Regarding AdbaType.JAVA_OBJECT

Alexander Kjäll alexander.kjall at
Wed Sep 19 13:39:28 UTC 2018

My personal opinion is that this feature isn't widely in use and is very 
hard or maybe impossible to implement without deserialization security 
holes, so the gains from dropping it outweights the loss of functionality.

Just my 0.02€


On 17. sep. 2018 21:36, Douglas Surber wrote:
> JAVA_OBJECT is included in AdbaType solely because it is in JDBCTypes and JDBCType. How and if it is implemented is entirely up to the database vendor and/or driver implementer. Or we can remove it.
> Douglas
>> On Sep 17, 2018, at 12:08 PM, Alexander Kjäll <alexander.kjall at> wrote:
>> Hi
>> I would like to ask about how the JAVA_OBJECT type is supposed to be
>> implemented.
>> One way to do it would be to use java's built in serialization, but
>> that's impossible without creating a serialization security hole in
>> the driver, same if I serialize it to xml/json and let arbitrary types
>> be deserialized.
>> One way to maybe implement it without security holes is to let the end
>> user register classes that are allowed, but that feels very clunky.
>> I'm also questioning the usefulness of this feature in regard to all
>> the serialization security holes java are suffering from, is it really
>> needed or can it be dropped?
>> best regards
>> Alexander Kjäll

More information about the jdbc-spec-discuss mailing list