- Type: Bug
- Resolution: Fixed
- Priority: P2
- Affects Version/s: 9
- Component/s: core-libs
- b147
- Verified
The spec states:
"The filter is configured using the Security property jdk.serialFilter and can be overridden by the System property jdk.serialFilter."
The spec doesn't mention anything regarding the impossibility of overriding after Config::getInputFilter was called.
Thus I can expect that Config::getSerialFilter will return different results after overriding and the following code will print "false", but it prints "true".
Security.setProperty("jdk.serialFilter", FILTER1_STR);
ObjectInputFilter filter1 = Config.getSerialFilter();
System.setProperty("jdk.serialFilter", FILTER2_STR);
ObjectInputFilter filter2 = Config.getSerialFilter();
System.out.println(filter1 == filter2);
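An added example, not part of the original report and not JDK source: it shows the behaviour reported above (ObjectInputFilter.Config reads jdk.serialFilter when the class is initialized, so a later property change does not alter the process-wide filter) next to the per-stream API that applies a different policy at run time. It assumes JDK 9 or later; the class name and both pattern strings are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;

public class SerialFilterTiming {
    // Constructed patterns (assumptions); not the report's FILTER1_STR / FILTER2_STR.
    static final String EARLY = "java.util.*;java.lang.*;!*"; // allow two packages, reject the rest
    static final String LATE = "!*";                          // reject every class

    public static void main(String[] args) throws Exception {
        // Set before Config is first used: this value becomes the process-wide filter.
        System.setProperty("jdk.serialFilter", EARLY);
        ObjectInputFilter first = ObjectInputFilter.Config.getSerialFilter();

        // Set after Config has initialized: the process-wide filter is unchanged.
        System.setProperty("jdk.serialFilter", LATE);
        ObjectInputFilter second = ObjectInputFilter.Config.getSerialFilter();
        System.out.println("same process-wide filter: " + (first == second));

        // Serialize a constructed sample object to have something to read back.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<String>());
        }

        // A stricter policy for one stream is set on that stream, before the first read.
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(LATE));
            in.readObject();
            System.out.println("unexpected: object accepted");
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a filter rejection as InvalidClassException.
            System.out.println("rejected by stream filter: " + e.getMessage());
        }
    }
}
```

Code that needs a deserialization policy to change at run time should not rely on rewriting jdk.serialFilter; it should set the filter on each ObjectInputStream as shown.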