Explicit Serialization API and Security

Brian Goetz brian.goetz at oracle.com
Thu Jan 8 20:10:40 UTC 2015

> 1) Validate invariants
>      A clear and easy to understand mechanism that can validate the deserialized
>      fields. Does not prevent the use of final fields, as the serialization framework
>      will be responsible for setting them. Something along the lines of what David
>      suggested:
>        private static void validate(GetField fields) {
>            if (fields.getInt("lo") > fields.getInt("hi")) { ... }
>       }
>      This could be a “special” method, or annotation driven. TBD.
>      Note: the validate method is static, so the object instance is not required to
>      be created before running the validation.

Sort of...

This is true if the fields participating in the invariant are 
primitives.  But if they're refs, what do you do?  What if you want to 
validate something like

   count == list.size()   // fields are int count, List list

?  Then wouldn't GetField.getObject have to deserialize the object 
referred to by that field?

More information about the core-libs-dev mailing list