Hi Max,
On 8/14/2018 12:29 AM, Weijun Wang wrote:
On Aug 7, 2018, at 10:57 PM, Roger Riggs <roger.ri...@oracle.com> wrote:
Hi Max,
It may be useful to include in the descriptions a reminder that if no
ObjectInputFilter
is supplied the global filter is used. Details in ObjectInputStream.
The new getObject() methods with an ObjectInputFilter does not allow it to be
null, so it looks strange to mention this in the method spec.
True, the system filter would only apply to the original getObject()
method in which a serial filter is not supplied.
I'm thinking about these changes in the example part of the class spec:
* Signature.getInstance(algorithm, provider);
* if (so.verify(publickey, verificationEngine))
* try {
- * Object myobj = so.getObject();
+ * ObjectInputFilter myfilter = ...;
+ * Object myobj = so.getObject(myfilter);
* } catch (java.lang.ClassNotFoundException e) {};
* }</pre>
*
+ * In this example, the {@link ObjectInputFilter} object is used during
+ * deserialization to check the contents of the stream. If {@link #getObject()}
+ * is called, the {@link ObjectInputFilter.Config#getSerialFilter()
+ * initial process-wide filter} is used.
I copied the words from ObjectInputStream::getObjectInputFilter. Is this a formal name of
the "global filter"?
I've had a request to update the terminology, so 'system filter' will be
more appropriate.
[1] 8202675 <https://bugs.openjdk.java.net/browse/JDK-8202675> Replace
process-wide terminology in serial filtering to be consistent
Regards, Roger
Thanks, Roger
On 8/7/18 2:31 AM, Weijun Wang wrote:
Please review the code change at
webrev: http://cr.openjdk.java.net/~weijun/8193859/webrev.00/
where
JBS: https://bugs.openjdk.java.net/browse/JDK-8193859
CSR: https://bugs.openjdk.java.net/browse/JDK-8193887
Thanks
Max
