
Java Object Serialization Specification: Security in Object Serialization (JDK 5 Documentation)



A.2 Design Goals

The goal for object serialization is to be as simple as possible and yet still be consistent with known security restrictions; the simpler the system is, the more likely it is to be secure. The following points summarize how security in object serialization has been implemented:

  • Only objects whose classes implement the java.io.Serializable or java.io.Externalizable interface can be serialized; attempting to write any other object fails with a NotSerializableException. There are also mechanisms for excluding particular fields (for example, fields declared transient) and particular classes from the stream.
  • The serialization package cannot be used to restore state into an existing object, and no object is ever overwritten by a deserialize operation. All that deserialization can do is create new objects, initialized from the contents of the stream.
  • While deserializing an object might cause code for the class of the object to be loaded, that code loading is protected by all of the usual Java code verification and security management guarantees. Classes loaded because of deserialization are no more or less secure than those loaded in any other fashion.
  • Externalizable objects expose themselves to being overwritten because the readExternal method is public: any code holding a reference to such an object can call readExternal with an ObjectInput of its choosing and replace the object's state in place.
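
The following program is an added, self-contained example (it is not part of the specification and the class names Account, Config and the sample values are invented for illustration) that exercises each of the four points above: a transient field is dropped from the stream, deserialization yields a new object rather than touching the original, a non-serializable object is rejected, and the public readExternal method of an Externalizable class lets a caller overwrite a live instance. It also shows the check a practitioner adds because deserialization bypasses constructors: a private readObject that re-validates invariants and throws InvalidObjectException on a bad stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Externalizable;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.NotSerializableException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializationSecurityDemo {

    /** Serializable class (hypothetical): the transient secret is never written,
     *  and readObject re-checks the invariant because no constructor runs on read. */
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;
        private final long balanceCents;           // invariant: never negative
        private transient char[] sessionSecret;    // excluded from the stream

        Account(String owner, long balanceCents, char[] sessionSecret) {
            if (owner == null || balanceCents < 0) throw new IllegalArgumentException("bad state");
            this.owner = owner;
            this.balanceCents = balanceCents;
            this.sessionSecret = sessionSecret;
        }

        // Invoked by ObjectInputStream in place of the constructor; validate what came off the wire.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (owner == null || balanceCents < 0) {
                throw new InvalidObjectException("corrupt or hostile Account state");
            }
            // sessionSecret remains null: it was never part of the stream.
        }

        char[] sessionSecret() { return sessionSecret; }
    }

    /** Externalizable class (hypothetical): readExternal must be public, so any caller
     *  with a reference can feed it an ObjectInput and overwrite the instance. */
    public static final class Config implements Externalizable {
        private static final long serialVersionUID = 1L;
        private int maxConnections;
        private String adminUser;

        public Config() { }                       // public no-arg constructor is required
        public Config(int maxConnections, String adminUser) {
            this.maxConnections = maxConnections;
            this.adminUser = adminUser;
        }
        @Override public void writeExternal(ObjectOutput out) throws IOException {
            out.writeInt(maxConnections);
            out.writeUTF(adminUser);
        }
        @Override public void readExternal(ObjectInput in) throws IOException {
            maxConnections = in.readInt();
            adminUser = in.readUTF();
        }
        String adminUser() { return adminUser; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Points 1 and 2: transient field dropped, a new object is created, original untouched.
        Account original = new Account("alice", 1_000, "s3cret".toCharArray());
        Account copy = (Account) deserialize(serialize(original));
        System.out.println("distinct object:   " + (copy != original));             // true
        System.out.println("secret not copied: " + (copy.sessionSecret() == null)); // true
        System.out.println("original intact:   " + (original.sessionSecret() != null)); // true

        // Point 1: a class that implements neither interface cannot be written at all.
        try {
            serialize(new Object());
        } catch (NotSerializableException e) {
            System.out.println("rejected: " + e.getMessage());                      // java.lang.Object
        }

        // Point 4: readExternal is public, so an existing instance can be overwritten in place.
        Config live = new Config(10, "ops");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            new Config(10_000, "attacker").writeExternal(out);     // attacker-chosen field values
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            live.readExternal(in);   // no new object: 'live' itself is mutated
        }
        System.out.println("live admin now:    " + live.adminUser());                // attacker
    }
}
```

Compile and run with `javac SerializationSecurityDemo.java && java SerializationSecurityDemo`. The readObject validation is the only invariant check a Serializable class gets on the read path, so every field that the constructor would reject must be re-checked there. Going beyond this page: JDK 9 and later additionally provide java.io.ObjectInputFilter (JEP 290), which lets a stream reject classes before they are resolved, and that is the control to reach for whenever the bytes come from an untrusted source.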


Copyright © 1997-1998 Sun Microsystems, Inc. All Rights Reserved.