Caching lambda proxy classes

Brian Goetz brian.goetz at
Tue Mar 12 10:40:27 PDT 2013

Correct.  You can consider any serializable lambda to be an implicitly 
public named method, whose name is only available to hackers :(

(This is true for any serializable class too -- it has an implicit 
public constructor that can set the fields directly, also only available 
to hackers.)

On 3/12/2013 1:32 PM, Peter Levart wrote:
> On 03/12/2013 06:14 PM, Brian Goetz wrote:
>>> A question: What's so special in the $deserializeLambda$ method that it
>>> has to be generated in each capturing class? The MethodHandles.Lookup?
>> Security.  Anyone can create a serialized bytestream that effectively
>> says "take this private method of a random class, and turn it into a
>> lambda."  We wish to only proceed with lambda conversion for
>> combinations of (SAM, method) that *actually* were intended to be
>> lambdas.
> Ah, yes. So one has to be very careful what serializable lambdas he
> creates in server code, for example, since that gives a potential hacker
> an opportunity to forge a stream to create instances of SAM types that
> he would not be able to create otherwise (for example, passing forged
> stream to RMI server methods accepting SAM types)...
> Regards, Peter
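As an added illustration (not code from the thread or the JDK), the program below shows the (functional interface, implementation method, capturing class) tuple that a serializable lambda's writeReplace() records in its SerializedLambda, which is exactly what the generated $deserializeLambda$ checks before re-linking, and then round-trips the lambda through an ObjectInputStream with a deserialization filter. The filter (java.io.ObjectInputFilter, JDK 9+) goes beyond what the 2013 thread discusses: it is the extra layer a server accepting streams from untrusted parties should add, so that nothing but the expected classes is ever resolved. Class names, the lambda and the filter pattern are assumptions for this demo; it needs JDK 10+ for var.

```java
import java.io.*;
import java.lang.invoke.SerializedLambda;
import java.util.function.Function;

public class LambdaSerializationDemo {

    // A serializable lambda that captures one argument. Its class gets a
    // synthetic private writeReplace() returning a SerializedLambda, and this
    // capturing class gets a $deserializeLambda$ that only re-links the
    // (interface, implementation method) pairs it actually generated.
    static Function<String, Integer> makeCounter(String prefix) {
        return (Function<String, Integer> & Serializable) s -> (prefix + s).length();
    }

    // Read the SerializedLambda replacement object through the lambda class's
    // synthetic writeReplace(), to see what the stream will carry.
    static SerializedLambda describe(Object lambda) throws Exception {
        var m = lambda.getClass().getDeclaredMethod("writeReplace");
        m.setAccessible(true);
        return (SerializedLambda) m.invoke(lambda);
    }

    static byte[] serialize(Object o) throws IOException {
        var bytes = new ByteArrayOutputStream();
        try (var out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    // Deserialize behind an allowlist filter: only SerializedLambda itself and
    // java.lang types (the boxed/String captured arguments and the Object[]
    // that holds them) are admitted; every other class is rejected before it
    // is resolved, independently of what $deserializeLambda$ later verifies.
    static Object deserializeFiltered(byte[] data) throws Exception {
        var filter = ObjectInputFilter.Config.createFilter(
            "java.lang.invoke.SerializedLambda;java.lang.*;!*");
        try (var in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Function<String, Integer> f = makeCounter("id-");
        SerializedLambda sl = describe(f);
        System.out.println("SAM:       " + sl.getFunctionalInterfaceClass());
        System.out.println("impl:      " + sl.getImplClass() + "." + sl.getImplMethodName());
        System.out.println("capturing: " + sl.getCapturingClass());

        @SuppressWarnings("unchecked")
        var copy = (Function<String, Integer>) deserializeFiltered(serialize(f));
        System.out.println("round trip: " + copy.apply("42"));
    }
}
```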
