Regarding AdbaType.JAVA_OBJECT

Alexander Kjäll alexander.kjall at
Mon Sep 17 19:08:11 UTC 2018


I would like to ask about how the JAVA_OBJECT type is supposed to be

One way to do it would be to use java's built in serialization, but
that's impossible without creating a serialization security hole in
the driver, same if I serialize it to xml/json and let arbitrary types
be deserialized.

One way to maybe implement it without security holes is to let the end
user register classes that are allowed, but that feels very clunky.

I'm also questioning the usefulness of this feature in regard to all
the serialization security holes java are suffering from, is it really
needed or can it be dropped?

best regards
Alexander Kjäll

More information about the jdbc-spec-discuss mailing list