Object serialization allows an object's state to be saved as a sequence of bytes and reconstituted at a later time. The primary application of serialization is Java Remote Method Invocation (RMI), in which objects must be packed and unpacked as they are exchanged between distributed virtual machines. It is also used extensively in JavaBeans.
The Java language's access control mechanisms are ineffective once a class is serialized. Consequently, any sensitive data that was originally protected by access qualifiers (such as the private keyword) is exposed. Moreover, the security manager provides no checks that guarantee the integrity of the serialized data.
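The following is an added example (not code from the original guideline) that makes the point concrete: a private field is protected only while the object is live, and default serialization writes its value into the byte stream in the clear. The class names, field names and the password value are constructed for illustration. The example serializes a leaky class and a hardened variant that marks the sensitive field transient, then searches the resulting bytes for the secret; the secret is found in the first stream and absent from the second.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializationLeakDemo {

    // Constructed example: 'private' restricts access from other code,
    // but default serialization still writes every non-transient field.
    static final class Credentials implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String user;
        private final String password; // sensitive, yet serialized verbatim

        Credentials(String user, String password) {
            this.user = user;
            this.password = password;
        }
    }

    // Hardened variant: a transient field is skipped by default serialization,
    // so the secret never reaches the stream (it must be re-established on
    // deserialization by other means, e.g. in readObject).
    static final class SafeCredentials implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String user;
        private transient String password;

        SafeCredentials(String user, String password) {
            this.user = user;
            this.password = password;
        }
    }

    // Serialize any object into a byte array using the default mechanism.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Strings are written as modified UTF-8, which for ASCII is one byte per
    // character, so an ISO-8859-1 decode lets us search the raw bytes directly.
    static boolean streamContains(byte[] data, String needle) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws IOException {
        String secret = "constructed-secret-value";
        byte[] leaky = serialize(new Credentials("alice", secret));
        byte[] safe = serialize(new SafeCredentials("alice", secret));

        System.out.println("private field present in stream:   "
                + streamContains(leaky, secret));
        System.out.println("transient field present in stream: "
                + streamContains(safe, secret));
    }
}
```

Marking a field transient is the simplest mitigation; where the field must survive serialization, a custom writeObject/readObject pair that encrypts or otherwise protects the value is the alternative, and neither approach relies on the security manager, which does not inspect the contents of the stream.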
...