JDK-8277571

Document that setting an invalid property `jdk.serialFilter` disables deserialization

    • Type: CSR
    • Resolution: Withdrawn
    • Priority: P3
    • Fix Version: tbd
    • Component: core-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The risk is minimal, it is documenting extended error reporting.
    • Interface Kind: Java API, System or security property
    • Scope: SE

      Summary

      Document that an invalid value of system property jdk.serialFilter on the command line prevents use of deserialization until the property is corrected.

      Problem

      The effects of an invalid jdk.serialFilter property are not completely documented. If the value of the system property jdk.serialFilter is invalid, deserialization should not be possible, and the specification should state this clearly.

      A java.lang.ExceptionInInitializerError is thrown when creating the filter from the property value. If that exception is caught and ignored, deserialization should not be possible without a filter. The ExceptionInInitializerError prevents the java.io.ObjectInputFilter.Config class from being fully initialized; subsequent references to ObjectInputFilter.Config, including calling it from ObjectInputStream, result in java.lang.NoClassDefFoundError. To give some flexibility in the implementation, an exception should be documented, but not the specific exception.
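      The failure sequence described above, as an added example that is not part of this CSR or of the JDK sources. It assumes a single-file program started with a deliberately malformed filter, for instance `java -Djdk.serialFilter='maxdepth=notanumber' SerialFilterCheck` (the limit value is not a number, so createFilter rejects it); a second run with a valid value such as `-Djdk.serialFilter='maxdepth=10;java.base/*;!*'` reads the object normally.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class SerialFilterCheck {

    // Startup self-check: returns true only if the process-wide filter
    // configuration initialized cleanly. The first reference to
    // ObjectInputFilter.Config runs its static initializer, which parses
    // jdk.serialFilter as if createFilter were called; a bad pattern
    // surfaces here as ExceptionInInitializerError.
    static boolean filterConfigOk() {
        try {
            ObjectInputFilter f = ObjectInputFilter.Config.getSerialFilter();
            System.out.println("process-wide filter: " + f);
            return true;
        } catch (ExceptionInInitializerError e) {
            System.out.println("invalid jdk.serialFilter: " + e.getCause());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = filterConfigOk();   // a fail-fast deployment would exit here when false

        // Constructed sample stream: one serialized java.lang.Integer.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(Integer.valueOf(42));
        }

        // Even when the error above was caught and ignored, deserialization stays
        // unavailable: the ObjectInputStream constructor references Config again,
        // and a class whose initialization failed yields NoClassDefFoundError.
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("read: " + ois.readObject());
        } catch (NoClassDefFoundError e) {
            System.out.println("deserialization disabled: " + e + " (config ok: " + ok + ")");
        }
    }
}
```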

      Solution

      Specify that an implementation-specific exception is thrown when deserialization is attempted after an invalid jdk.serialFilter system property value has already been reported as an ExceptionInInitializerError.

      Specification

      The class javadoc of java.io.ObjectInputFilter.Config is updated:

      --- a/src/java.base/share/classes/java/io/ObjectInputFilter.java
      +++ b/src/java.base/share/classes/java/io/ObjectInputFilter.java
      @@ -524,9 +524,11 @@ public interface ObjectInputFilter {
            * If the system property is not defined, and the {@link java.security.Security} property
            * {@code jdk.serialFilter} is defined then it is used to configure the filter.
            * The filter is created as if {@link #createFilter(String) createFilter} is called;
      -     * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown.
      -     * Otherwise, the filter is not configured during initialization and
      -     * can be set with {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
      +     * if the filter string is invalid, an {@link ExceptionInInitializerError} is thrown
      +     * and the initialization fails; subsequent attempts to use the configuration or
      +     * serialization will fail with an implementation specific exception.
      +     * If the system property {@code jdk.serialFilter} is not set on the command line
      +     * it can be set with {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
            * Setting the {@code jdk.serialFilter} with {@link System#setProperty(String, String)
            * System.setProperty} <em>does not set the filter</em>.
            * The syntax for the property value is the same as for the
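Review bot: the replacement sentence "If the system property {@code jdk.serialFilter} is not set on the command line it can be set with Config.setSerialFilter" drops the case the removed "Otherwise" covered: when the system property is absent but the {@link java.security.Security} property from the preceding lines is defined and valid, the filter is already configured during initialization, and the text now reads as if setSerialFilter is still available. Suggest "If neither the system property nor the Security property {@code jdk.serialFilter} is set, the filter can be set with ...". Also, "the configuration or serialization will fail" is broader than the Problem section, which describes the failure in ObjectInputStream; "deserialization" would be the precise word, and "implementation specific" should be hyphenated as "implementation-specific".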

            Roger Riggs (rriggs)
            Krushnareddy Ganapureddy (kganapureddy)
            Iris Clark