On 22/01/14 13:57, Florian Weimer wrote:
> On 01/14/2014 01:26 AM, mark.reinh...@oracle.com wrote:
>> Posted: http://openjdk.java.net/jeps/187
> There's another aspect of the current approach to serialization that is
> not mentioned: the type information does not come from the calling
> context, but exclusively from the input stream.
Have you overlooked resolveClass [1], or are you looking for additional
context?
-Chris.
[1] http://download.java.net/jdk8/docs/api/java/io/ObjectInputStream.html#resolveClass-java.io.ObjectStreamClass-
> This means that all
> serializable classes can be instantiated, and not just those the context
> is prepared to deal with. I don't know if this is worth changing, but I
> do think it's something to consider.