[jdk20] RFR: 8299891: JMX ObjectInputFilter additional classes needed [v2]
Kevin Walls
kevinw at openjdk.org
Tue Jan 31 14:29:38 UTC 2023
On Mon, 30 Jan 2023 21:20:55 GMT, Chris Plummer <cjplummer at openjdk.org> wrote:
>> It's "not everything else".
>>
>> https://docs.oracle.com/en/java/javase/19/core/serialization-filtering1.html
>>
>> "If a class name doesn’t match any filter, then it is allowed. If you want to allow only certain class names, then your filter must reject everything that doesn’t match. To reject all class names other than those specified, include !* as the last pattern in a class filter."
>
> Ok. It would be good to clarify that in the comment above this filter. Also, maybe put it on a new line. Otherwise at first glance it appears to have a relationship to the class immediately before it.
>
> Does this mean that this filter list would serve no purpose if the !* was omitted? I'm just curious as to why the !* is needed rather than it just being default behavior that a class has to match a filter in the list.

If a class is not matched, it is "undecided", mentioned at the end of the long comment. That is not a rejection, which that existing long comment does not state. For an actual rejection, we need the ! to match, so patterns generally end in !*

It's the same or very similar comment as in conf/security/java.security.

I added a note about the !* at the end to clarify, as it is new to use the filter in this area, and yes, put it on a new line.

-------------
PR: https://git.openjdk.org/jdk20/pull/97
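
The difference between "undecided" and rejected that the thread discusses, as an added example (not code from the PR or the JDK sources): it evaluates one allow list with and without the trailing `!*`. The allow list is constructed, and `FilterTailDemo`, `Info`, `check` and `deserializes` are hypothetical names; the record needs Java 16 or later.

```java
import java.io.*;
import java.util.Date;

public class FilterTailDemo {
    // Minimal FilterInfo so a filter can be queried without a stream.
    record Info(Class<?> serialClass, long arrayLength, long depth,
                long references, long streamBytes)
            implements ObjectInputFilter.FilterInfo {}

    // Status the pattern-based filter reports for a single class.
    static ObjectInputFilter.Status check(String pattern, Class<?> c) {
        ObjectInputFilter f = ObjectInputFilter.Config.createFilter(pattern);
        return f.checkInput(new Info(c, -1, 1, 1, 0));
    }

    // True if obj survives a serialize/deserialize round trip under the filter.
    // ObjectInputStream throws InvalidClassException only for REJECTED.
    static boolean deserializes(String pattern, Object obj) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            in.readObject();
            return true;
        } catch (InvalidClassException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow list; not the filter from the PR.
        String open = "java.lang.String;java.lang.Integer";
        String closed = open + ";!*";
        for (String p : new String[] {open, closed}) {
            System.out.println("pattern: " + p);
            System.out.println("  String -> " + check(p, String.class));
            System.out.println("  Date   -> " + check(p, Date.class));
            System.out.println("  Date deserializes: " + deserializes(p, new Date()));
        }
    }
}
```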