...

A non-serializable or serializable class can be extended, and its subclass can either be made serializable or becomes so automatically when the superclass is serializable. During deserialization of the subclass, the JVM calls the no-argument constructor of the most derived superclass that does not implement java.io.Serializable, either directly or indirectly. In the code snippet that immediately follows, class A's no-argument constructor is called when C is deserialized, because A does not implement Serializable; Object's constructor is then invoked. This sequence cannot be expressed in Java source code, so the JVM generates the equivalent bytecode at runtime. Normally, when a subclass invokes its superclass's constructor, the subclass's constructor frame remains on the stack. During deserialization this does not happen: only the generated, unvalidated bytecode is present. Consequently, any security check within the superclass's constructor can be bypassed.

Code Block

import java.io.Serializable;

class A { // has Object as superclass; does not implement Serializable
  A(int x) { }
  A() { }   // invoked by the JVM when B or C is deserialized
}

class B extends A implements Serializable {
  B(int x) { super(x); }
}

class C extends B { // serializable automatically, because B is
  C(int x) { super(x); }
}

's constructor (for instance, if class A derives from class B, which in turn derives from class C, class C's constructor will be executed when A is deserialized; if B implements Serializable, A need not implement it) and proceeds to call Object's constructor. Subsequently, the fields of the subclass are deserialized. At this point there is no subclass code on the stack, and the most derived superclass's constructor is executed without restriction, since doPrivileged() allows the immediate caller to exert its full privileges. Because the immediate caller, java.util.Calendar, is trusted, it exhibits full system privileges.
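The behaviour described above, as an added example that is not code from the original page: a hypothetical non-serializable superclass Guarded whose validating constructor is skipped on deserialization, and a hypothetical serializable subclass Ticket that re-validates the inherited state in readObject.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Non-serializable superclass: only its no-argument constructor runs on deserialization,
// and its fields are not part of the serialized form.
class Guarded {
    protected final int limit;
    Guarded(int limit) {                 // validating constructor, used by normal construction
        if (limit <= 0) throw new IllegalArgumentException("limit must be positive");
        this.limit = limit;
        System.out.println("Guarded(int) ran: check performed");
    }
    Guarded() {                          // the constructor the JVM invokes when a subclass is deserialized
        this.limit = 0;                  // no check here, and the original limit is not restored
        System.out.println("Guarded() ran: no check performed");
    }
}

// Serializable subclass: its own fields are restored, the superclass's are not.
class Ticket extends Guarded implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String owner;
    Ticket(int limit, String owner) { super(limit); this.owner = owner; }
    // Defensive measure: re-validate inherited state, because Guarded(int) never ran.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        System.out.println("limit seen by readObject: " + limit);   // the value Guarded() assigned
        if (limit <= 0) throw new InvalidObjectException("inherited state not validated for " + owner);
    }
}

public class DeserializationConstructorDemo {
    public static void main(String[] args) throws Exception {
        Ticket t = new Ticket(5, "alice");                        // Guarded(int) runs here
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(t); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            in.readObject();                                      // Guarded() runs instead, then readObject
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());   // the readObject check fires
        }
    }
}
```

Removing the readObject check lets the deserialized Ticket through with the limit that Guarded() assigned rather than the validated one, which is the bypass the text describes.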

...