...
Undue serialization of the subclass can be prohibited by throwing a `NotSerializableException` from a custom `writeObject()` method or the `readResolve()` method, defined in the subclass `SensitiveClass`. Ideally, extending a class or interface that implements `Serializable` should be avoided. It is also required to declare the methods `final` to prevent a malicious subclass from overriding the method.
```java
private final Object readResolve() throws NotSerializableException {
  throw new NotSerializableException();
}
```
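The following is an added, self-contained example (not code from the original guideline) showing both guards in place: a hypothetical `Base` class that implements `Serializable`, a `SensitiveClass` subclass that refuses to be written via `writeObject()` and refuses to be reconstituted via `readResolve()`, and a small check that confirms `ObjectOutputStream` rejects the sensitive object while still accepting the base class. The class names, the `secret` field and the `serializationIsBlocked` helper are assumptions made for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical superclass that implements Serializable (constructed for this example).
class Base implements Serializable {
    private static final long serialVersionUID = 1L;
    protected String label = "base";
}

// Subclass whose state must never reach a stream. Declared final so no further
// subclass can reintroduce serialization of the inherited Serializable contract.
final class SensitiveClass extends Base {
    private static final long serialVersionUID = 1L;
    private final char[] secret; // sensitive state (constructed sample)

    SensitiveClass(char[] secret) {
        this.secret = secret.clone();
    }

    // Invoked by ObjectOutputStream when this object is written. Throwing here
    // means not a single byte of the object's fields is emitted.
    private final void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException("SensitiveClass must not be serialized");
    }

    // Invoked by ObjectInputStream after the object has been read from a stream
    // (e.g. one forged without going through writeObject). Throwing here prevents
    // the reconstituted instance from ever being handed to the caller.
    private final Object readResolve() throws NotSerializableException {
        throw new NotSerializableException("SensitiveClass must not be deserialized");
    }
}

public class SerializationGuardDemo {
    // Tries to serialize the object into memory and reports whether the guard
    // rejected it. Any other I/O failure is unexpected and is surfaced as such.
    static boolean serializationIsBlocked(Object o) {
        try (ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream())) {
            oos.writeObject(o);
            return false;               // object was written: no guard in effect
        } catch (NotSerializableException e) {
            return true;                // guard fired as intended
        } catch (IOException e) {
            throw new IllegalStateException("unexpected I/O failure", e);
        }
    }

    public static void main(String[] args) {
        Base plain = new Base();
        SensitiveClass sensitive = new SensitiveClass("constructed-sample".toCharArray());

        System.out.println("Base blocked?           " + serializationIsBlocked(plain));     // false
        System.out.println("SensitiveClass blocked? " + serializationIsBlocked(sensitive)); // true
    }
}
```

The `writeObject()` guard is the one you can observe directly, since it fires before any state is written; the `readResolve()` guard only matters for a stream that was produced some other way, which is exactly why keeping both is worthwhile. Note that `ObjectOutputStream` locates `writeObject()` and `readResolve()` reflectively, so they take effect even though they are declared `private`.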
...