What are the security considerations for serialization?
Location: http://www.jguru.com/faq/view.jsp?EID=57249
Created: May 25, 2000
Modified: 2000-05-25 23:59:27.342
Author: Tim Rohaly (http://www.jguru.com/guru/viewbio.jsp?EID=10)

The Java runtime environment has many features that contribute to security and robustness in a program. For example, the runtime environment enforces access permissions to private, protected, or “default” members. But when you serialize your objects, you are in effect removing them from the runtime environment, thereby exposing them to access that would normally not be allowed – e.g. anyone can come along and read the contents of a private variable from a serialized object. This is why it is important to consider security when you are designing your classes for serialization.

Java provides a number of mechanisms to protect your serialized code:

• The first is the obvious step that classes need to be explicitly declared as implementing Serializable or Externalizable – your class cannot be serialized without a con
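The two points above, as an added example that is not part of the original FAQ answer: the class names Credential and Session, the field values and the helper methods are all hypothetical, constructed only to show that a private field's value is written verbatim into the default serialization stream, while a class that never opted in to Serializable is rejected with NotSerializableException.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Hypothetical class: opts in to serialization and keeps a secret in a private field.
class Credential implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String username;
    private final String password;   // private in the JVM, but still written to the stream

    Credential(String username, String password) {
        this.username = username;
        this.password = password;
    }
}

// Hypothetical class that does NOT implement Serializable or Externalizable.
class Session {
    private final String token = "opaque-session-token";
}

public class SerializationExposure {

    // Serialize any object to a byte array using default Java serialization.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // String fields are written in modified UTF-8, so an ASCII value appears byte-for-byte
    // in the stream; decoding as ISO-8859-1 maps each byte to one char for a plain substring test.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the "private" password is readable by anyone holding the bytes.
        Credential cred = new Credential("alice", "hunter2-secret");
        byte[] bytes = serialize(cred);
        System.out.println("password visible in serialized stream: "
                + streamContains(bytes, "hunter2-secret"));

        // A class that never declared itself Serializable cannot be serialized at all.
        try {
            serialize(new Session());
            System.out.println("Session serialized (unexpected)");
        } catch (NotSerializableException e) {
            System.out.println("Session rejected: " + e.getMessage());
        }
    }
}
```

Running the class prints that the password is visible in the stream and that Session is rejected. The practical check this suggests is to grep the serialized form of any Serializable class for values of its private fields before assuming the access modifier protects them; the stream, not the modifier, is what an attacker reads.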