...
In this noncompliant code example, security manager checks are used within the constructor but are omitted from the writeObject() and readObject() methods that are used in the serialization-deserialization process. This allows untrusted code to maliciously create instances of the class. Despite the security manager checks, the data is not considered sensitive, as a sensitive serializable class would violate SER03-J. Do not serialize unencrypted, sensitive data.
We assume that AccessDeniedException and InvalidInputException are both security exceptions, and hence are not checked. So any method can throw them without requiring a throws declaration.
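The following is an added example, not code from the CERT page: a hypothetical Account class and a hypothetical permission name show how the same security manager check guards both the constructor and the serialization hooks, so that deserialization cannot bypass it.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Permission;

// Added example (not from the CERT page). Account and the permission name
// "example.createAccount" are hypothetical.
public final class Account implements Serializable {
    private static final long serialVersionUID = 1L;

    // Hypothetical permission guarding creation of Account instances.
    private static final Permission CREATE =
        new RuntimePermission("example.createAccount");

    private final String owner;

    public Account(String owner) {
        checkPermission();   // guard on the ordinary construction path
        this.owner = owner;
    }

    // Deserialization of a Serializable class does NOT run this class's
    // constructor; it runs readObject() instead. In the noncompliant form,
    // writeObject()/readObject() omit checkPermission(), so untrusted code
    // can obtain an Account purely from a byte stream. Here the guard is
    // repeated on both serialization paths.
    private void writeObject(ObjectOutputStream out) throws IOException {
        checkPermission();
        out.defaultWriteObject();
    }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        checkPermission();
        in.defaultReadObject();
    }

    private static void checkPermission() {
        // Throws a SecurityException (unchecked) when a security manager is
        // installed and its policy denies the permission.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CREATE);
        }
    }

    public String getOwner() {
        return owner;
    }
}
```

SecurityManager and System.getSecurityManager() are deprecated for removal since Java 17, so this compiles with a deprecation warning on current releases and only enforces anything when a security manager is actually installed.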
...