...
In this compliant solution, the readObject() method throws an exception unless the deserialization is protected by a whitelist. Note that this compliant solution for SER13-J is complementary to the compliant solution in SER12-J, Prevent deserialization of untrusted data. In that compliant solution for SER12-J, the source code location that invokes deserialization is modified to use a custom subclass of ObjectInputStream. This subclass overrides the resolveClass() method to check whether the class of the serialized object is whitelisted before that class's readObject() method gets called. In contrast, in the following compliant solution, the presence of a whitelist is checked inside the readObject() method of the dangerous serializable class. We do not need to verify that the whitelist actually contains the class, because if it did not, the readObject() method would never get executed.
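The following is an added example, not the CERT compliant solution itself, showing how the two checks described above fit together: a SER12-J style ObjectInputStream subclass that enforces a whitelist in resolveClass(), and a SER13-J style serializable class whose readObject() refuses to run unless it is being read by that whitelisting stream. The class names WhitelistedObjectInputStream, SensitiveRecord and WhitelistDemo are assumptions for this example; the main method exercises the three outcomes (whitelisted stream, plain stream, and a whitelist that omits the class).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/** Assumed name: SER12-J style stream that enforces a class whitelist in resolveClass(). */
class WhitelistedObjectInputStream extends ObjectInputStream {
    private final Set<String> whitelist;

    WhitelistedObjectInputStream(InputStream in, Set<String> whitelist) throws IOException {
        super(in);
        this.whitelist = whitelist;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Reject any class not explicitly allowed, before it is loaded and before
        // its readObject() could ever run.
        if (!whitelist.contains(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
}

/** Assumed name: a serializable class whose readObject() would do something sensitive. */
class SensitiveRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;

    SensitiveRecord(String name) { this.name = name; }

    String getName() { return name; }

    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        // SER13-J style check: only proceed when the caller used the whitelisting stream.
        // There is no need to look the class up in the whitelist here: if it were absent,
        // resolveClass() would already have thrown and this method would never be reached.
        if (!(ois instanceof WhitelistedObjectInputStream)) {
            throw new InvalidObjectException("Deserialization requires a whitelisted stream");
        }
        ois.defaultReadObject();
        // Any potentially dangerous work would go here, now guarded by the whitelist.
    }
}

public class WhitelistDemo {
    /** Serializes an object to a byte array (constructed input for the demo). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new SensitiveRecord("payroll"));
        Set<String> allowed = Set.of(SensitiveRecord.class.getName());

        // 1. Whitelisted stream: resolveClass() admits the class and readObject() sees
        //    the expected stream type, so deserialization succeeds.
        try (ObjectInputStream ois =
                 new WhitelistedObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            SensitiveRecord r = (SensitiveRecord) ois.readObject();
            System.out.println("whitelisted stream: " + r.getName());
        }

        // 2. Plain ObjectInputStream: the class's own readObject() refuses to proceed.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        } catch (InvalidObjectException e) {
            System.out.println("plain stream rejected: " + e.getMessage());
        }

        // 3. Whitelisting stream whose list omits the class: rejected in resolveClass(),
        //    so readObject() is never executed at all.
        try (ObjectInputStream ois =
                 new WhitelistedObjectInputStream(new ByteArrayInputStream(bytes), Set.of())) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("unlisted class rejected: " + e.getMessage());
        }
    }
}
```

Compile and run as WhitelistDemo.java (Java 9 or later for Set.of). The instanceof check in readObject() is deliberately coarse: it does not re-validate the class, it only confirms that the deserialization entry point was the whitelisting stream, which is exactly the division of labour between SER12-J and SER13-J described above.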
...