...
```java
public final class Hometown implements Serializable {
  // ... all methods the same except the following:

  // writeObject() correctly enforces checks during serialization
  private void writeObject(ObjectOutputStream out) throws IOException {
    performSecurityManagerCheck();
    // Write the default fields so that readObject()'s defaultReadObject()
    // finds matching class data in the stream
    out.defaultWriteObject();
  }

  // readObject() correctly enforces checks during deserialization
  private void readObject(ObjectInputStream in)
      throws IOException, ClassNotFoundException {
    in.defaultReadObject();
    // If the deserialized name does not match the default value normally
    // created at construction time, duplicate the checks
    if (!UNKNOWN.equals(town)) {
      performSecurityManagerCheck();
      validateInput(town);
    }
  }
}
```
Refer to SEC08-J. Protect sensitive operations with security manager checks to learn how to implement the performSecurityManagerCheck() method. As with void SER04-J. Validate deserialized objects, it is important to protect against the finalizer attack.
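The following self-contained program, added here as an illustration and not part of the original rule text, shows why the duplicated checks in readObject() matter: an object whose state arrives from a stream never passes through the constructor, so a stream whose field was altered in transit is caught only by the re-validation in readObject(). The permission name, the validation policy (letters and spaces only) and the Hometown field layout are assumptions of this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public final class HometownDemo {
  // Hypothetical value class shaped like the page's Hometown: the same checks
  // run in the constructor, in writeObject() and in readObject().
  static final class Hometown implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final String UNKNOWN = "UNKNOWN";
    private String town = UNKNOWN;

    Hometown(String town) { performSecurityManagerCheck(); validateInput(town); this.town = town; }
    private static void performSecurityManagerCheck() {
      SecurityManager sm = System.getSecurityManager(); // null when no manager is installed
      if (sm != null) sm.checkPermission(new RuntimePermission("accessHometown")); // hypothetical name
    }
    private static void validateInput(String t) { // hypothetical policy: letters and spaces only
      if (t == null || !t.matches("[A-Za-z ]+")) throw new IllegalArgumentException("bad town: " + t);
    }
    private void writeObject(ObjectOutputStream out) throws IOException {
      performSecurityManagerCheck();
      out.defaultWriteObject();
    }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
      in.defaultReadObject(); // 'town' now holds whatever the stream said; the constructor never ran
      if (!UNKNOWN.equals(town)) {
        performSecurityManagerCheck();
        try { validateInput(town); } catch (IllegalArgumentException e) { throw new InvalidObjectException(e.getMessage()); }
      }
    }
  }

  public static void main(String[] args) throws Exception {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Hometown("Springfield")); }
    byte[] good = bos.toByteArray();
    // Constructed tampered stream: overwrite the UTF payload in place (same length,
    // so its length prefix stays valid) with a value the constructor would reject.
    byte[] bad = good.clone();
    int at = new String(good, StandardCharsets.ISO_8859_1).indexOf("Springfield");
    System.arraycopy("Spr1ngfield".getBytes(StandardCharsets.ISO_8859_1), 0, bad, at, 11);
    for (byte[] stream : new byte[][] {good, bad}) {
      try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
        System.out.println("accepted: " + ((Hometown) in.readObject()).town);
      } catch (InvalidObjectException e) {
        System.out.println("rejected: " + e.getMessage()); // only the tampered stream lands here
      }
    }
  }
}
```

Without the re-validation in readObject(), the second stream would deserialize into a Hometown holding a value the constructor would never have accepted.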
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
...