From 305d7765812d5bc3db3da6f7b67f46abb018802e Mon Sep 17 00:00:00 2001 From: Roger Riggs Date: Wed, 23 Nov 2016 11:47:29 -0500 Subject: [PATCH] 8169645: ObjectInputFilter Config spec is ambiguous regarding overriding the filter via System properties Reviewed-by: bpb --- .../share/classes/java/io/ObjectInputFilter.java | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputFilter.java b/jdk/src/java.base/share/classes/java/io/ObjectInputFilter.java index 9707725854a..e222f47c41a 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputFilter.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputFilter.java @@ -194,11 +194,17 @@ public interface ObjectInputFilter { * When setting the filter, it should be stateless and idempotent, * reporting the same result when passed the same arguments. *

- * The filter is configured using the {@link java.security.Security} - * property {@code jdk.serialFilter} and can be overridden by - * the System property {@code jdk.serialFilter}. - * - * The syntax is the same as for the {@link #createFilter(String) createFilter} method. + * The filter is configured during the initialization of the {@code ObjectInputFilter.Config} + * class. For example, by calling {@link #getSerialFilter() Config.getSerialFilter}. + * If the system property {@code jdk.serialFilter} is defined, it is used + * to configure the filter. + * If the system property is not defined, and the {@link java.security.Security} + * property {@code jdk.serialFilter} is defined then it is used to configure the filter. + * Otherwise, the filter is not configured during initialization. + * The syntax for each property is the same as for the + * {@link #createFilter(String) createFilter} method. + * If a filter is not configured, it can be set with + * {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}. * * @since 9 */