Explicit Serialization API and Security

Brian Goetz brian.goetz at oracle.com
Thu Jan 8 20:10:40 UTC 2015


> 1) Validate invariants
>
>      A clear and easy to understand mechanism that can validate the deserialized
>      fields. Does not prevent the use of final fields, as the serialization framework
>      will be responsible for setting them. Something along the lines of what David
>      suggested:
>
>        private static void validate(GetField fields) {
>            if (fields.getInt("lo") > fields.getInt("hi")) { ... }
>        }
>
>      This could be a “special” method, or annotation driven. TBD.
>
>      Note: the validate method is static, so the object instance is not required to
>      be created before running the validation.

Sort of...

This is true if the fields participating in the invariant are 
primitives.  But if they're refs, what do you do?  What if you want to 
validate something like

   count == list.size()   // fields are int count, List list

?  Then wouldn't GetField.getObject have to deserialize the object 
referred to by that field?

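The two cases the thread contrasts, shown with today's `readObject`/`readFields()` API rather than the proposed static `validate` (an added example in Java, not code from this thread or the JDK; `InvariantDemo`, `Range` and `CountedList` are constructed for illustration). The primitive check on `Range` can reject the stream before any field is assigned; the reference check on `CountedList` cannot run until `GetField.get("list", ...)` has deserialized the list and everything it points to, which is the problem Brian raises.

```java
import java.io.*;
import java.util.*;
public class InvariantDemo {
    // Primitive-only invariant (lo <= hi): the GetField view hands back the raw
    // stream values, so the check runs before any field is assigned.
    static final class Range implements Serializable {
        int lo, hi;   // non-final: with readFields() we must assign them ourselves
        Range(int lo, int hi) { this.lo = lo; this.hi = hi; }   // no check here, on purpose (see main)
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField f = in.readFields();
            int lo = f.get("lo", 0), hi = f.get("hi", 0);
            if (lo > hi) throw new InvalidObjectException("lo > hi: " + lo + " > " + hi);
            this.lo = lo; this.hi = hi;
        }
    }
    // Reference invariant (count == list.size()): reading "list" through GetField
    // deserializes the List and everything it references before the check can run.
    static final class CountedList implements Serializable {
        int count; List<String> list;
        CountedList(List<String> list) { this.list = list; this.count = list.size(); }
        @SuppressWarnings("unchecked")
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField f = in.readFields();
            int count = f.get("count", 0);
            List<String> list = (List<String>) f.get("list", null);   // object graph materialised here
            if (list == null || count != list.size())
                throw new InvalidObjectException("count " + count + " != list.size() " + (list == null ? "null" : list.size()));
            this.count = count; this.list = list;
        }
    }
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        roundTrip(new Range(1, 5));                                  // accepted
        CountedList ok = new CountedList(new ArrayList<>(Arrays.asList("a", "b")));
        roundTrip(ok);                                               // accepted
        // Inconsistent instances built in-process stand in for a damaged or untrusted stream.
        CountedList bad = new CountedList(new ArrayList<>(Arrays.asList("a"))); bad.count = 7;
        for (Object o : new Object[] { new Range(5, 1), bad }) {
            try { roundTrip(o); System.out.println("accepted (unexpected)"); }
            catch (InvalidObjectException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Note that `f.get("list", null)` is where the cost and the exposure sit: whatever the stream says the list is gets instantiated before `count != list.size()` is ever compared, so a reference-based invariant can only ever reject the graph after it has been built.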



More information about the core-libs-dev mailing list