On 09/07/2016 08:46, Simon Nash wrote:
I think this a very important point. If someone wanted to reimplement
Java serialization (java.io.ObjectOutputStream, etc.) as an external
library
(com.foo.ObjectOutputStream, etc.), the new restrictions on reflective
access in JDK 9 would prevent this.
If there are types in non-exported packages in the serial form then it
could be an issue. Some serialization libraries are based on Unsafe and
sun.reflect.ReflectionFactory, both "critical internal APIs" that
continue to be available via the jdk.unsupported module. More on this in
JEP 260 [1].
-Alan
[1] http://openjdk.java.net/jeps/260