...
Extending a class or interface that implements Serializable should be avoided whenever possible. For instance, a nonserializable class could contain an instance of a serializable class, and delegate method calls to the serializable class.
When extension of such a serializable class by an unserializable class is necessary, inappropriate serialization of the subclass can be prohibited by throwing NotSerializableException from a custom writeObject() or , readObject() method, and readObjectNoData() methods, defined in the nonserializable subclass SensitiveClass. Note that the custom writeObject() or readObject() These custom methods must be declared private or final to prevent a malicious subclass from overriding them.
| Code Block | ||
|---|---|---|
| ||
class SensitiveClass extends Number {
// ...
private Object readObjectprotected final Object writeObject(java.io.ObjectOutputStream out) throws NotSerializableException {
throw new NotSerializableException();
}
protected final Object readObject(java.io.ObjectInputStream in) throws NotSerializableException {
throw new NotSerializableException();
}
protected final Object readObjectNoData(java.io.ObjectInputStream in) throws NotSerializableException {
throw new NotSerializableException();
}
}
|
It is still possible for an attacker to obtain uninitialized instances of SensitiveClass by catching NotSerializableException or by using a finalizer attack, see OBJ11-J. Be wary of letting constructors throw exceptions for more information. Therefore an unserializable class that extends a serializable class must always validate itself before executing any methods.
Exceptions
SER03:EX0: Sensitive data that has been properly encrypted may be serialized.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9f152f0c12bc2095-ff048d91-43894043-ba2685b9-a15d0153b1e41183f4d6c94b"><ac:plain-text-body><![CDATA[ | [[Bloch 2005 | AA. References#Bloch 05]] | Puzzle 83. Dyslexic monotheism | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f7146c6e2ca721da-f40bb068-48e24fe5-80f68eb7-63b9e4868ace299b174bfd14"><ac:plain-text-body><![CDATA[ | [[Bloch 2001 | AA. References#Bloch 01]] | Item 1. Enforce the singleton property with a private constructor | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c4dd5713c103b911-99845b02-46294587-a1c79ce2-ba1084f3fad47c0d009c3086"><ac:plain-text-body><![CDATA[ | [[Greanier 2000 | AA. References#Greanier 00]] | [Discover the Secrets of the Java Serialization API | http://java.sun.com/developer/technicalArticles/Programming/serialization/] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e1bdab4fb98a559d-be986563-475f4f8c-a0e0b1a8-76cf56c37202182b1385ed19"><ac:plain-text-body><![CDATA[ | [[Harold 1999 | AA. References#Harold 99]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f10be2a103d9852e-88273045-44ce4b4c-8d1eb154-e1b909b75493d498922ef145"><ac:plain-text-body><![CDATA[ | [[JLS 2005 | AA. References#JLS 05]] | [Transient Modifier | http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3cfd451a61ee69dc-76b3075e-42c04321-8a9eb806-f33fda66a3efcc72835d9171"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. References#Long 05]] | Section 2.4, Serialization | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8a7757d8d29eb625-374a89af-431a4a06-87c2a30a-c3989ddfcc76ce4899a5df01"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. References#Sun 06]] | Serialization Specification, A.4, Preventing Serialization of Sensitive Data | ]]></ac:plain-text-body></ac:structured-macro> |
...