Java Object Serialization Specification
The object serialization system allows a bytestream to be produced from a graph of objects, sent out of the Java environment (either saved to disk or transmitted over the network), and then used to recreate an equivalent set of new objects with the same state. What happens to the state of the objects outside of the environment is, by definition, outside of the control of the Java system, and therefore outside the control of the security the system provides. The question then arises: once an object has been serialized, can the resulting byte array be examined and changed in a way that compromises the security of the Java program that deserializes it? The intent of this section is to address these security concerns.