:
>
>> On 19 Sep 2019, at 18:32, Joe Darcy <joe.darcy at oracle.com> wrote:
>>
>> Hello,
>>
>> Ahead of augmenting javac's serial lint checks under JDK-8160675, it would be helpful to mark fields in security libs classes where the class is serializable, but a non-transient instance field does *not* have a serializable type. Such classes may have difficulties being serialized at runtime:
>>
>>      JDK-8231262 : Suppress warnings on non-serializable instance fields in security libs serializable classes
>>      http://cr.openjdk.java.net/~darcy/8231262.0/
> The changes look good to me.
>
> The fields in PrivateCredentialPermission and SecureRandom could be made final and assigned null, ensuring non-Serializable types will never leak into them. But equally, this could be left to a follow-on change for someone working in the security area.


I'd prefer to leave such code changes to people working more directly in 
the area.

Thanks for the review,

-Joe
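
The runtime difficulty discussed in this thread, shown as an added example that is not part of the original messages or of the JDK change under review. The classes `Handle`, `Leaky`, `Guarded` and `Pinned` are hypothetical names constructed for illustration; `Pinned` follows the "final and assigned null" suggestion from the review.

```java
import java.io.*;

public class SerialFieldDemo {
    // Constructed stand-in for a type that does not implement Serializable.
    static class Handle { }

    // Serializable class with a non-transient field whose declared type is not
    // Serializable: the pattern the serial lint check is meant to flag.
    static class Leaky implements Serializable {
        private static final long serialVersionUID = 1L;
        @SuppressWarnings("serial") // silences the lint warning only; runtime behaviour is unchanged
        private Object credential;
        Leaky(Object c) { credential = c; }
    }

    // Marking the field transient makes default serialization skip it.
    static class Guarded implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient Object credential;
        Guarded(Object c) { credential = c; }
    }

    // Final field fixed to null: no non-serializable value can ever be stored in it.
    static class Pinned implements Serializable {
        private static final long serialVersionUID = 1L;
        @SuppressWarnings("serial")
        private final Object credential = null;
    }

    // Serializes into memory and reports the outcome instead of throwing.
    static String trySerialize(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return "ok";
        } catch (NotSerializableException e) {
            return "NotSerializableException: " + e.getMessage();
        } catch (IOException e) {
            return "IOException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("Leaky(null):    " + trySerialize(new Leaky(null)));
        System.out.println("Leaky(String):  " + trySerialize(new Leaky("text")));
        System.out.println("Leaky(Handle):  " + trySerialize(new Leaky(new Handle())));
        System.out.println("Guarded(Handle):" + trySerialize(new Guarded(new Handle())));
        System.out.println("Pinned:         " + trySerialize(new Pinned()));
    }
}
```

Only the `Leaky(Handle)` case fails, which is why the problem depends on the value held at serialization time rather than on the declared field type alone.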