On 08/09/16 20:09, Roger Riggs wrote:
Please review updates to the Serialization filtering API and
implementation:
- The ObjectInputFilter pattern based filters support matching on
module names as well as package and class names.
- Rename of system property and java.security property for
configurable filters. (jdk.serialFilter)
- ObjectInputFilter clarifications about the values passed to the filter
- Javadoc editorial improvements
- Clarification of SerializablePermission description of targets
- More tests
Webrev:
http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
This looks very good Roger, just a few comments:
1) The pattern separator in the java.security file should be ';'
Right?
925 #jdk.serialFilter=pattern,pattern
^^^
2) A question on the excepted usage. During the initialization of
OIS the process-wide filter is cached in an instance field,
'serialFilter'. A subsequent change to the process-wide filter
will not affect the OIS instance. I think this is ok, just
checking the expected usage, as the example in the OIF class
description reads the process-wide filter ever time. Maybe
the example should be changed slightly to no promote this type
of usage? Maybe just remove the call to getSerialFilter?
3) Are third-party OIS implementations required, or expected, to
"callback" to the filter? The spec, of course, would appear to
allow it, but not require it? Just wondering if this is required,
or not, as it is not clear to me.
-Chris.
SpecDiff:
http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
Javadoc (subset)
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/SerializablePermission.html
Thanks, Roger
