On Mon, 30 Jan 2023 21:20:55 GMT, Chris Plummer <cjplum...@openjdk.org> wrote:
>> It's "not everything else".
>>
>> https://docs.oracle.com/en/java/javase/19/core/serialization-filtering1.html
>>
>> "If a class name doesn’t match any filter, then it is allowed. If you want
>> to allow only certain class names, then your filter must reject everything
>> that doesn’t match. To reject all class names other than those specified,
>> include !* as the last pattern in a class filter."
>
> Ok. It would be good to clarify that in the comment above this filter. Also,
> maybe put it on a new line. Otherwise at first glance it appears to have a
> relationship to the class immediately before it.
>
> Does this mean that this filter list would serve no purpose if the !* was
> omitted? I'm just curious as to why the !* is needed rather than it just
> being default behavior that a class has to match a filter in the list.

If a class is not matched, it is "undecided", mentioned at the end of the long comment. That is not a rejection, which that existing long comment does not state.

For an actual rejection, we need the ! to match, so patterns generally end in !*

It's the same or very similar comment as in conf/security/java.security

I added a note about the !* at the end to clarify, as it is new to use the filter in this area, and yes put it on a new line.

-------------

PR: https://git.openjdk.org/jdk20/pull/97
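
The "undecided" versus rejected distinction discussed in this message, shown as an added example that is not part of the original message or the PR's code: the same allow-list is applied with and without a trailing `!*`, and the per-class filter status is printed during a real deserialization. The two patterns and the test objects (`java.util.Date`, `java.io.File`) are constructed for illustration and are not the filter from the PR.

```java
import java.io.*;

public class FilterUndecidedDemo {
    // Constructed allow-lists for illustration; not the filter from the PR.
    static final String OPEN_ENDED = "java.lang.String;java.util.*";
    static final String CLOSED = OPEN_ENDED + ";!*";

    // Serialize one object to a byte array.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under the given pattern and report the outcome.
    static String tryRead(byte[] data, String pattern) throws Exception {
        ObjectInputFilter patternFilter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Wrap the pattern filter so each per-class decision is visible.
            ois.setObjectInputFilter(info -> {
                ObjectInputFilter.Status s = patternFilter.checkInput(info);
                if (info.serialClass() != null) {
                    System.out.printf("    %-16s -> %s%n", info.serialClass().getName(), s);
                }
                return s;
            });
            return "read " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // ObjectInputStream throws only when the status is REJECTED (or null).
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] listed = serialize(new java.util.Date(0L));            // matches java.util.*
        byte[] unlisted = serialize(new java.io.File("example.txt")); // matches no pattern
        for (String p : new String[] {OPEN_ENDED, CLOSED}) {
            System.out.println("pattern: " + p);
            System.out.println("  Date: " + tryRead(listed, p));
            System.out.println("  File: " + tryRead(unlisted, p));
        }
    }
}
```

Without `!*`, `java.io.File` comes back as `UNDECIDED` and the stream still reads it; with `!*` as the last pattern the same class is `REJECTED` and `readObject` throws `InvalidClassException`.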