On Mon, 22 Nov 2021 19:57:25 GMT, Roger Riggs <rri...@openjdk.org> wrote:

> The effects of an invalid `jdk.serialFilter` property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible and it should be clear in the specification.
>
> Specify an implementation specific exception is thrown in the case where deserialization is invoked after reporting the invalid jdk.serialFilter.

src/java.base/share/classes/java/io/ObjectInputFilter.java line 530:

> 528:      * and the initialization fails; subsequent attempts to use the configuration or
> 529:      * serialization will fail with an implementation specific exception.
> 530:      * If the system property {@code jdk.serialFilter} is not set on the command line

Hello Roger,

Thank you for rearranging these lines. It reads much more clearly.

One tiny final question - this new line now states `If the system property {@code jdk.serialFilter} is not set on the command line it can be set with ....`. However, this property, if not set on the command line, could instead have been set as a `java.security.Security` property (in a file). The javadoc does mention this a few lines back. So do you think this new line should be reworded to something like `If the filter is neither set as a system property on the command line nor as a security property then it can be set with...`?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6508
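As an added illustration of the configuration paths discussed in this thread (example code, not from the PR or the JDK sources): the JVM-wide filter comes from the `jdk.serialFilter` system property or security property, can be set programmatically only when neither supplied one, and rejects classes outside the allowlist with an `InvalidClassException`. The class name `SerialFilterDemo`, the filter pattern and the sample objects are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

// Added example (not part of the PR): the three ways the JVM-wide
// deserialization filter is configured, and what a rejection looks like.
public class SerialFilterDemo {
    // Constructed input: serialize an object so there are bytes to read back.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // True if the stream deserializes, false if the JVM-wide filter rejected it.
    static boolean deserializes(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();                 // the JVM-wide filter is applied here
            return true;
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status REJECTED
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Paths 1 and 2: -Djdk.serialFilter=... on the command line, or the
        // jdk.serialFilter entry in conf/security/java.security. As the PR text says,
        // an invalid value makes this first use of Config fail with an
        // implementation-specific exception rather than silently allowing input.
        ObjectInputFilter fromProperties = ObjectInputFilter.Config.getSerialFilter();
        System.out.println("filter from properties: " + fromProperties);
        // Path 3: programmatic, only possible when no property supplied a filter
        // (setSerialFilter throws IllegalStateException if one is already set).
        if (fromProperties == null) {
            ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter("java.base/*;maxdepth=5;!*"));
        }
        // ArrayList is in java.base (allowed); java.sql.Timestamp is not (rejected).
        System.out.println(deserializes(serialize(new ArrayList<>(List.of("a", "b")))));
        System.out.println(deserializes(serialize(new java.sql.Timestamp(0L))));
    }
}
```

Run it once plainly and once with `-Djdk.serialFilter=java.base/*;!*` to see the property take precedence over the programmatic path.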
> The effects of an invalid `jdk.serialFilter` property are not completely > documented. If the value of the system property jdk.serialFilter is invalid, > deserialization should not be possible and it should be clear in the > specification. > > Specify an implementation specific exception is thrown in the case where > deserialization is invoked after reporting the invalid jdk.serialFilter. src/java.base/share/classes/java/io/ObjectInputFilter.java line 530: > 528: * and the initialization fails; subsequent attempts to use the > configuration or > 529: * serialization will fail with an implementation specific exception. > 530: * If the system property {@code jdk.serialFilter} is not set on the > command line Hello Roger, Thank you for rearranging these lines. It reads much more clearly. One tiny final question - this new line now states `If the system property {@code jdk.serialFilter} is not set on the command line it can be set with ....`. However, this property if not set on the command line could have instead been set as a `java.security.Security` property (in a file). The javadoc does mention this a few lines back. So do you think this new line should be reworded to something like `If the filter is neither set as a system property on the command line nor as a security property then it can be set with...` ------------- PR: https://git.openjdk.java.net/jdk/pull/6508