CONTENTS | PREV | NEXT | Java Object Serialization Specification |
The goal for object serialization is to be as simple as possible and yet still be consistent with known security restrictions; the simpler the system is, the more likely it is to be secure. The following points summarize how security in object serialization has been implemented:
- Only objects implementing the
java.io.Serializable
orjava.io.Externalizable
interfaces can be serialized. there are mechanisms for not serializing certain fields and certain classes.- The serialization package cannot be used to recreate the same object, and no object is ever overwritten by a deserialize operation. All that can be done with the serialization package is to create new objects, initialized in a particular fashion.
- While deserializing an object might cause code for the class of the object to be loaded, that code loading is protected by all of the usual Javatm code verification and security management guarantees. Classes loaded because of deserialization are no more or less secure than those loaded in any other fashion.
- Externalizable objects expose themselves to being overwritten because the
readExternal
method is public.