Regarding AdbaType.JAVA_OBJECT

Douglas Surber douglas.surber at oracle.com
Mon Sep 17 19:36:49 UTC 2018


JAVA_OBJECT is included in AdbaType solely because it is in JDBCTypes and JDBCType. How and if it is implemented is entirely up to the database vendor and/or driver implementer. Or we can remove it.

Douglas

> On Sep 17, 2018, at 12:08 PM, Alexander Kjäll <alexander.kjall at gmail.com> wrote:
> 
> Hi
> 
> I would like to ask about how the JAVA_OBJECT type is supposed to be
> implemented.
> 
> One way to do it would be to use Java's built-in serialization, but
> that's impossible without creating a serialization security hole in
> the driver; the same applies if I serialize it to XML/JSON and let arbitrary types
> be deserialized.
> 
> One way to maybe implement it without security holes is to let the end
> user register classes that are allowed, but that feels very clunky.
> 
> I'm also questioning the usefulness of this feature in regard to all
> the serialization security holes Java is suffering from. Is it really
> needed, or can it be dropped?
> 
> best regards
> Alexander Kjäll
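The "register classes that are allowed" approach from the quoted message, shown as an added example that is not part of this thread and not ADBA, JDBC or any vendor driver code: a hypothetical driver-side codec (`JavaObjectCodec`, `register`, `encode`, `decode` and the sample `Point` type are all assumed names) that backs JAVA_OBJECT with Java serialization but installs a `java.io.ObjectInputFilter` (Java 9+) so that only registered classes, a small assumed set of JDK value types, and primitives are ever instantiated from a column value. Everything else is refused before the stream can construct an object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;

/**
 * Hypothetical driver-side codec for JAVA_OBJECT values (illustration only,
 * not ADBA/JDBC API code). Only classes the application registered are ever
 * instantiated from a stream; everything else is refused by an ObjectInputFilter.
 */
public final class JavaObjectCodec {

    // Assumed policy: a few JDK value types are always acceptable as field values.
    private static final Set<Class<?>> JDK_VALUE_TYPES = Set.of(
            String.class, Integer.class, Long.class, Double.class, Boolean.class,
            java.math.BigDecimal.class, java.math.BigInteger.class);

    private final Set<Class<?>> allowed = new CopyOnWriteArraySet<>(JDK_VALUE_TYPES);

    /** Application-side registration of a type that may cross the JAVA_OBJECT boundary. */
    public void register(Class<? extends Serializable> type) {
        allowed.add(type);
    }

    /** Serializes a value; refuses types that were never registered. */
    public byte[] encode(Serializable value) throws IOException {
        if (!allowed.contains(value.getClass())) {
            throw new IllegalArgumentException("type not registered: " + value.getClass().getName());
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Deserializes a column value under an allow-list filter. */
    public Object decode(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowListOnly = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Not a class check (stream depth, array length, reference count):
                // leave those to the stream's default limits.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {
                c = c.getComponentType();   // judge arrays by their element type
            }
            if (c.isPrimitive() || allowed.contains(c)) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            // REJECTED makes ObjectInputStream throw InvalidClassException before the
            // class's deserialization hooks (readObject, readResolve) get a chance to run.
            // Note: the class has already been resolved (loaded, not initialized) by the
            // time the filter sees it; the filter prevents construction, not loading.
            return ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowListOnly);
            return in.readObject();
        }
    }

    /** Constructed sample type standing in for an application class. */
    public static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final String label;
        final int x, y;
        Point(String label, int x, int y) { this.label = label; this.x = x; this.y = y; }
        @Override public String toString() { return label + "(" + x + "," + y + ")"; }
    }

    public static void main(String[] args) throws Exception {
        JavaObjectCodec codec = new JavaObjectCodec();
        codec.register(Point.class);

        // A registered type round-trips.
        byte[] ok = codec.encode(new Point("origin", 0, 0));
        System.out.println("decoded: " + codec.decode(ok));

        // An unregistered type (java.util.Date, serialized directly to simulate a
        // value the driver did not write itself) is refused at the filter.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new java.util.Date(0));
        }
        try {
            codec.decode(bos.toByteArray());
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The registry is the clunky part the message complains about, and the example does not hide that: the application must call `register` for every type it stores, and `encode` refuses anything else so that a driver never emits a stream it would later decline to read. The filter is the piece that turns the registry into an actual control, since a class that is not on the list is rejected before any of its deserialization callbacks run; the default global limits on depth, array length and reference count remain in force because the filter returns `UNDECIDED` for non-class checks.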
