...
This compliant solution is based on http://www.ibm.com/developerworks/library/se-lookahead/. It inspects the class of any object being deserialized before its readObject() method is invoked. The code consequently throws an InvalidClassException unless the class of the object (and of all sub-objects) is either a GoodClass1 or a GoodClass2. The WhitelistedObjectInputStream class here is compatible with the strategy employed by the compliant solution in SER13-J. Treat data to be deserialized as potentially malicious by default.
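As an added example (not the listing from the original compliant solution), one way to write the WhitelistedObjectInputStream described above: resolveClass() is overridden so the allow-list check runs on every class descriptor in the stream, including those of nested fields, before any readObject() of the incoming object can execute. The package name com.example is a placeholder; the allow list covers only the two classes the page names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Added example, not the page's own listing. Rejects any class that is not
// on an explicit allow list at class-resolution time, i.e. before the
// runtime instantiates the object or runs its readObject() method.
public final class WhitelistedObjectInputStream extends ObjectInputStream {

    // Fully qualified names so a same-named class from another package
    // cannot slip through. com.example is a placeholder package.
    // Set.of requires Java 9+; use a HashSet on older runtimes.
    private static final Set<String> ALLOWED = Set.of(
        "com.example.GoodClass1",
        "com.example.GoodClass2"
    );

    public WhitelistedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called once per class descriptor in the stream, so the check also
    // covers the classes of sub-objects referenced by GoodClass1/GoodClass2.
    // Note: boxed JDK types (e.g. java.lang.Integer) and arrays of allowed
    // classes ("[Lcom.example.GoodClass1;") also arrive here and will be
    // rejected unless they are added to ALLOWED explicitly; String fields are
    // encoded as TC_STRING and do not pass through resolveClass at all.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name,
                    "Unauthorized deserialization attempt");
        }
        return super.resolveClass(desc);
    }

    // Convenience wrapper: read a single object from an untrusted stream,
    // surfacing the InvalidClassException to the caller unchanged.
    public static Object readTrusted(InputStream in)
            throws IOException, ClassNotFoundException {
        try (WhitelistedObjectInputStream ois = new WhitelistedObjectInputStream(in)) {
            return ois.readObject();
        }
    }
}
```

Because the rejection happens in resolveClass(), a hostile gadget class is refused before its constructor path or readObject() is ever reached; the allow list must therefore enumerate every class that legitimately appears in the stream, not only the top-level type.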
...