On Fri, 28 May 2021 15:58:17 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> Roger Riggs has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains 13 additional >> commits since the last revision: >> >> - Merge branch 'master' into 8264859-context-filter-factory >> - Added test for rejectUndecidedClass array cases >> Added test for preventing disabling filter factory >> Test cleanup >> - Editorial updates to review comments. >> Simplify the builtin filter factory implementation. >> Add atomic update to setting the filter factory. >> Clarify the description of OIS.setObjectInputFilter. >> Cleanup of the example code. >> - Editorial updates >> Updated java.security properties to include jdk.serialFilterFactory >> Added test cases to SerialFilterFactoryTest for java.security properties >> and >> enabling of the SecurityManager with existing policy permission files >> Corrected a test that OIS.setObjectInputFilter could not be called twice. >> Removed a Factory test that was not intended to be committed >> - Moved utility filter methods to be static on ObjectInputFilter >> Rearranged the class javadoc of OIF to describe the parts of >> deserialization filtering, filters, composite filters, and the filter >> factory. >> And other review comment updates... >> - Refactored tests for utility functions to SerialFilterFunctionTest.java >> Deleted confused Config.allowMaxLimits() method >> Updated example to match move of methods to Config >> Added test of restriction on setting the filterfactory after a OIS has >> been created >> Additional Editorial updates >> - Move merge and rejectUndecidedClass methods to OIF.Config >> As default methods on OIF, their implementations were not concrete and >> not trustable >> - Review suggestions included; >> Added @implSpec for default methods in OIF; >> Added restriction that the filter factory cannot be set after an >> ObjectInputStream has been created and applied the current filter factory >> - Editorial javadoc updated based on review comments. >> Clarified behavior of rejectUndecidedClass method. >> Example test added to check status returned from file. >> - Editorial updates to review comments >> Add filter tracing support >> - ... and 3 more: >> https://git.openjdk.java.net/jdk/compare/62744b1b...0930f0f8 > > src/java.base/share/classes/java/io/ObjectInputFilter.java line 638: > >> 636: if (filterString != null) { >> 637: configLog.log(INFO, >> 638: "Creating deserialization filter from {0}", >> filterString); > > Just double checking that you really want an `INFO` message here. With the > default logging configuration, `INFO` messages will show up on the console. That is unchanged in the PR, though DEBUG might be more appropriate. > src/java.base/share/classes/java/io/ObjectInputFilter.java line 719: > >> 717: * @throws SecurityException if there is security manager and >> the >> 718: * {@code SerializablePermission("serialFilter")} is not >> granted >> 719: * @throws IllegalStateException if the filter has already been >> set {@code non-null} > > `* @throws IllegalStateException if the filter has already been set {@code > non-null}` > > Is there a typo/word missing ? non-null is unnecessary. ------------- PR: https://git.openjdk.java.net/jdk/pull/3996