Spec-Zone .ru
спецификации, руководства, описания, API
|
CONTENTS | PREV | NEXT | Java Object Serialization Specification |
The goal for object serialization is to be as simple as possible and yet still be consistent with known security restrictions; the simpler the system is, the more likely it is to be secure. The following points summarize the security measures present in object serialization:
- Only objects implementing the
java.io.Serializable
orjava.io.Externalizable
interfaces can be serialized. Mechanisms are provided which can be used to prevent the serialization of specific fields (typically, those containing sensitive or unneeded data).- The serialization package cannot be used to recreate or reinitialize objects. Deserializing a byte stream may result in the creation of new objects, but will not overwrite or modify the contents of existing objects.
- Although deserializing an object may trigger downloading of code from a remote source, the downloaded code is restricted by all of the usual JavaTM code verification and security mechanisms. Classes loaded as a side-effect of deserialization are no more or less secure than those loaded in any other fashion.