Serialization and deserialization features can be exploited to bypass security manager checks. A serializable class may contain security manager checks in its constructors for various reasons, including preventing untrusted code from modifying the internal state of the class. Such security manager checks must be replicated at all points where a class instance can be constructed. Because deserialization acts like a constructor, all the relevant deserialization methods must contain all relevant security checks. Likewise, if a class enables a caller to retrieve sensitive internal state contingent upon security checks, the same checks must be replicated during deserialization. This ensures that an attacker cannot extract sensitive information by deserializing the object.
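The following class is an added illustration of this requirement, not code from the original page or from the CERT standard. The class name, the field it protects and the permission name `accessSensitiveCredential` are all assumptions chosen for the example. The same permission check guards the constructor, the accessor, and both deserialization hooks (`readObject()` and `readObjectNoData()`), so that reconstructing an instance from a byte stream is subject to exactly the checks that constructing or querying it directly would be.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.security.Permission;

// Hypothetical serializable class whose internal state is guarded by a
// security manager check. The permission name is an assumption.
public final class SensitiveCredential implements Serializable {
    private static final long serialVersionUID = 1L;

    // Single permission that guards construction, access and deserialization.
    private static final Permission ACCESS_PERMISSION =
        new RuntimePermission("accessSensitiveCredential"); // hypothetical name

    private final String secret;

    // Centralized check so every entry point enforces the same policy.
    private static void checkAccess() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(ACCESS_PERMISSION);
        }
    }

    // Constructor: untrusted code must not be able to create instances.
    public SensitiveCredential(String secret) {
        checkAccess();
        this.secret = secret;
    }

    // Accessor: retrieving the sensitive state is contingent on the check.
    public String getSecret() {
        checkAccess();
        return secret;
    }

    // Deserialization acts like a constructor, so the identical check is
    // performed before any state is read from the stream. Without this,
    // untrusted code could bypass the constructor check by deserializing
    // a crafted byte stream instead of calling the constructor.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        checkAccess();
        in.defaultReadObject();
    }

    // Invoked when the stream carries no data for this class (e.g. a
    // class-hierarchy mismatch); it is also a construction path and so
    // must enforce the same check.
    private void readObjectNoData() throws IOException {
        checkAccess();
        throw new IOException("Missing serialized state for SensitiveCredential");
    }
}
```

Keeping the check in one private static method, rather than repeating the `System.getSecurityManager()` lookup at each site, makes it harder for a later edit to add a new construction path (a copy constructor, a factory method, another deserialization hook) that silently omits the check.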
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="40829a2ad4bf8f16-b0279713-45e94596-8e4ab1a4-eb25a244e3ce4e3919927d16"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. Bibliography#Long 05]] | Section 2.4, Serialization | ]]></ac:plain-text-body></ac:structured-macro> |
...