当前页面: 在线文档首页 > JDK 5 Documentation v1.4.1, Java 2 SDK 英文文档
CONTENTS | PREV | NEXT
Copyright © 1997-2001 Sun Microsystems, Inc. All Rights Reserved.
Java Object Serialization Specification: - Security in Object Serialization - JDK 5 Documentation v1.4.1, Java 2 SDK 英文文档
| CONTENTS | PREV | NEXT | Java Object Serialization Specification |
A.2 Design Goals
The goal for object serialization is to be as simple as possible and yet still be consistent with known security restrictions; the simpler the system is, the more likely it is to be secure. The following points summarize the security measures present in object serialization:
- Only objects implementing the
java.io.Serializableorjava.io.Externalizableinterfaces can be serialized. Mechanisms are provided which can be used to prevent the serialization of specific fields (typically, those containing sensitive or unneeded data).- The serialization package cannot be used to recreate or reinitialize objects. Deserializing a byte stream may result in the creation of new objects, but will not overwrite or modify the contents of existing objects.
- Although deserializing an object may trigger downloading of code from a remote source, the downloaded code is restricted by all of the usual JavaTM code verification and security mechanisms. Classes loaded as a side-effect of deserialization are no more or less secure than those loaded in any other fashion.
CONTENTS | PREV | NEXT
Copyright © 1997-2001 Sun Microsystems, Inc. All Rights Reserved.