Bug
Resolution: Fixed
P2
9
b147
Verified
The spec states:
"The filter is configured using the Security property jdk.serialFilter and can be overridden by the System property jdk.serialFilter."
The spec doesn't mention anything regarding the impossibility of overriding after Config::getInputFilter was called.
Thus I can expect that Config::getSerialFilter will return different results after overriding and the following code will print "false", but it prints "true".
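// FILTER1_STR and FILTER2_STR are filter pattern strings (values not shown in the report).
Security.setProperty("jdk.serialFilter", FILTER1_STR);
ObjectInputFilter filter1 = Config.getSerialFilter();
// Override attempt made after the filter has already been obtained once.
System.setProperty("jdk.serialFilter", FILTER2_STR);
ObjectInputFilter filter2 = Config.getSerialFilter();
// Reference comparison: are both calls returning the same filter object?
System.out.println(filter1 == filter2);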
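
The practical consequence for anyone deploying a deserialization filter is that jdk.serialFilter is read once, when ObjectInputFilter.Config is initialized, so the property has to be in place before the first call. The following is an added example, not code from the report or from the JDK; the class name SerialFilterInitOrder and both pattern strings are constructed for illustration, and it assumes nothing in the JVM has touched ObjectInputFilter.Config before main runs. It probes the filter's decisions directly to show which pattern is actually in effect.

```java
import java.io.ObjectInputFilter;
import java.util.ArrayList;

public class SerialFilterInitOrder {
    // Constructed sample patterns (assumptions, not taken from the report).
    static final String EARLY = "java.util.*;!*"; // allow java.util, reject everything else
    static final String LATE  = "java.lang.*;!*"; // allow java.lang, reject everything else

    // Minimal FilterInfo so a filter can be queried without building a stream.
    static ObjectInputFilter.FilterInfo probe(Class<?> c) {
        return new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return c; }
            public long arrayLength()     { return -1; } // not an array
            public long depth()           { return 1; }
            public long references()      { return 1; }
            public long streamBytes()     { return 0; }
        };
    }

    public static void main(String[] args) {
        // Set the property before ObjectInputFilter.Config is first used.
        System.setProperty("jdk.serialFilter", EARLY);
        ObjectInputFilter first = ObjectInputFilter.Config.getSerialFilter();

        // Changing the property afterwards does not rebuild the filter.
        System.setProperty("jdk.serialFilter", LATE);
        ObjectInputFilter second = ObjectInputFilter.Config.getSerialFilter();

        System.out.println("same filter object: " + (first == second));
        System.out.println("effective filter:   " + second);

        // Ask the effective filter about one class from each pattern.
        // If EARLY is in force, the java.util class is allowed and the
        // java.lang class is rejected; LATE would give the opposite.
        System.out.println("java.util.ArrayList -> "
                + second.checkInput(probe(ArrayList.class)));
        System.out.println("java.lang.Integer   -> "
                + second.checkInput(probe(Integer.class)));
    }
}
```

Passing the pattern on the command line with -Djdk.serialFilter=... avoids the ordering question entirely, since the property is then set before any application code runs.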