Module java.base
Package java.io

Class ObjectInputFilter.Config

java.lang.Object
java.io.ObjectInputFilter.Config
Enclosing interface:
ObjectInputFilter

public static final class ObjectInputFilter.Config extends Object
A utility class to set and get the JVM-wide deserialization filter factory, the static JVM-wide filter, or to create a filter from a pattern string. The static filter factory and the static filter apply to the whole Java runtime ("JVM-wide"); there is only one of each. For a complete description of the function and use, refer to ObjectInputFilter.

The JVM-wide deserialization filter factory and the static JVM-wide filter can be configured from system properties during the initialization of the ObjectInputFilter.Config class.

If the Java virtual machine is started with the system property jdk.serialFilter, its value is used to configure the filter. If the system property is not defined and the Security property jdk.serialFilter is defined, then the Security property is used to configure the filter. The filter is created as if createFilter is called. If the filter string is invalid, the initialization fails and subsequent attempts to get the filter, set a filter, or create an ObjectInputStream throw IllegalStateException. Deserialization is not possible with an invalid serial filter. If neither the system property jdk.serialFilter nor the Security property jdk.serialFilter is set, the filter can be set with Config.setSerialFilter. Setting jdk.serialFilter with System.setProperty does not set the filter. The syntax for the property value is the same as for the createFilter method.

If the Java virtual machine is started with the system property jdk.serialFilterFactory or the Security property of the same name, its value names the class to configure the JVM-wide deserialization filter factory. If the system property is not defined and the Security property jdk.serialFilterFactory is defined, then the Security property is used to configure the filter factory. If it remains unset, the filter factory is a built-in filter factory compatible with previous versions.

The class must be public, must have a public zero-argument constructor, implement the BinaryOperator<ObjectInputFilter> interface, provide its implementation and be accessible via the application class loader. If the filter factory constructor is not invoked successfully, subsequent attempts to get the factory, set the factory, or create an ObjectInputStream throw IllegalStateException. Deserialization is not possible with an invalid serial filter factory. The filter factory configured using the system or security property during initialization can NOT be replaced with Config.setSerialFilterFactory. This ensures that a filter factory set on the command line is not overridden accidentally or intentionally by the application.

Setting the jdk.serialFilterFactory with System.setProperty does not set the filter factory. The syntax for the system property value and security property value is the fully qualified class name of the deserialization filter factory.
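
The following is an added example, not part of the JDK documentation: a filter factory class that meets the requirements above and rejects every class the configured filters leave undecided. The class name StrictFilterFactory, the allow-list pattern and the sample file name are assumptions made for illustration; it needs Java 17 or later, where the filter factory API is available.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BinaryOperator;

// Added example: the class name and allow-list pattern are assumptions, not JDK code.
// Launch-time equivalent, which the application cannot replace afterwards:
//   java -Djdk.serialFilter='java.lang.*;java.util.*;maxdepth=10' \
//        -Djdk.serialFilterFactory=StrictFilterFactory StrictFilterFactory
public class StrictFilterFactory implements BinaryOperator<ObjectInputFilter> {

    public StrictFilterFactory() { } // public zero-argument constructor, as required

    // current: filter already on the stream (null while the stream is constructed).
    // next: the JVM-wide filter at construction, or the filter later passed to
    // ObjectInputStream.setObjectInputFilter.
    @Override
    public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter next) {
        if (next == null) return current;
        // merge: REJECTED from either filter wins. rejectUndecidedClass: classes that
        // no pattern allowed are rejected, so a stream filter can only narrow the set.
        return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(next, current));
    }

    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try { // succeeds only if nothing was configured by property at launch
            ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config
                .createFilter("java.lang.*;java.util.*;maxdepth=10"));
            ObjectInputFilter.Config.setSerialFilterFactory(new StrictFilterFactory());
        } catch (IllegalStateException e) {
            System.out.println("launch-time configuration kept: " + e.getMessage());
        }
        System.out.println(roundTrip(new ArrayList<>(List.of("a", "b")))); // allowed
        try {
            roundTrip(new File("constructed-sample.txt")); // java.io.File is not allow-listed
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run without the two properties, the programmatic setup in main takes effect; run with them, the setter calls throw IllegalStateException and the launch-time configuration stays in force.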

Since:
9