...
It is still possible for an attacker to obtain uninitialized instances of SensitiveClass by catching NotSerializableException or by using a finalizer attack (see OBJ11-J. Be wary of letting constructors throw exceptions for more information). By the time readObject throws, the JVM has already allocated the object and run the no-argument constructor of its first unserializable superclass, so a partially constructed instance exists even though the constructor of SensitiveClass itself never ran. Therefore any object of an unserializable class that extends a serializable class must always validate its fields' invariants before executing any methods. That is, any object of such a class must inspect its fields, its actual type (to prevent it being a malicious subclass), and any invariants it possesses (such as being a malicious second object of a singleton class).
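The following Java class puts those three checks into code. It is an added example, not code from the CERT page: the names SerializableBase, Sensitive, secretLength and allocateWithoutConstructor are assumptions made here for illustration, and the sun.reflect.ReflectionFactory call is a test-harness stand-in for the half-built object that deserialization leaves behind when readObject throws (the real attacker routes are the ones the text names).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.lang.reflect.Constructor;

public class GuardedSensitiveDemo {

    // Stand-in for the serializable superclass (assumed here; the page does not show its own).
    static class SerializableBase implements Serializable {
        private static final long serialVersionUID = 1L;
        protected String label = "base";
    }

    // Unserializable subclass of a serializable class. It is final (no malicious subclass,
    // no finalizer attack), refuses both serialization directions, and re-checks its
    // invariants at the top of every method instead of trusting that its constructor ran.
    static final class Sensitive extends SerializableBase {
        private static final long serialVersionUID = 1L;
        private static final Sensitive INSTANCE = new Sensitive("top-secret");

        private final String secret;
        private final boolean initialized; // stays false on any instance that bypassed the constructor

        private Sensitive(String secret) {
            if (secret == null || secret.isEmpty()) {
                throw new IllegalArgumentException("secret must be non-empty");
            }
            this.secret = secret;
            this.initialized = true;
        }

        static Sensitive getInstance() {
            return INSTANCE;
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException(Sensitive.class.getName());
        }

        private void readObject(ObjectInputStream in) throws IOException {
            throw new NotSerializableException(Sensitive.class.getName());
        }

        // Called instead of readObject when a stream omits this class's data entirely.
        private void readObjectNoData() throws ObjectStreamException {
            throw new InvalidObjectException(Sensitive.class.getName() + " cannot be deserialized");
        }

        // The three checks the text lists: field state, actual runtime type, singleton identity.
        private void checkInvariants() {
            if (!initialized || secret == null) {
                throw new SecurityException("uninitialized instance of Sensitive");
            }
            if (getClass() != Sensitive.class) { // redundant with final; kept as defence in depth
                throw new SecurityException("unexpected subclass " + getClass().getName());
            }
            if (this != INSTANCE) {
                throw new SecurityException("second instance of singleton Sensitive");
            }
        }

        int secretLength() {
            checkInvariants();
            return secret.length();
        }
    }

    // Attempts to serialize; the writeObject hook throws before the secret field is written.
    static boolean serializationRefused(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return false;
        } catch (NotSerializableException expected) {
            return true;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    // Allocates Sensitive the way ObjectInputStream does (only Object's constructor runs).
    // This simulates the half-built object left behind when readObject throws; it is a
    // test harness, not an attack. Assumption: sun.reflect.ReflectionFactory (jdk.unsupported)
    // is available, as it is on standard JDKs.
    static Sensitive allocateWithoutConstructor() throws Exception {
        Constructor<?> objectCtor = Object.class.getDeclaredConstructor();
        Constructor<?> allocator = sun.reflect.ReflectionFactory.getReflectionFactory()
                .newConstructorForSerialization(Sensitive.class, objectCtor);
        return (Sensitive) allocator.newInstance();
    }

    public static void main(String[] args) throws Exception {
        Sensitive real = Sensitive.getInstance();
        System.out.println("real instance secret length: " + real.secretLength());
        System.out.println("serialization refused: " + serializationRefused(real));

        Sensitive ghost = allocateWithoutConstructor();
        try {
            ghost.secretLength();
            System.out.println("BUG: uninitialized instance was usable");
        } catch (SecurityException e) {
            System.out.println("guard rejected ghost instance: " + e.getMessage());
        }
    }
}
```

Running main shows the real singleton working, serialization being refused, and the constructor-less instance rejected by checkInvariants before secret is touched. The initialized flag is what makes the field check robust: a half-built object has default values in every field, so a final boolean that only the constructor sets to true is a reliable marker, and the readObjectNoData hook closes the case where a crafted stream simply omits this class's data rather than triggering readObject.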
Exceptions
SER03-EX0: Sensitive data that has been properly encrypted may be serialized.
...
...