RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]

[Chris Hegarty]

On Thu, 20 May 2021 16:10:11 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization.  See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>     http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup the example

src/java.base/share/classes/java/io/ObjectInputFilter.java line 559:

> 557:          * Returns the static JVM-wide deserialization filter or {@code null} if not configured.
> 558:          *
> 559:          * @return the static JVM-wide deserialization filter or {@code null} if not configured

Is "static" significant here? Can it be dropped?   I fine myself questioning if the "static JVM-wide" and "JVM-wide" are two different filters. If we do this then we have just two terms: 1) the "JVM-wide deserialization filter" and 2) the "JVM-wide deserialization filter factory".

Additionally, can you please check all occurrence of these, to ensure that they are used consistently in all parts of the spec. I think I see serial/serialization (without the "de" ) used in a few places.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996