infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-03-22 21:59:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

8066640: clarify security checks in ObjectInputStream.enableResolveObject and ObjectOutputStream.enableReplaceObject

Browse Source 
Reviewed-by: chegar, darcy
This commit is contained in:
Stuart Marks 2017-03-15 17:17:16 -07:00
parent a4e17d73f1
commit 62c773700e
2 changed files with 24 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
View File

@ -812,23 +812,24 @@ public class ObjectInputStream
}
/**
* Enable the stream to allow objects read from the stream to be replaced.
* When enabled, the resolveObject method is called for every object being
* Enables the stream to do replacement of objects read from the stream. When
* enabled, the {@link #resolveObject} method is called for every object being
* deserialized.
*
* <p>If <i>enable</i> is true, and there is a security manager installed,
* <p>If object replacement is currently not enabled, and
* {@code enable} is true, and there is a security manager installed,
* this method first calls the security manager's
* <code>checkPermission</code> method with the
* <code>SerializablePermission("enableSubstitution")</code> permission to
* ensure it's ok to enable the stream to allow objects read from the
* stream to be replaced.
* {@code checkPermission} method with the
* {@code SerializablePermission("enableSubstitution")} permission to
* ensure that the caller is permitted to enable the stream to do replacement
* of objects read from the stream.
*
* @param enable true for enabling use of <code>resolveObject</code> for
* @param enable true for enabling use of {@code resolveObject} for
* every object being deserialized
* @return the previous setting before this method was invoked
* @throws SecurityException if a security manager exists and its
* <code>checkPermission</code> method denies enabling the stream
* to allow objects read from the stream to be replaced.
* {@code checkPermission} method denies enabling the stream
* to do replacement of objects read from the stream.
* @see SecurityManager#checkPermission
* @see java.io.SerializablePermission
*/

24
jdk/src/java.base/share/classes/java/io/ObjectOutputStream.java
View File

@ -589,22 +589,24 @@ public class ObjectOutputStream
}
/**
* Enable the stream to do replacement of objects in the stream. When
* enabled, the replaceObject method is called for every object being
* Enables the stream to do replacement of objects written to the stream. When
* enabled, the {@link #replaceObject} method is called for every object being
* serialized.
*
* <p>If <code>enable</code> is true, and there is a security manager
* installed, this method first calls the security manager's
* <code>checkPermission</code> method with a
* <code>SerializablePermission("enableSubstitution")</code> permission to
* ensure it's ok to enable the stream to do replacement of objects in the
* stream.
* <p>If object replacement is currently not enabled, and
* {@code enable} is true, and there is a security manager installed,
* this method first calls the security manager's
* {@code checkPermission} method with the
* {@code SerializablePermission("enableSubstitution")} permission to
* ensure that the caller is permitted to enable the stream to do replacement
* of objects written to the stream.
*
* @param enable boolean parameter to enable replacement of objects
* @param enable true for enabling use of {@code replaceObject} for
* every object being serialized
* @return the previous setting before this method was invoked
* @throws SecurityException if a security manager exists and its
* <code>checkPermission</code> method denies enabling the stream
* to do replacement of objects in the stream.
* {@code checkPermission} method denies enabling the stream
* to do replacement of objects written to the stream.
* @see SecurityManager#checkPermission
* @see java.io.SerializablePermission
*/