Explicit Serialization API and Security

Chris Hegarty chris.hegarty at oracle.com
Wed Jan 14 11:39:26 UTC 2015


On 13/01/15 00:51, Peter Firmstone wrote:
> ----- Original message -----
>  > On 10/01/15 07:00, Peter Firmstone wrote:
>  > > Again, thank you all for engaging in discussion of this very difficult
>  > > topic.
>  > >
>  > > While we can't presently check intra object dependencies during
>  > > deserialization with readObject(), the examples I provide can do this.
>  >
>  > I have replied to David's mail with a small change to GetField (added
>  > superTypeFields()) to return the deserialized supertypes' fields. This
>  > gives subtypes the ability to check values of the supertypes persistent
>  > state.
>
> Unfortunately this breaks encapsulation, a class is then locked into
> using that serial form as public api forever.

Yes, of course. Withdrawn.

-Chris.
