A.2 Design Goals
The goal for object serialization is to be as simple as possible and yet still be consistent with known security restrictions; the simpler the system is, the more likely it is to be secure. The following points summarize the security measures present in object serialization:
- Only objects implementing the java.io.Serializable or java.io.Externalizable interfaces can be serialized. Mechanisms are provided which can be used to prevent the serialization of specific fields (typically, those containing sensitive or unneeded data).
- The serialization package cannot be used to recreate or reinitialize objects. Deserializing a byte stream may result in the creation of new objects, but will not overwrite or modify the contents of existing objects.
- Although deserializing an object may trigger downloading of code from a remote source, the downloaded code is restricted by all of the usual Java code verification and security mechanisms. Classes loaded as a side-effect of deserialization are no more or less secure than those loaded in any other fashion.
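The first two points above, illustrated as an added example (not code from the specification or the JDK): the "mechanisms" for keeping specific fields out of the stream are the transient modifier and an explicit serialPersistentFields declaration, and deserialization yields a fresh instance rather than touching the one that was written. Class names, field names and the sample values "alice" and "hunter2" are constructed for this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class SensitiveFieldDemo {

    // Mechanism 1: a transient field is skipped by default serialization.
    // (Hypothetical class, constructed for this example.)
    static final class TransientSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        transient String secret; // never written; takes its default (null) after readObject
        TransientSession(String user, String secret) { this.user = user; this.secret = secret; }
    }

    // Mechanism 2: list the serializable fields explicitly; anything not listed is omitted.
    // (Hypothetical class, constructed for this example.)
    static final class ExplicitSession implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("user", String.class)
        };
        final String user;
        final String secret; // not declared above, so not part of the serialized form
        ExplicitSession(String user, String secret) { this.user = user; this.secret = secret; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Strings are written to the stream as modified UTF-8, so a plain byte search is
    // enough to show whether a value reached the wire.
    static boolean streamContains(byte[] stream, String value) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(value);
    }

    public static void main(String[] args) throws Exception {
        TransientSession t = new TransientSession("alice", "hunter2"); // constructed sample values
        byte[] tStream = serialize(t);
        TransientSession tCopy = (TransientSession) deserialize(tStream);

        System.out.println("transient: stream carries user?   " + streamContains(tStream, t.user));
        System.out.println("transient: stream carries secret? " + streamContains(tStream, "hunter2"));
        System.out.println("transient: copy.secret = " + tCopy.secret);

        ExplicitSession e = new ExplicitSession("bob", "correct-horse"); // constructed sample values
        byte[] eStream = serialize(e);
        ExplicitSession eCopy = (ExplicitSession) deserialize(eStream);

        System.out.println("explicit: stream carries user?   " + streamContains(eStream, e.user));
        System.out.println("explicit: stream carries secret? " + streamContains(eStream, "correct-horse"));
        System.out.println("explicit: copy.secret = " + eCopy.secret);

        // Deserialization created new objects; the originals are untouched and still hold their secrets.
        System.out.println("copies are distinct instances: " + (tCopy != t && eCopy != e));
        System.out.println("originals unchanged: "
                + ("hunter2".equals(t.secret) && "correct-horse".equals(e.secret)));
    }
}
```

Run it with javac and java; the "carries secret?" lines come out false for both mechanisms while the "carries user?" lines come out true, and the deserialized copies report a null secret even though the original instances still hold theirs. Note that neither mechanism runs the class constructor during deserialization, so any invariant the constructor enforced on the omitted field must be re-established (for example in a readObject method) if the class relies on it.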