8231422: Setting JEP 290 Filter via System Property May Be Ignored

Reviewed-by: smarks, rhalade

src/java.base/share/classes/java/io/ObjectInputFilter.java

@@ -35,6 +35,7 @@ import java.util.Optional;
 import java.util.function.Function;
 
 import jdk.internal.access.SharedSecrets;
+import jdk.internal.util.StaticProperty;
 
 /**
  * Filter classes, array lengths, and graph metrics during deserialization.
@@ -205,15 +206,17 @@ public interface ObjectInputFilter {
      * <p>
      * The filter is configured during the initialization of the {@code ObjectInputFilter.Config}
      * class. For example, by calling {@link #getSerialFilter() Config.getSerialFilter}.
-     * If the system property {@systemProperty jdk.serialFilter} is defined, it is used
-     * to configure the filter.
-     * If the system property is not defined, and the {@link java.security.Security}
-     * property {@code jdk.serialFilter} is defined then it is used to configure the filter.
-     * Otherwise, the filter is not configured during initialization.
+     * If the system property {@systemProperty jdk.serialFilter} is defined on the command line,
+     * it is used to configure the filter.
+     * If the system property is not defined on the command line, and the
+     * {@link java.security.Security} property {@code jdk.serialFilter} is defined
+     * then it is used to configure the filter.
+     * Otherwise, the filter is not configured during initialization and
+     * can be set with {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
+     * Setting the {@code jdk.serialFilter} with {@link System#setProperty(String, String)
+     * System.setProperty} <em>does not set the filter</em>.
      * The syntax for each property is the same as for the
      * {@link #createFilter(String) createFilter} method.
-     * If a filter is not configured, it can be set with
-     * {@link #setSerialFilter(ObjectInputFilter) Config.setSerialFilter}.
      *
      * @since 9
      */
@@ -256,7 +259,7 @@ public interface ObjectInputFilter {
         static {
             configuredFilter = AccessController
                     .doPrivileged((PrivilegedAction<ObjectInputFilter>) () -> {
-                        String props = System.getProperty(SERIAL_FILTER_PROPNAME);
+                        String props = StaticProperty.jdkSerialFilter();
                         if (props == null) {
                             props = Security.getProperty(SERIAL_FILTER_PROPNAME);
                         }

src/java.base/share/classes/jdk/internal/util/StaticProperty.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,6 +42,7 @@ public final class StaticProperty {
     private static final String USER_HOME = initProperty("user.home");
     private static final String USER_DIR  = initProperty("user.dir");
     private static final String USER_NAME = initProperty("user.name");
+    private static final String JDK_SERIAL_FILTER = System.getProperty("jdk.serialFilter");
 
     private StaticProperty() {}
 
@@ -104,4 +105,17 @@ public final class StaticProperty {
     public static String userName() {
         return USER_NAME;
     }
+
+    /**
+     * Return the {@code jdk.serialFilter} system property.
+     *
+     * <strong>{@link SecurityManager#checkPropertyAccess} is NOT checked
+     * in this method. The caller of this method should take care to ensure
+     * that the returned property is not made accessible to untrusted code.</strong>
+     *
+     * @return the {@code user.name} system property
+     */
+    public static String jdkSerialFilter() {
+        return JDK_SERIAL_FILTER;
+    }
 }