Insights and updates on Java SE and OpenJDK from the Java Platform Group Product Management Team

  • February 14, 2017

Filter Incoming Serialization Data - a little of JDK 9 goodness available now in current release families

Aurelio Garcia-Ribeyro
Director of Product Management
One of the new features developed for JDK 9, JEP 290: Filter Incoming Serialization Data, has been back-ported to JDK 8, 7, and 6.

The option of filtering incoming serialization data adds one more layer of protection and robustness to object serialization. By using the filtering mechanism, developers can constrain the classes that can be deserialized by an application. Like most security features, this new feature is not meant to replace current secure coding practices but to add to those practices.

The feature is available in JDK 9 early access builds, but since we wanted users of current versions to have this capability, it has already been back-ported to the JDK and JRE updates released with the Jan 2017 Critical Patch Update (8u121, 7u131, and 6u141). See the release notes for the corresponding releases for further information.
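The following is an added example, not code from this post or from the JDK project, showing how a filter constrains the classes an application will deserialize. It uses the `java.io.ObjectInputFilter` API as it appears in JDK 9; the `SerialFilterDemo` and `Order` classes and the limit values are assumptions made for illustration.

```java
import java.io.*;
import java.util.Date;

// Added example: requires JDK 9 or later for java.io.ObjectInputFilter.
public class SerialFilterDemo {

    // Hypothetical application class that the filter is meant to allow.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Allow-list: Order and java.lang.* only, with bounded graph size.
    // Patterns are tried left to right; the trailing "!*" rejects every other class.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SerialFilterDemo$Order;java.lang.*;maxdepth=5;maxrefs=100;maxbytes=4096;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // set before the first readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input 1: a class on the allow-list.
        Order ok = (Order) deserialize(serialize(new Order("A-1001")));
        System.out.println("accepted: Order " + ok.id);

        // Constructed sample input 2: java.util.Date is not on the allow-list,
        // so the stream is rejected before the object is instantiated.
        try {
            deserialize(serialize(new Date()));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On the back-ported releases, the same pattern string can be applied process-wide through the `jdk.serialFilter` system property, without code changes.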
