On Wed, 26 May 2021 06:21:12 GMT, Peter Levart <[email protected]> wrote:
>> Roger Riggs has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Editorial updates
>> Updated java.security properties to include jdk.serialFilterFactory
>> Added test cases to SerialFilterFactoryTest for java.security properties and
>> enabling of the SecurityManager with existing policy permission files
>> Corrected a test that OIS.setObjectInputFilter could not be called twice.
>> Removed a Factory test that was not intended to be committed
>
> src/java.base/share/classes/java/io/ObjectInputStream.java line 1265:
>
>> 1263: * must return a non-null filter. It is not permitted to remove filtering once established.
>> 1264: * See the {@linkplain ObjectInputFilter filter models} for examples of composition and delegation.
>> 1265: *
>
> Hi Roger,
> When I first read this javadoc, I was a little confused and had to peek into
> the implementation. After that, I understood the above text, but without
> peeking and in-depth knowledge, I couldn't. The confusing part is the
> apparently conflicting claims made by 1st vs. 2nd paragraph. Both talk about
> setting the deserialization filter - the 1st just says "set the
> deserialization filter for the stream", and with the `setObjectInputFilter`
> method having a sole `filter` parameter, together these establish a simple
> picture - ah, just a setter method. But no, the 2nd paragraph talks about
> something entirely different which doesn't fit into the established picture.
> So would it be possible to rephrase that 1st paragraph somehow? Or what about
> starting with 2nd paragraph: "Set the deserialization filter for the stream
> to the filter returned by invoking ...." followed by 1st paragraph: "The
> filter can be set and only set once before reading any objects..."
Also a better wording for the following paragraph could be: "This method can
only be called once and before reading any objects with this ObjectInputStream".
Talking about "The filter can only be set once" is a little confusing, since
the filter may actually already be set to the JVM-wide filter when this method is
called to replace it with a per-OIS filter.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
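
The call-once behaviour discussed in this message, as an added example that is not code from the pull request or from the JDK sources. It assumes JDK 17 or later, where the rejection after a read applies; the class name `SetFilterOnceDemo`, the helpers `open` and `trySet`, and the filter pattern are hypothetical, and the serialized list is constructed sample input.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SetFilterOnceDemo {
    // Constructed sample input: one serialized ArrayList<String>.
    static ObjectInputStream open() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(List.of("a", "b")));
        }
        return new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
    }

    // Returns "ok" or the exception message, so each call's outcome is visible.
    static String trySet(ObjectInputStream in, ObjectInputFilter f) {
        try {
            in.setObjectInputFilter(f);
            return "ok";
        } catch (IllegalStateException e) {
            return "IllegalStateException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Per-stream allow-list; "!*" rejects every class not matched earlier.
        ObjectInputFilter perStream =
                ObjectInputFilter.Config.createFilter("java.util.*;java.lang.*;!*");

        try (ObjectInputStream in = open()) {
            // Already non-null here if a JVM-wide filter (jdk.serialFilter) is configured.
            System.out.println("filter after constructor: " + in.getObjectInputFilter());
            System.out.println("first call:  " + trySet(in, perStream));
            System.out.println("second call: " + trySet(in, perStream));
            System.out.println("filter in effect: " + in.getObjectInputFilter());
            System.out.println("read: " + in.readObject());
        }

        try (ObjectInputStream in = open()) {
            in.readObject();  // an object has been read before any call
            System.out.println("call after read: " + trySet(in, perStream));
        }
    }
}
```

Running it with `-Djdk.serialFilter=...` set shows the case the message points out: the stream already has a filter after construction, yet the first `setObjectInputFilter` call is still accepted.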