Versions Compared

Comment: rule intro harmonized with general intro

...

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public final class Hometown implements Serializable {
  // ... all methods the same except the following:

  // writeObject() correctly enforces checks during serialization
  private void writeObject(ObjectOutputStream out) throws IOException {
    performSecurityManagerCheck();
    out.defaultWriteObject(); // writes the town field; pairs with defaultReadObject() below
  }

  // readObject() correctly enforces checks during deserialization
  // (defaultReadObject() also throws the checked ClassNotFoundException)
  private void readObject(ObjectInputStream in)
      throws IOException, ClassNotFoundException {
    in.defaultReadObject();
    // If the deserialized name does not match the default value normally
    // created at construction time, duplicate the checks
    if (!UNKNOWN.equals(town)) {
      performSecurityManagerCheck();
      validateInput(town);
    }
  }
}

Refer to rule SEC04-J. Protect sensitive operations with security manager checks to learn about implementing the performSecurityManagerCheck() method. As with rule SER04-J. Validate deserialized objects, it is important to protect against the finalizer attack.
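The fragment above omits the rest of the class, so it is not obvious that deserialization never calls a constructor and therefore needs its own copy of the checks. The following complete class is an added example, not the rule's own code: performSecurityManagerCheck() and validateInput() are assumed implementations (the RuntimePermission name "accessHometown" and the static checksPerformed counter are hypothetical, present only to make the behaviour observable), and the town name "Springfield" is a constructed sample value. Running main() shows the check firing three times: once in the constructor, once in writeObject(), and once in readObject().

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public final class Hometown implements Serializable {
  private static final long serialVersionUID = 1L;
  private static final String UNKNOWN = "UNKNOWN";

  // Hypothetical counter so main() can show how often the check ran.
  // Static fields are never serialized, so it does not affect the stream.
  static int checksPerformed = 0;

  private String town;

  public Hometown() {
    this.town = UNKNOWN; // default value; no sensitive data, no check needed
  }

  public Hometown(String town) {
    performSecurityManagerCheck();
    validateInput(town);
    this.town = town;
  }

  public String getTown() {
    return town;
  }

  // Assumed implementation: consult the installed SecurityManager, if any,
  // for a hypothetical permission. With no manager installed the call is a no-op.
  private static void performSecurityManagerCheck() {
    checksPerformed++;
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
      sm.checkPermission(new RuntimePermission("accessHometown"));
    }
  }

  // Assumed validation: reject empty or oversized names
  private static void validateInput(String town) {
    if (town == null || town.isEmpty() || town.length() > 64) {
      throw new IllegalArgumentException("invalid town name");
    }
  }

  // Serialization path: same check as the constructor
  private void writeObject(ObjectOutputStream out) throws IOException {
    performSecurityManagerCheck();
    out.defaultWriteObject();
  }

  // Deserialization path: the constructor is bypassed, so the checks are
  // duplicated here whenever the stream carries a non-default value
  private void readObject(ObjectInputStream in)
      throws IOException, ClassNotFoundException {
    in.defaultReadObject();
    if (!UNKNOWN.equals(town)) {
      performSecurityManagerCheck();
      validateInput(town);
    }
  }

  public static void main(String[] args) throws Exception {
    Hometown original = new Hometown("Springfield"); // check 1: constructor

    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(original);                      // check 2: writeObject()
    }

    Hometown copy;
    try (ObjectInputStream ois =
        new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
      copy = (Hometown) ois.readObject();             // check 3: readObject()
    }

    System.out.println("town=" + copy.getTown()
        + " checksPerformed=" + checksPerformed);
  }
}
```

Compile and run with javac Hometown.java && java Hometown. On JDK 17 and later the SecurityManager API is deprecated for removal, so javac emits a warning; the code still compiles, and without a manager installed the permission check is skipped while the validateInput() check on the deserialized value still runs.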

...


...