Java Object Serialization Specification
The goal for object serialization is to be as simple as possible and yet still be consistent with known security restrictions; the simpler the system is, the more likely it is to be secure. The following points summarize the security measures present in object serialization:
- Only objects implementing the java.io.Serializable or java.io.Externalizable interfaces can be serialized. Mechanisms are provided which can be used to prevent the serialization of specific fields (typically, those containing sensitive or unneeded data).
- The serialization package cannot be used to recreate or reinitialize objects. Deserializing a byte stream may result in the creation of new objects, but will not overwrite or modify the contents of existing objects.
- Although deserializing an object may trigger downloading of code from a remote source, the downloaded code is restricted by all of the usual Java code verification and security mechanisms. Classes loaded as a side-effect of deserialization are no more or less secure than those loaded in any other fashion.
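As an added illustration of the first two points (example code written for this page, not part of the specification), a constructed Credential class marks its password field transient so that it is excluded from the stream, and the program checks that the secret never reaches the serialized bytes and that deserialization yields a distinct new object; the class and the sample values are assumptions made for the example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Hypothetical class constructed for this example: the password must never
// reach the byte stream, so the field is marked transient.
class Credential implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String username;
    private transient String password;   // excluded from the serialized form

    Credential(String username, String password) {
        this.username = username;
        this.password = password;
    }
    String username() { return username; }
    String password() { return password; }
}

public class TransientDemo {
    // Serialize any object to a byte array so its contents can be inspected.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        Credential original = new Credential("alice", "hunter2");
        byte[] bytes = serialize(original);

        // Strings are written as modified UTF-8, so a byte-for-byte dump shows
        // which values were stored: the username is present, the secret is not.
        String dump = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("stream contains username: " + dump.contains("alice"));
        System.out.println("stream contains password: " + dump.contains("hunter2"));

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Credential copy = (Credential) in.readObject();
            // Deserialization creates a new object; the original is untouched,
            // and the transient field of the copy was never restored.
            System.out.println("distinct instance: " + (copy != original));
            System.out.println("copy password: " + copy.password());
            System.out.println("original password: " + original.password());
        }
    }
}
```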