On Wed, 19 Oct 2022 17:54:02 GMT, Kevin Walls <kev...@openjdk.org> wrote:

>> Set the management.properties  
>> "com.sun.management.jmxremote.serial.filter.pattern" value by default, to 
>> restrict types that can be deserialized.
>> 
>> Use the example value from the Core Libraries guide (see section 2. 
>> Serialization Filtering / Built-in Filters / Filters for JMX), plus Subject 
>> which is needed when using authentication.
>> 
>> The sun/management tests run OK with this change.  The existing test 
>> sun/management/jmxremote/startstop/JMXStartStopTest.java will fail if the 
>> filter specified is made too restrictive.
>
> Kevin Walls has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Additional test with command-line filter setting.

Thank you for the reply, Kevin.
Then it is better to create an RN and review it before integration.
Also, I do not have the expertise to assess the default `ObjectInputFilter` 
completeness and security implications.
How was this set of segments to be filtered by default identified?

-------------

PR: https://git.openjdk.org/jdk/pull/10507
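
An added example, not part of the thread or of the JDK change: a small probe that shows which classes a candidate `com.sun.management.jmxremote.serial.filter.pattern` value admits or rejects, including the `Subject` case mentioned in the quoted description. The two patterns and the probed classes are constructed samples, not the value proposed in the pull request.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.util.List;

public class JmxFilterProbe {
    // Constructed sample patterns, NOT the value proposed in the pull request.
    // The trailing "!*" rejects every class not matched by an earlier segment.
    static final String WITHOUT_SUBJECT =
        "java.lang.*;javax.management.ObjectName;!*";
    static final String WITH_SUBJECT =
        "java.lang.*;javax.management.ObjectName;javax.security.auth.Subject;!*";

    // Minimal FilterInfo describing a single non-array class, so that only
    // the class-name segments of the pattern decide the outcome.
    static ObjectInputFilter.FilterInfo infoFor(Class<?> c) {
        return new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return c; }
            public long arrayLength() { return -1; } // -1: not an array
            public long depth() { return 1; }
            public long references() { return 1; }
            public long streamBytes() { return 0; }
        };
    }

    // Build a filter from the pattern and ask it about one class.
    static Status check(String pattern, Class<?> c) {
        return ObjectInputFilter.Config.createFilter(pattern).checkInput(infoFor(c));
    }

    public static void main(String[] args) {
        // Constructed probe set: two types a JMX client needs, Subject, and
        // one unrelated serializable class that the filter should turn away.
        List<Class<?>> probes = List.of(
            String.class,
            javax.management.ObjectName.class,
            javax.security.auth.Subject.class,
            java.util.PriorityQueue.class);

        for (String pattern : List.of(WITHOUT_SUBJECT, WITH_SUBJECT)) {
            System.out.println("pattern: " + pattern);
            for (Class<?> c : probes) {
                System.out.printf("  %-35s %s%n", c.getName(), check(pattern, c));
            }
        }
    }
}
```

With the first pattern `javax.security.auth.Subject` comes back `REJECTED`; with the second it is `ALLOWED`, while `java.util.PriorityQueue` is `REJECTED` under both.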
