...
Ideally, extending a class or interface that implements Serializable should be avoided. When this is not possible, undue serialization of the subclass can be prohibited by throwing a NotSerializableException from a custom writeObject() or readResolve() method defined in the subclass SensitiveClass. The two hooks guard different directions and have different inheritance rules. writeObject() runs when an instance is written to an ObjectOutputStream; the serialization specification requires it to be private, and a private writeObject() in SensitiveClass is still invoked for that class's fields whenever an instance of any further subclass is written, so it cannot be bypassed by overriding. readResolve() runs at the end of deserialization and is looked up by inheritance, but a private readResolve() is not inherited and therefore does not apply to instances of subclasses. To cover a malicious subclass, readResolve() must be declared with non-private access (protected is sufficient) and final, so that the subclass can neither escape it nor override it.
```java
import java.io.NotSerializableException;

class SensitiveClass extends Exception {
  // ...

  // Refuse deserialization. Declared non-private so that subclasses inherit
  // the hook, and final so that a malicious subclass cannot override it.
  protected final Object readResolve() throws NotSerializableException {
    throw new NotSerializableException();
  }
}
```
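The following is an added, stand-alone example (not CERT's code) that contrasts the two guards. The class names WeakGuard, WeakSub, SensitiveSub and SerializationGuardDemo, the secret field and the sample value are assumptions made for the demonstration. WeakGuard carries only a private readResolve(): a round trip of a WeakGuard instance is refused, but a round trip of the subclass WeakSub succeeds and the secret comes back intact, because the private hook is not inherited. SensitiveClass carries a private writeObject() plus a protected final readResolve(), and both it and its subclass SensitiveSub are refused before a single byte is written.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;

// Hypothetical class with the weaker guard: a private readResolve() only.
// It protects WeakGuard instances, but private methods are not inherited,
// so the hook is never found for a subclass such as WeakSub.
class WeakGuard extends Exception {
    private static final long serialVersionUID = 1L;
    private final String secret;  // hypothetical sensitive field, not transient

    WeakGuard(String secret) {
        super("weak guard");
        this.secret = secret;
    }

    String getSecret() {
        return secret;
    }

    private Object readResolve() throws ObjectStreamException {
        throw new NotSerializableException("readResolve refused " + getClass().getName());
    }
}

class WeakSub extends WeakGuard {
    private static final long serialVersionUID = 1L;

    WeakSub(String secret) {
        super(secret);
    }
}

// The guard from the compliant solution with both hooks. writeObject() must be
// private; it is invoked for this class's fields whenever an instance of this
// class or of any subclass is written, so a subclass cannot skip it.
// readResolve() is protected so subclasses inherit it and final so they cannot
// override it; a subclass declaring its own readResolve() does not compile.
class SensitiveClass extends Exception {
    private static final long serialVersionUID = 1L;
    private final String secret;  // hypothetical sensitive field

    SensitiveClass(String secret) {
        super("sensitive");
        this.secret = secret;
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException("writeObject refused " + getClass().getName());
    }

    protected final Object readResolve() throws ObjectStreamException {
        throw new NotSerializableException("readResolve refused " + getClass().getName());
    }
}

class SensitiveSub extends SensitiveClass {
    private static final long serialVersionUID = 1L;

    SensitiveSub(String secret) {
        super(secret);
    }
}

public class SerializationGuardDemo {
    // Serializes o to a byte array and deserializes it again, the same path a
    // cache, RMI call or message broker would take the object through.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    // Reports which hook, if any, stopped the round trip, and what leaked otherwise.
    static String outcome(Object o) {
        try {
            Object copy = roundTrip(o);
            String leaked = copy instanceof WeakGuard ? ((WeakGuard) copy).getSecret() : "?";
            return "NOT blocked; restored " + copy.getClass().getSimpleName() + " with secret " + leaked;
        } catch (NotSerializableException e) {
            return "blocked: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) {
        String secret = "hunter2";  // constructed sample value
        System.out.println("WeakGuard      -> " + outcome(new WeakGuard(secret)));
        System.out.println("WeakSub        -> " + outcome(new WeakSub(secret)));
        System.out.println("SensitiveClass -> " + outcome(new SensitiveClass(secret)));
        System.out.println("SensitiveSub   -> " + outcome(new SensitiveSub(secret)));
    }
}
```

Compile and run with `javac SerializationGuardDemo.java && java SerializationGuardDemo`. Defining both hooks is deliberate: writeObject() stops the sensitive fields from ever reaching a stream, while readResolve() still rejects a stream produced elsewhere (an older build, or bytes crafted by an attacker), and a subclass that implements Externalizable skips the superclass writeObject() hooks entirely but is still subject to the inherited readResolve().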
Risk Assessment
If sensitive data can be serialized, it may be transmitted over an insecure link, stored in an insecure medium, or disclosed inappropriately.
...