142. Tackling context-specific deserialization filters
JDK 17 enriched the deserialization filter capabilities with the implementation of JEP 415, Context-Specific Deserialization Filters.
Practically, JDK 17 added the so-called Filter Factories. Depending on the context, a Filter Factory can dynamically decide what filters to use for a stream.
Applying a Filter Factory per application
If we want to apply a Filter Factory to a single run of an application, then we can rely on the jdk.serialFilterFactory system property. Without touching the code, we use this system property at the command line as in the following example:
java -Djdk.serialFilterFactory=FilterFactoryName YourApp
The FilterFactoryName is the fully qualified name of the Filter Factory, which is a public class that can be accessed by the application class loader, and it must be set before the first deserialization.
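As an added illustration (not code from the book), here is a Filter Factory that could be named by jdk.serialFilterFactory. The package, class name, and allow-list pattern are assumptions made for this example.

```java
package com.example; // hypothetical package

import java.io.ObjectInputFilter;
import java.util.function.BinaryOperator;

// Run with:
//   java -Djdk.serialFilterFactory=com.example.AllowListFilterFactory YourApp
// A factory set through the system property must be a public class with a
// public no-argument constructor that implements BinaryOperator<ObjectInputFilter>.
public class AllowListFilterFactory implements BinaryOperator<ObjectInputFilter> {

    // Constructed allow-list: graph limits, java.base classes, and one
    // hypothetical application package; "!*" rejects every other class.
    // A production allow-list should name only the classes actually expected.
    private static final ObjectInputFilter BASELINE =
        ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=1000;java.base/*;com.example.dto.*;!*");

    public AllowListFilterFactory() {
    }

    @Override
    public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter next) {
        if (current == null) {
            // Context 1: an ObjectInputStream is being constructed.
            // 'next' is the JVM-wide filter, or null if none is configured.
            // Always enforce the baseline so no stream is left unfiltered.
            return next == null ? BASELINE : ObjectInputFilter.merge(next, BASELINE);
        }
        // Context 2: code called setObjectInputFilter(next) on the stream.
        // Merge instead of replacing, so a stream-specific filter can only
        // tighten the checks; a rejection by either filter is final.
        return next == null ? current : ObjectInputFilter.merge(next, current);
    }
}
```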
Applying a Filter Factory to all applications in a process
To apply a Filter...