I was trying to get my head around the FilterInThread example in JEP 415 (https://openjdk.org/jeps/415) and the JavaDoc for the ObjectInputFilter (https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/io/ObjectInputFilter.html).

For example, let's assume we have three filters. The first allows ArrayList, the second allows Integer, the third restricts arrays to not be larger than 1000.

    import java.io.ObjectInputFilter;
    import java.util.ArrayList;
    import java.util.Set;
    import static java.io.ObjectInputFilter.Status.UNDECIDED;

    ObjectInputFilter allowArrayList = ObjectInputFilter.allowFilter(
            Set.of(ArrayList.class, Object.class)::contains, UNDECIDED
    );
    ObjectInputFilter allowInteger = ObjectInputFilter.allowFilter(
            Set.of(Number.class, Integer.class)::contains, UNDECIDED
    );
    ObjectInputFilter restrictLargeArrays =
            ObjectInputFilter.Config.createFilter("maxarray=1000");

Let's say that we create a FilterInThread instance and install that as our factory. Furthermore, we set the allowArrayList as the global serial filter. When we call filterInThread.doWithSerialFilter(), we pass in the allowInteger filter. Lastly, during the actual deserialization, we call setObjectInputFilter() on the ObjectInputStream with the restrictLargeArrays filter. Ideally, I would want the final filter to look like this:

    rejectUndecidedClass(merge(restrictLargeArrays, merge(allowInteger, allowArrayList)))

However, in the FilterInThread example, we add the rejectUndecidedClass() wrapper around each of the steps. Thus we would get something like:

    rejectUndecidedClass(merge(restrictLargeArrays,
            rejectUndecidedClass(merge(allowInteger,
                    rejectUndecidedClass(allowArrayList)))))

Thus we could never allow any classes except for ArrayList.


Regards

Heinz
--
Dr Heinz M. Kabutz (PhD CompSci)
Author of "The Java™ Specialists' Newsletter" - www.javaspecialists.eu
Java Champion - www.javachampions.org
JavaOne Rock Star Speaker
Tel: +30 69 75 595 262
Skype: kabutz

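Added example, not from the mail above or from JEP 415: it evaluates the two compositions against a hand-built FilterInfo stand-in (the hypothetical ClassInfo record, constructed here so no stream is needed) and shows that Integer comes back ALLOWED from the flat form but REJECTED from the nested one.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;
import java.util.ArrayList;
import java.util.Set;

import static java.io.ObjectInputFilter.merge;
import static java.io.ObjectInputFilter.rejectUndecidedClass;
import static java.io.ObjectInputFilter.Status.UNDECIDED;

public class FilterComposition {
    // Hypothetical stand-in for the FilterInfo an ObjectInputStream would pass:
    // one plain (non-array) class at depth 1, nothing else consumed yet.
    record ClassInfo(Class<?> serialClass) implements FilterInfo {
        public long arrayLength() { return -1; }  // -1 means "not an array"
        public long depth()       { return 1; }
        public long references()  { return 0; }
        public long streamBytes() { return 0; }
    }

    static Status check(ObjectInputFilter filter, Class<?> cls) {
        return filter.checkInput(new ClassInfo(cls));
    }

    public static void main(String[] args) {
        // The three filters from the mail above.
        ObjectInputFilter allowArrayList = ObjectInputFilter.allowFilter(
                Set.of(ArrayList.class, Object.class)::contains, UNDECIDED);
        ObjectInputFilter allowInteger = ObjectInputFilter.allowFilter(
                Set.of(Number.class, Integer.class)::contains, UNDECIDED);
        ObjectInputFilter restrictLargeArrays =
                ObjectInputFilter.Config.createFilter("maxarray=1000");

        // Desired: merge everything first, reject UNDECIDED once at the end.
        ObjectInputFilter flat = rejectUndecidedClass(
                merge(restrictLargeArrays, merge(allowInteger, allowArrayList)));

        // What FilterInThread builds: every step wrapped in rejectUndecidedClass,
        // so the innermost wrapper already turns Integer's UNDECIDED into REJECTED,
        // and merge() lets that REJECTED win over allowInteger's ALLOWED.
        ObjectInputFilter nested = rejectUndecidedClass(merge(restrictLargeArrays,
                rejectUndecidedClass(merge(allowInteger,
                        rejectUndecidedClass(allowArrayList)))));

        for (Class<?> cls : new Class<?>[] {ArrayList.class, Integer.class, String.class}) {
            System.out.printf("%-10s flat=%-9s nested=%s%n",
                    cls.getSimpleName(), check(flat, cls), check(nested, cls));
        }
    }
}
```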