...
In addition to constructors, do not call overridable methods from the clone(), readObject() and readObjectNoData() methods as it would allow attackers to obtain partially initialized instances of classes. (See guidelines MET07-J. Do not invoke overridable methods on the clone under construction and SER11-J. Do not invoke overridable methods from the readObject method.) It is also insecure to call an overridden method from the finalize() method. This can prolong the subclass' life and in fact, render the finalization call useless (See the example in guideline OBJ08MET18-J. Avoid using finalizers.) Additionally, if the subclass's finalizer has terminated key resources, invoking its methods from the superclass may lead one to observe the object in an inconsistent state and in the worst case result in a NullPointerException.
...