RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]
Roger Riggs
rriggs at openjdk.java.net
Mon May 24 15:12:06 UTC 2021
On Mon, 24 May 2021 08:31:29 GMT, Chris Hegarty <chegar at openjdk.org> wrote:
>> It is reasonable to require that the factory be set before any OIS is constructed.
>> Similar to the restriction that the filter on a stream cannot be changed after the first call to readObject.
>> So an IllegalStateException added to Config.setSerialFilterFactory.
>
> Ok, great. So setSerialFilterFactory cannot be successfully invoked after any of i) getSerialFilterFactory, or ii) an OIS is constructed. I don't yet see this in the code.
The spec/code is forthcoming.
ii) is sufficient to prevent ambiguity in which filter is used throughout the Java runtime;
though it requires a bit of package-private plumbing.
i) is too limiting. It should be possible for an application to check whether a filter factory has been provided on the command line (by calling getSerialFilterFactory) and, if not, set the factory itself. It may also want to install its own filter factory that delegates to the builtin factory without needing to re-implement the builtin behavior.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
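
The delegation and ordering rules discussed in this message, as an added example that is not part of the original thread or the PR. It is written against the `ObjectInputFilter.Config` API as it shipped in JDK 17, which may differ from the revision under review here. The class name `DelegatingFilterFactory`, the `BASELINE` limits, the `install` helper and the use of the `jdk.serialFilterFactory` system property as the command-line check are assumptions of the example.

```java
import java.io.*;
import java.util.function.BinaryOperator;

public class DelegatingFilterFactory {
    // Constructed limits, applied to every stream in addition to the builtin result.
    static final ObjectInputFilter BASELINE =
            ObjectInputFilter.Config.createFilter("maxdepth=20;maxrefs=10000");

    /** Returns true if this code installed the factory, false if one was configured at launch. */
    static boolean install() {
        // Assumption: a launch-time factory is named via -Djdk.serialFilterFactory=<class>.
        // A factory named only in the java.security file is not detected by this check.
        if (System.getProperty("jdk.serialFilterFactory") != null) {
            return false;
        }
        BinaryOperator<ObjectInputFilter> builtin =
                ObjectInputFilter.Config.getSerialFilterFactory();
        ObjectInputFilter.Config.setSerialFilterFactory((current, next) -> {
            // Delegate first, so the builtin selection logic is reused, not re-implemented.
            ObjectInputFilter chosen = builtin.apply(current, next);
            return chosen == null ? BASELINE : ObjectInputFilter.merge(chosen, BASELINE);
        });
        return true;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("installed: " + install()); // before any ObjectInputStream exists

        Object nested = "leaf";                        // constructed input: 25 nested arrays
        for (int i = 0; i < 25; i++) {
            nested = new Object[] { nested };
        }
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(nested);
        }
        try (ObjectInputStream in =
                new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
        try { // a stream has been constructed, so the factory can no longer be replaced
            ObjectInputFilter.Config.setSerialFilterFactory((current, next) -> next);
        } catch (IllegalStateException e) {
            System.out.println("late setSerialFilterFactory: " + e.getMessage());
        }
    }
}
```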