From 62c773700ea1a43079e27e4e6563a9250afab07e Mon Sep 17 00:00:00 2001
From: Stuart Marks
Date: Wed, 15 Mar 2017 17:17:16 -0700
Subject: [PATCH] 8066640: clarify security checks in ObjectInputStream.enableResolveObject and ObjectOutputStream.enableReplaceObject
Reviewed-by: chegar, darcy
---
 .../classes/java/io/ObjectInputStream.java | 21 ++++++++--------
 .../classes/java/io/ObjectOutputStream.java | 24 ++++++++++---------
 2 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
index ed033d685e9..5c36b7fec01 100644
--- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
+++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
@@ -812,23 +812,24 @@ public class ObjectInputStream
 }
 /**
- * Enable the stream to allow objects read from the stream to be replaced.
- * When enabled, the resolveObject method is called for every object being
+ * Enables the stream to do replacement of objects read from the stream. When
+ * enabled, the {@link #resolveObject} method is called for every object being
 * deserialized.
 *
- *

If enable is true, and there is a security manager installed,
+ *

If object replacement is currently not enabled, and
+ * {@code enable} is true, and there is a security manager installed,
 * this method first calls the security manager's
- * checkPermission method with the
- * SerializablePermission("enableSubstitution") permission to
- * ensure it's ok to enable the stream to allow objects read from the
- * stream to be replaced.
+ * {@code checkPermission} method with the
+ * {@code SerializablePermission("enableSubstitution")} permission to
+ * ensure that the caller is permitted to enable the stream to do replacement
+ * of objects read from the stream.
 *
- * @param enable true for enabling use of resolveObject for
+ * @param enable true for enabling use of {@code resolveObject} for
 * every object being deserialized
 * @return the previous setting before this method was invoked
 * @throws SecurityException if a security manager exists and its
- * checkPermission method denies enabling the stream
- * to allow objects read from the stream to be replaced.
+ * {@code checkPermission} method denies enabling the stream
+ * to do replacement of objects read from the stream.
 * @see SecurityManager#checkPermission
 * @see java.io.SerializablePermission
 */
diff --git a/jdk/src/java.base/share/classes/java/io/ObjectOutputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectOutputStream.java
index bff6f8311ee..06845442958 100644
--- a/jdk/src/java.base/share/classes/java/io/ObjectOutputStream.java
+++ b/jdk/src/java.base/share/classes/java/io/ObjectOutputStream.java
@@ -589,22 +589,24 @@ public class ObjectOutputStream
 }
 /**
- * Enable the stream to do replacement of objects in the stream. When
- * enabled, the replaceObject method is called for every object being
+ * Enables the stream to do replacement of objects written to the stream. When
+ * enabled, the {@link #replaceObject} method is called for every object being
 * serialized.
 *
- *
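Review bot: The new wording in the ObjectInputStream Javadoc ties the permission check to the stream not already being enabled, but it leaves the two no-check cases implicit, which is exactly what a reader auditing the security boundary wants stated outright; the same applies to the ObjectOutputStream hunk below. As described, a later call with `enable` true on an already-enabled stream, and any call with `enable` false, never consults the security manager, so a caller without `SerializablePermission("enableSubstitution")` can still observe or switch off a substitution that a privileged caller turned on. I would add one sentence after the permission paragraph, e.g. `* <p>If object replacement is already enabled, or {@code enable} is false, no permission check is performed.` The method body that implements this is outside the hunk, so this reads the behaviour from the description only and should be confirmed against the code.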

If enable is true, and there is a security manager
- * installed, this method first calls the security manager's
- * checkPermission method with a
- * SerializablePermission("enableSubstitution") permission to
- * ensure it's ok to enable the stream to do replacement of objects in the
- * stream.
+ *

If object replacement is currently not enabled, and
+ * {@code enable} is true, and there is a security manager installed,
+ * this method first calls the security manager's
+ * {@code checkPermission} method with the
+ * {@code SerializablePermission("enableSubstitution")} permission to
+ * ensure that the caller is permitted to enable the stream to do replacement
+ * of objects written to the stream.
 *
- * @param enable boolean parameter to enable replacement of objects
+ * @param enable true for enabling use of {@code replaceObject} for
+ * every object being serialized
 * @return the previous setting before this method was invoked
 * @throws SecurityException if a security manager exists and its
- * checkPermission method denies enabling the stream
- * to do replacement of objects in the stream.
+ * {@code checkPermission} method denies enabling the stream
+ * to do replacement of objects written to the stream.
 * @see SecurityManager#checkPermission
 * @see java.io.SerializablePermission
 */