Regarding AdbaType.JAVA_OBJECT

Douglas Surber douglas.surber at
Mon Sep 17 19:36:49 UTC 2018

JAVA_OBJECT is included in AdbaType solely because it is in JDBCTypes and JDBCType. How and if it is implemented is entirely up to the database vendor and/or driver implementer. Or we can remove it.


> On Sep 17, 2018, at 12:08 PM, Alexander Kjäll <alexander.kjall at> wrote:
> Hi
> I would like to ask about how the JAVA_OBJECT type is supposed to be
> implemented.
> One way to do it would be to use Java's built-in serialization, but
> that's impossible without creating a serialization security hole in
> the driver, same if I serialize it to XML/JSON and let arbitrary types
> be deserialized.
> One way to maybe implement it without security holes is to let the end
> user register classes that are allowed, but that feels very clunky.
> I'm also questioning the usefulness of this feature in regard to all
> the serialization security holes Java is suffering from, is it really
> needed or can it be dropped?
> best regards
> Alexander Kjäll
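
The allow-list approach raised in the quoted message, sketched with the JDK's `ObjectInputFilter` (Java 9 or later). This is an added example, not part of the original thread and not code from ADBA or any driver; the class `AllowListedJavaObject`, its methods and the `Point` sample type are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class AllowListedJavaObject {
    // Constructed sample type standing in for an application class stored as JAVA_OBJECT.
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }

    private final Set<Class<?>> allowed; // classes registered by the end user

    AllowListedJavaObject(Set<Class<?>> allowed) { this.allowed = allowed; }

    // Filter callback: runs for each class descriptor before the class is instantiated.
    private ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > 16 || info.arrayLength() > 10_000) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback
        while (c.isArray()) c = c.getComponentType();
        // Serializable superclasses are checked too, so they must be registered as well.
        return (c.isPrimitive() || allowed.contains(c))
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    }

    Object decode(byte[] column) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(column))) {
            in.setObjectInputFilter(this::check); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] encode(Serializable value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(value); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        AllowListedJavaObject codec = new AllowListedJavaObject(Set.of(Point.class));
        Point p = (Point) codec.decode(encode(new Point(3, 4)));
        System.out.println("registered class decoded: " + p.x + "," + p.y);
        try {
            codec.decode(encode(new ArrayList<>(List.of("a")))); // ArrayList is not registered
        } catch (InvalidClassException e) {
            System.out.println("unregistered class rejected: " + e.getMessage());
        }
    }
}
```

The filter rejects by default: anything the user did not register fails with `InvalidClassException` before any of its deserialization code runs.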

More information about the jdbc-spec-discuss mailing list