- CSR
- Resolution: Approved
- P3
- None
- behavioral
- low
- The risk is low since in the usual case, errors in the filter configuration are caught in development and not tolerated in production.
- System or security property
- SE
Summary
Invalid system property jdk.serialFilter set on the command line should cause ExceptionInInitializerError.
Problem
The original behavior when an invalid value for the system property jdk.serialFilter was set on the command line was to log the invalid filter string and continue. This allows the application to start without the protection of the serial filter, and the logged message may be missed or ignored.
Solution
Specify that if the jdk.serialFilter value is invalid, an ExceptionInInitializerError is thrown.
This behavior is similar to the specified behavior if the jdk.serialFilterFactory value is invalid and cannot be initialized.
Specification
Two lines are added to the java.lang.ObjectInputFilter.Config class javadoc that specify the initialization of the filter from the command line property jdk.serialFilter.
* <p>If the Java virtual machine is started with the system property
* {@systemProperty jdk.serialFilter}, its value is used to configure the filter.
* If the system property is not defined, and the {@link java.security.Security} property
* {@code jdk.serialFilter} is defined then it is used to configure the filter.
+ * The filter is created as if {@link #createFilter(String) createFilter} is called;
+ * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown.
* Otherwise, the filter is not configured during initialization and
* can be set with {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
* Setting the {@code jdk.serialFilter} with {@link System#setProperty(String, String)
* System.setProperty} <em>does not set the filter</em>.
* The syntax for the property value is the same as for the
* {@link #createFilter(String) createFilter} method.
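Review bot: The context sentence right after the two added lines, "Otherwise, the filter is not configured during initialization", now reads as the alternative to "if the filter string is invalid" instead of the alternative to "neither property is defined". Consider opening that sentence with "If neither property is defined, the filter is not configured ..." so the three cases stay distinct. The added sentence also follows both the system property case and the Security property case without saying which source it covers, while the Summary only mentions the command line; naming the source or sources explicitly would remove the guess. With "created as if createFilter is called" in place, the closing sentence about the property syntax being the same as for createFilter becomes partly redundant and could be merged into the new text.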
This CSR is necessary to cover the implementation change made in JDK-8269336: Malformed jdk.serialFilter incorrectly handled
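Because the filter is specified to be created as if createFilter is called, candidate jdk.serialFilter strings can be checked with that same method before they reach a launch script. The following is an added example, not code from the CSR or the JDK; the class name `SerialFilterPreflight` and the sample patterns and objects are constructed for illustration.

```java
import java.io.*;
import java.math.BigInteger;
import java.util.*;

// Added example: pre-flight check for jdk.serialFilter candidates (class name is hypothetical).
public class SerialFilterPreflight {
    /** Parses a pattern with createFilter; returns null when the string holds no patterns. */
    static ObjectInputFilter parse(String pattern) {
        return ObjectInputFilter.Config.createFilter(pattern); // IllegalArgumentException if malformed
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    /** Reads one object under a stream-specific filter and reports the outcome. */
    static String tryRead(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; pass the strings from your launch scripts as arguments.
        List<String> candidates = args.length > 0 ? List.of(args)
                : List.of("java.util.*;java.lang.*;!*", "maxdepth=abc", "maxfoo=10;!*", ".*", "");
        int invalid = 0;
        for (String c : candidates) {
            try {
                String verdict = parse(c) == null ? "EMPTY (no filter would be set)" : "OK";
                System.out.printf("%-8s \"%s\"%n", verdict, c);
            } catch (IllegalArgumentException e) {
                invalid++;
                System.out.printf("INVALID  \"%s\": %s%n", c, e.getMessage());
            }
        }
        // Show what a well-formed allow-list does to two constructed sample objects.
        ObjectInputFilter f = parse("java.util.*;java.lang.*;!*");
        System.out.println(tryRead(serialize(new ArrayList<>(List.of("a"))), f));
        System.out.println(tryRead(serialize(BigInteger.TEN), f));
        System.exit(invalid == 0 ? 0 : 1);
    }
}
```

The process exits non-zero when any candidate fails to parse, so it can gate a build. An empty string parses but yields no filter, which is reported separately because it leaves deserialization unfiltered without raising any error.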
- csr of: JDK-8276609 Release Note: Document setting property `jdk.serialFilter` to an invalid value throws `ExceptionInInitializerError` (Closed)
- relates to: JDK-8269336 Malformed jdk.serialFilter incorrectly handled (Resolved)
- relates to: JDK-8277322 Document that setting an invalid property jdk.serialFilter disables deserialization (Closed)