
Tuesday, 10 May 2016

Make your classes non-serializable

Serialization is dangerous because it allows adversaries to get their hands on the internal state of objects. An adversary can serialize one of your objects into a byte array that can be read. This allows the adversary to inspect the full internal state of the object, including any fields marked private, and including the internal state of any objects it references.

To prevent this, we can make the object impossible to serialize. To achieve this goal, we throw an IOException from the writeObject() method:



// Invoked by the serialization runtime in place of the default field writer;
// throwing here means no instance of this class can ever be written out.
private final void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
    throw new java.io.IOException("Object cannot be serialized");
}
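As an added example (not code from the original post), the class below applies the technique to the realistic case where serializability is inherited from a base class you cannot edit, and goes one step beyond the post by refusing readObject as well, so the class can neither be written out nor rebuilt from an untrusted stream. The base class `Account`, the subclass `SecretAccount` and the token value are hypothetical and constructed for the demo.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical Serializable base class we cannot change (e.g. from a library).
class Account implements Serializable {
    private static final long serialVersionUID = 1L;
    protected String owner = "alice"; // constructed sample value
}

// The subclass inherits Serializable, so we block both directions explicitly.
final class SecretAccount extends Account {
    private static final long serialVersionUID = 1L;
    private final String apiToken = "constructed-sample-token"; // constructed sample value

    // The runtime calls this hook instead of the default field writer.
    private void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException(getClass().getName());
    }

    // Also refuse to be reconstructed from a byte stream.
    private void readObject(ObjectInputStream in) throws IOException {
        throw new NotSerializableException(getClass().getName());
    }
}

public class NonSerializableDemo {
    // Returns true only if the serialization runtime rejected the object.
    static boolean serializationBlocked(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return false;
        } catch (NotSerializableException e) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Account blocked? " + serializationBlocked(new Account()));
        System.out.println("SecretAccount blocked? " + serializationBlocked(new SecretAccount()));
    }
}
```

The writeObject/readObject hooks are only consulted for classes that are Serializable, directly or through a superclass; a class that never implements Serializable is already rejected by the runtime with a NotSerializableException.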
