Explicit Serialization API and Security

David M. Lloyd david.lloyd at redhat.com
Wed Jan 7 16:14:58 UTC 2015 

On 01/07/2015 10:02 AM, Peter Levart wrote:
> On 01/07/2015 03:54 PM, Chris Hegarty wrote:
>> On 06/01/15 17:49, Peter Levart wrote:
>>> On 01/06/2015 06:21 PM, Chris Hegarty wrote:
>>>> On 6 Jan 2015, at 15:06, Peter Levart <peter.levart at gmail.com> wrote:
>>>>
>>>>> On 01/06/2015 04:03 PM, Peter Levart wrote:
>>>>>> private void readObject(ObjectInputStream in) throws IOException,
>>>>>> ClassNotFoundException {
>>>>>>         ObjectInputStream.GetField fields = in.readFields(); // this
>>>>>> already validates the types
>>>>> Well, not true currently. But type validation could be added at this
>>>>> point.
>>>> Right. I think I’ll file a bug to track this as it seems reasonable to
>>>> add type validation to readFields and defaultReadObject. So we can
>>>> probably assume/ignore it in this discussion.
>>>>
>>>> I like the idea of a callback into the serialization framework to
>>>> handling the setting of final fields, after validation. I played a
>>>> little with your patch and added it to a branch in the sandbox**
>>>>
>>>> So a simple example, without legacy fields, might looks as below (
>>>> without the need for writeObject or serialPersistentFields ). The
>>>> simple validating readObject is starting to look like boilerplate ?
>>>
>>> Well, 1st and last line are always the same, yes. What's between them is
>>> what you would have to write in a special check-only method too.
>>
>> I guess what I'm getting at is, if you want just invariant checking,
>> then maybe something like this would be more readable:
>>
>>     @SerialInvariantChecker()
>>     private static void validate(@SerialParam(name="lo",
>> type=Integer.class)int lo,
>>                                  @SerialParam(name="hi",
>> type=Integer.class)int hi)
>>     {
>>         if (lo > hi)
>>             throw new IllegalArgumentException("lo:" + lo + " > hi:" +
>> hi);
>>     }
>>
>>    ... and the serialization machinery would call this when appropriate.
>
> Nice.
>
> We have method parameter names accessible via reflection since JDK8 and
> types have always been, so no @SerialParam is necessary.

I tend to disagree, a bit.  Most superficially, there's no reason to 
bind serialization stream parameter names to method parameter names. 
But more importantly, this implies a pretty complex implementation when 
you consider we already have an API to represent the fields of a class 
in a stream (GetFields) as well as a well-established convention of 
using specifically-named private members for this kind of thing (in the 
form of readObject/writeObject, objectStreamFields, etc.).

You could just as well support this approach, and probably with a 
substantially simpler implementation:

   private static void validate(GetField fields) {
      if (fields.getInt("lo") > fields.getInt("hi")) { ... }
   }

But given these principles, I think this idea proposal was superior and 
is a sort of obvious "why wasn't it always this way" kind of thing:

>>>On 01/06/2015 06:21 PM, Chris Hegarty wrote:
>>>>[...]
>>>>      private void readObject(ObjectInputStream in) throws IOException,
>>>> ClassNotFoundException {
>>>>          ObjectInputStream.GetField fields = in.readFields();
>>>>
>>>>          // validate 'lo' and 'hi' fields invariant
>>>>          int lo = fields.get("lo", 0);
>>>>          int hi = fields.get("hi", 0);
>>>>          validate(lo, hi);
>>>>
>>>>          // set current fields from read data
>>>>          fields.defaultReadFields(); // this is new API!
>>>>      }

-- 
- DML

More information about the core-libs-dev mailing list