The serialization and deserialization features can be exploited to bypass security manager checks. A serializable class may install security manager checks in its constructors for various reasons, including preventing untrusted code from modifying the internal state of the class. Such security manager checks must be replicated at all points where a class instance can be constructed. Because deserialization acts like a constructor, all the relevant methods must contain all relevant security checks.
...
Despite the security manager checks, the data is not considered sensitive , as because a sensitive serializable class would violate SER03-J. Do not serialize unencrypted, sensitive data.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bc4d75dbca093936-fe3b1acb-4f774519-9b198832-6aa02d930beb276987895c23"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. Bibliography#Long 05]] | Section 2.4, Serialization | ]]></ac:plain-text-body></ac:structured-macro> |
...