RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]

Roger Riggs rriggs at openjdk.java.net
Fri May 21 17:11:59 UTC 2021


On Fri, 21 May 2021 15:54:50 GMT, Chris Hegarty <chegar at openjdk.org> wrote:

>> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup the example
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 365:
> 
>> 363:      * A utility class to set and get the JVM-wide deserialization filter factory,
>> 364:      * the static JVM-wide filter, or to create a filter from a pattern string.
>> 365:      * If a JVM-wide filter factory or static JVM-wide filter is set, it will determine the filter
> 
> This concerns me, "A JVM-wide filter factory". I was going to suggest that it should be "The ..", but then realised that there can only ever be one present at a time, but in the lifetime of a JVM there can be two (since getSerialFilterFactory if invoked before setSerialFilterFactory will subsequently return a different JVM-wide factory). Is this intentional? It would be great if this could be "The ..", so that setXXX can only be invoked successfully if getXXX has not been. This may seem somewhat insignificant, but the fact that the JVM-wide factory can change makes the model harder to understand.

It is reasonable to require that the factory be set before any OIS is constructed.
Similar to the restriction that the filter on a stream cannot be changed after the first call to readObject.
So an IllegalStateException added to Config.setSerialFilterFactory.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
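
The ordering rule discussed in this message, as an added example that is not part of the original email or the JDK sources. It assumes a JDK 17 or later runtime where `ObjectInputFilter.Config.setSerialFilterFactory` behaves as described in the reply, and that no `jdk.serialFilterFactory` system property is set; the class name `FilterFactoryOrdering`, the `baseline` pattern and the sample objects are hypothetical and constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.function.BinaryOperator;

public class FilterFactoryOrdering {   // hypothetical class name
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow-list: java.lang classes only, every other class rejected.
        ObjectInputFilter baseline = ObjectInputFilter.Config.createFilter("java.lang.*;!*");

        // Factory: keep a filter that was explicitly requested or is already in
        // place on the stream, otherwise fall back to the baseline.
        BinaryOperator<ObjectInputFilter> factory =
            (current, requested) -> requested != null ? requested
                                  : current != null ? current : baseline;

        // 1. Install the factory before any ObjectInputStream is constructed.
        ObjectInputFilter.Config.setSerialFilterFactory(factory);

        // 2. Streams constructed from here on obtain their filter from the factory.
        System.out.println("read: " + read(serialize("sample")));
        try {
            read(serialize(new ArrayList<String>()));   // java.util is not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // 3. A later attempt to change the factory is refused: the factory has
        //    already been set and streams have already been constructed.
        try {
            ObjectInputFilter.Config.setSerialFilterFactory((c, r) -> r);
        } catch (IllegalStateException e) {
            System.out.println("late set refused: " + e.getMessage());
        }
    }
}
```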

