Explicit Serialization API and Security

Chris Hegarty chris.hegarty at oracle.com
Wed Jan 7 14:54:43 UTC 2015


On 06/01/15 17:49, Peter Levart wrote:
> On 01/06/2015 06:21 PM, Chris Hegarty wrote:
>> On 6 Jan 2015, at 15:06, Peter Levart <peter.levart at gmail.com> wrote:
>>
>>> On 01/06/2015 04:03 PM, Peter Levart wrote:
>>>> private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
>>>>         ObjectInputStream.GetField fields = in.readFields(); // this already validates the types
>>> Well, not true currently. But type validation could be added at this
>>> point.
>> Right. I think I’ll file a bug to track this as it seems reasonable to
>> add type validation to readFields and defaultReadObject. So we can
>> probably assume/ignore it in this discussion.
>>
>> I like the idea of a callback into the serialization framework to
>> handle the setting of final fields, after validation. I played a
>> little with your patch and added it to a branch in the sandbox**
>>
>> So a simple example, without legacy fields, might look as below (
>> without the need for writeObject or serialPersistentFields ). The
>> simple validating readObject is starting to look like boilerplate?
>
> Well, 1st and last line are always the same, yes. What's between them is
> what you would have to write in a special check-only method too.

I guess what I'm getting at is, if you want just invariant checking, 
then maybe something like this would be more readable:

     @SerialInvariantChecker()
     private static void validate(@SerialParam(name="lo", type=Integer.class) int lo,
                                  @SerialParam(name="hi", type=Integer.class) int hi)
     {
         if (lo > hi)
             throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
     }

    ... and the serialization machinery would call this when appropriate.

-Chris


> Regards, Peter
>
>>
>> public class SimpleInterval implements Serializable {
>>
>>      private final int lo, hi;
>>
>>      private static void validate(int lo, int hi) {
>>          // invariant
>>          if (lo > hi)
>>              throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
>>      }
>>
>>      public SimpleInterval(int lo, int hi) {
>>          validate(lo, hi);
>>          this.lo = lo;
>>          this.hi = hi;
>>      }
>>
>>      public int getLo() { return lo; }
>>
>>      public int getHi() { return hi; }
>>
>>      private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
>>          ObjectInputStream.GetField fields = in.readFields();
>>
>>          // validate 'lo' and 'hi' fields invariant
>>          int lo = fields.get("lo", 0);
>>          int hi = fields.get("hi", 0);
>>          validate(lo, hi);
>>
>>          // set current fields from read data
>>          fields.defaultReadFields(); // this is new API!
>>      }
>> }
>>
>> -Chris.
>>
>> ** hg clone http://hg.openjdk.java.net/jdk9/sandbox sandbox
>>      cd sandbox
>>      sh get_source.sh
>>      sh common/bin/hgforest.sh update -r serial-exp-branch
>>
>>      I also added your example, etc, under:
>>        jdk/test/java/io/Serializable/invarientChecker
>>
>>      see http://cr.openjdk.java.net/~chegar/docs/sandbox.html
>>
>
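
Added example, not code from the thread or from the sandbox branch: how the lo <= hi invariant of the SimpleInterval class above can be re-established on deserialization with the java.io API that exists today, where readFields() cannot be followed by assigning final fields (the defaultReadFields() callback under discussion does not exist). It uses the serialization proxy pattern instead, so the public constructor does the validating; the class and field names are constructed.

```java
import java.io.*;

// Added example (not from the thread): the lo <= hi invariant is re-checked on
// deserialization by routing through a proxy whose readResolve() calls the constructor.
public final class GuardedInterval implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int lo, hi;

    public GuardedInterval(int lo, int hi) {
        if (lo > hi)
            throw new IllegalArgumentException("lo:" + lo + " > hi:" + hi);
        this.lo = lo;
        this.hi = hi;
    }

    public int getLo() { return lo; }
    public int getHi() { return hi; }

    // Serialize a proxy instead of this object, so the stream never carries
    // GuardedInterval's own field data and its finals are only ever set by the constructor.
    private Object writeReplace() { return new Proxy(lo, hi); }

    // Reject any stream that tries to deserialize GuardedInterval directly.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("proxy required");
    }

    private static final class Proxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int lo, hi;
        Proxy(int lo, int hi) { this.lo = lo; this.hi = hi; }

        // Runs after the proxy's fields are read: the public constructor re-checks
        // the invariant, so a stream carrying lo > hi is rejected here.
        private Object readResolve() throws InvalidObjectException {
            try {
                return new GuardedInterval(lo, hi);
            } catch (IllegalArgumentException e) {
                throw new InvalidObjectException("invariant violated: " + e.getMessage());
            }
        }
    }

    // Round trip through a byte array: the proxy path is transparent to callers.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new GuardedInterval(1, 5));
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            GuardedInterval g = (GuardedInterval) in.readObject();
            System.out.println("lo=" + g.getLo() + " hi=" + g.getHi());
        }
    }
}
```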