JDK 14 RFR of JDK-8231262: Suppress warnings on non-serializable instance fields in security libs serializable classes
Joe Darcy
joe.darcy at oracle.com
Sat Sep 21 16:32:11 UTC 2019
On 9/21/2019 4:15 AM, Chris Hegarty wrote:
>
>> On 19 Sep 2019, at 18:32, Joe Darcy <joe.darcy at oracle.com> wrote:
>>
>> Hello,
>>
>> Ahead of augmenting javac's serial lint checks under JDK-8160675, it would be helpful to mark fields in security libs classes where the class is serializable, but a non-transient instance field does *not* have a serialiable type. Such classes may have difficulties being serialized at runtime:
>>
>> JDK-8231262 : Suppress warnings on non-serializable instance fields in security libs serializable classes
>> http://cr.openjdk.java.net/~darcy/8231262.0/
> The changes look good to me.
>
> The fields in PrivateCredentialPermission and SecureRandom, could be made final and assigned null, ensuring non-Serializable types will never leak into them. But equally, this could be left to a follow on change for someone working in the security area.
I'd prefer to leave such code changes to people working more directly in
the area.
Thanks for the review,
-Joe
More information about the security-dev
mailing list