Re: RFR 9: 8155760 Implement Serialization Filtering

Mon, 12 Sep 2016 10:16:48 -0700 

Hi Roger,

ObjectInputStream.java: some cosmetic comments:
317 * {@link ObjectInputFilter.Config#getSerialFilter() the process-wide filter}. 352 * {@link ObjectInputFilter.Config#getSerialFilter() the process-wide filter}. 

 => should be @linkplain
1185 * The filter, when not {@code null}, is invoked during {@linkplain #readObject()} 
1186      * and {@linkplain #readUnshared readUnshared} for each object
       (+ also at lines 1207,1208,1211,1212,
Should that be @link? I saw that in other places, readObject and
readUnshared were not wrapped in {@code } - so for consistency it
might make sense to use @linkplain. However the usual idiom would
be to use {@link }.

2046                 // Filter the replacement object
2047                 if (rep != null) {
2048                     if (rep.getClass().isArray()) {
2049 filterCheck(rep.getClass(), Array.getLength(rep)); 
2050                     } else {
2051                         filterCheck(rep.getClass(), -1);
2052                     }
2053                 }

In this case should the filter be also invoked with the
class of each element in the substituted array?
Or is it OK that only the array type is checked (could be
"[Ljava.lang.Object;" containing elements of classes
X, Y, Z, but the filter will only see the array type).

best regards,

-- daniel

On 08/09/16 20:09, Roger Riggs wrote:

Please review updates to the Serialization filtering API and
implementation:
  - The ObjectInputFilter pattern based filters support matching on
module names as well as package and class names.
  - Rename of system property and java.security property for
configurable filters.  (jdk.serialFilter)
  - ObjectInputFilter clarifications about the values passed to the filter
  - Javadoc editorial improvements
  - Clarification of SerializablePermission description of targets

  - More tests

Webrev:
http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/

SpecDiff:
http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html

Javadoc (subset)
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html

http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html

http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html


Thanks, Roger

Reply via email to