A Serializable class can overload the readObject() method, which is called when an object of that class is being deserialized. Both this method and the readResolve() method must treat the serialized data as potentially malicious and must refrain from performing potentially dangerous operations, unless the programmer has expressly whitelisted the class for the particular deserialization at hand. When deserialization is performed without a whitelist, it is a violation of this rule to perform any potentially dangerous operations.
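The following is an added example, not code from the coding standard itself: a hypothetical Serializable class whose readObject() does nothing beyond restoring fields and checking its own invariant, together with a caller that whitelists that single class through a Java 9+ ObjectInputFilter so that no other class's readObject() or readResolve() can run. The class name Limits, its field, and the demo harness are assumptions made for illustration.

```java
import java.io.*;

public final class SafeDeserializationDemo {

    // Hypothetical class (not from the standard). Its readObject() performs no
    // file, network, reflection or process operations: it only restores the
    // default fields and rejects state that violates the class invariant.
    public static final class Limits implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int maxRetries;
        Limits(int maxRetries) { this.maxRetries = maxRetries; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (maxRetries < 0 || maxRetries > 10) {
                throw new InvalidObjectException("maxRetries out of range: " + maxRetries);
            }
        }
        int maxRetries() { return maxRetries; }
    }

    // Whitelist (Java 9+ ObjectInputFilter): only Limits may be deserialized.
    // Every other class is rejected before its readObject()/readResolve() runs.
    static Limits deserializeLimits(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Limits.class.getName() + ";!*"));
            return (Limits) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(deserializeLimits(serialize(new Limits(3))).maxRetries());
        try {
            deserializeLimits(serialize(new java.util.Date())); // not whitelisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second call fails with an InvalidClassException from the filter rather than reaching any deserialization hook of the rejected class, which is the point of whitelisting before, not inside, readObject().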
...