> On Aug 21, 2018, at 8:57 PM, Sean Mullan <sean.mul...@oracle.com> wrote:
>
> On 8/20/18 11:06 PM, Weijun Wang wrote:
>
>
>> That said, I think "before it is returned" is useful. How about this?
>> * In this example, an {@link ObjectInputFilter} is used during
>> * deserialization of the original object before it is returned. If {@link
>> #getObject()} is
>> * called, the {@link ObjectInputFilter.Config#getSerialFilter()
>> * system filter} is used instead.
>
> Better, but I might be a bit more specific about the purpose of the filter.
> How about:
>
> "In this example, an {@link ObjectInputFilter} is passed in to {@link
> #getObject(ObjectInputFilter)} and used during deserialization to validate
> the contents of the object before it is returned. If {@link #getObject()} is
> called, the {@link ObjectInputFilter.Config#getSerialFilter()
> system filter} is used instead.
OK. I would like to emphasis "the original object". This word is used in the
class spec to differentiate with the "signed object".
>
> Also, I think the specification of the getObject() method should be updated
> to say that the system filter is used to validate the deserialized object. I
> realize that this was a previous side-effect of adding the system filter and
> not part of this change, but this did change the behavior of this method, so
> I think it should be added to the specification while you are making changes.
> The CSR will also need to be updated with this change.
I can.
In fact, I have always wanted to add a new @throws if the filter rejects the
stream. The problem is that even ObjectInputStream::readObject does not clearly
list one.
*Roger*: According to ObjectInputStream::setObjectInputFilter it's
InvalidClassException. Can I say "@throws InvalidClassException if the (system)
filter returns REJECTED while deserializing the original object"?
Thanks
Max
>
> --Sean
