chaokunyang commented on code in PR #2485:
URL: https://github.com/apache/fory/pull/2485#discussion_r2324281703
##########
java/fory-core/src/main/java/org/apache/fory/resolver/ClassResolver.java:
##########
@@ -2311,4 +2313,24 @@ private Class<? extends Serializer>
getMetaSharedDeserializerClassFromGraalvmReg
}
return null;
}
+
+ private void registerModuleSerializers() {
+ try {
+ ServiceLoader<SerializerRegistration> loader =
Review Comment:
If someone provide a malicious jar, he can register maliciousr serializer
into Fory. How about using Class.forName to load `SerializerRegistration`. Or
just let users invoke registration by themselfs, like what we provided for
scala and kotlin:
```scala
import org.apache.fory.Fory
import org.apache.fory.serializer.scala.ScalaSerializers
val fory = Fory.builder().withScalaOptimizationEnabled(true).build()
// Register optimized fory serializers for scala
ScalaSerializers.registerSerializers(fory)
```
it's a design choice, SPI is much more elegant. But I'm worried this API may
be abused by some users
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
