Hi Roger,
ObjectInputStream.java: some cosmetic comments:
317 * {@link ObjectInputFilter.Config#getSerialFilter() the
process-wide filter}.
352 * {@link ObjectInputFilter.Config#getSerialFilter() the
process-wide filter}.
=> should be @linkplain
1185 * The filter, when not {@code null}, is invoked during
{@linkplain #readObject()}
1186 * and {@linkplain #readUnshared readUnshared} for each object
(+ also at lines 1207,1208,1211,1212,
Should that be @link? I saw that in other places, readObject and
readUnshared were not wrapped in {@code } - so for consistency it
might make sense to use @linkplain. However the usual idiom would
be to use {@link }.
2046 // Filter the replacement object
2047 if (rep != null) {
2048 if (rep.getClass().isArray()) {
2049 filterCheck(rep.getClass(),
Array.getLength(rep));
2050 } else {
2051 filterCheck(rep.getClass(), -1);
2052 }
2053 }
In this case should the filter be also invoked with the
class of each element in the substituted array?
Or is it OK that only the array type is checked (could be
"[Ljava.lang.Object;" containing elements of classes
X, Y, Z, but the filter will only see the array type).
best regards,
-- daniel
On 08/09/16 20:09, Roger Riggs wrote:
Please review updates to the Serialization filtering API and
implementation:
- The ObjectInputFilter pattern based filters support matching on
module names as well as package and class names.
- Rename of system property and java.security property for
configurable filters. (jdk.serialFilter)
- ObjectInputFilter clarifications about the values passed to the filter
- Javadoc editorial improvements
- Clarification of SerializablePermission description of targets
- More tests
Webrev:
http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
SpecDiff:
http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
Javadoc (subset)
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
Thanks, Roger