...
```java
public final class Hometown implements Serializable {
  // ... all methods the same except the following:

  // writeObject() correctly enforces checks during serialization
  private void writeObject(ObjectOutputStream out) throws IOException {
    performSecurityManagerCheck();
    out.writeObject(town);
  }

  // readObject() correctly enforces checks during deserialization
  // (defaultReadObject() also declares ClassNotFoundException, so it must be
  // propagated here for the method to compile)
  private void readObject(ObjectInputStream in)
      throws IOException, ClassNotFoundException {
    in.defaultReadObject();
    // If the deserialized name does not match the default value normally
    // created at construction time, duplicate the checks
    if (!UNKNOWN.equals(town)) {
      performSecurityManagerCheck();
      validateInput(town);
    }
  }
}
```
Refer to rule SEC03-J. Protect sensitive operations with security manager checks to learn about implementing the performSecurityManagerCheck() method. As with rule SER04-J. Validate deserialized objects, it is important to protect against the finalizer attack.
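The following is an added, self-contained example (not the CERT page's own code) that fills in the parts the compliant solution only names: an assumed `performSecurityManagerCheck()` that consults the installed `SecurityManager` for an assumed `RuntimePermission("hometown.access")`, an assumed `validateInput()` whitelist, and a harness that round-trips an object and then shows `readObject()` rejecting a stream whose field content never went through the setter. It pairs `defaultWriteObject()` with `defaultReadObject()` so the two methods read and write the same field data; the class is `final` (as on the page) so a subclass cannot add a `finalize()` that resurrects a rejected instance. Note that `SecurityManager` is deprecated for removal since Java 17, so with no manager installed the permission check is a no-op and only the input validation fires.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;

public final class HometownDemo {

  public static final class Hometown implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final String UNKNOWN = "UNKNOWN";
    // Assumed permission name for this demo only.
    private static final RuntimePermission PERM = new RuntimePermission("hometown.access");

    private String town;

    public Hometown() {
      this.town = UNKNOWN;
    }

    public void setTown(String newTown) {
      performSecurityManagerCheck();
      validateInput(newTown);
      this.town = newTown;
    }

    public String getTown() {
      return town;
    }

    // Assumed implementation: defer to the installed SecurityManager, if any.
    private static void performSecurityManagerCheck() {
      SecurityManager sm = System.getSecurityManager();
      if (sm != null) {
        sm.checkPermission(PERM);
      }
    }

    // Assumed implementation: the same whitelist the setter enforces.
    private static void validateInput(String value) {
      if (value == null || value.isEmpty() || value.length() > 64
          || !value.chars().allMatch(c -> Character.isLetter(c) || c == ' ' || c == '-')) {
        throw new IllegalArgumentException("invalid town name");
      }
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
      performSecurityManagerCheck();
      out.defaultWriteObject();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
      in.defaultReadObject();
      // The constructor does not run on deserialization, so any value other than
      // the construction-time default must pass the same checks the setter applies.
      if (!UNKNOWN.equals(town)) {
        performSecurityManagerCheck();
        try {
          validateInput(town);
        } catch (IllegalArgumentException e) {
          // Reject the whole stream instead of letting an unchecked object escape.
          throw new InvalidObjectException("rejected town: " + e.getMessage());
        }
      }
    }
  }

  private static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(o);
    }
    return bos.toByteArray();
  }

  private static Hometown deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
      return (Hometown) ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    Hometown h = new Hometown();
    h.setTown("Pittsburgh");
    System.out.println("round trip: " + deserialize(serialize(h)).getTown());

    // Constructed bad case: bypass the setter so the serialized field holds a value
    // that never passed validateInput(), standing in for a stream built by hand.
    Hometown bad = new Hometown();
    Field f = Hometown.class.getDeclaredField("town");
    f.setAccessible(true);
    f.set(bad, "<script>");
    try {
      deserialize(serialize(bad));
      System.out.println("ERROR: invalid town accepted");
    } catch (InvalidObjectException e) {
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```

Compile and run with `javac HometownDemo.java && java HometownDemo`; the first line shows the valid object surviving the round trip, the second shows `readObject()` refusing the tampered stream.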
...
| [Long 2005] | Section 2.4, Serialization |
| [SCG 2007] | Guideline 5-3 Duplicate the SecurityManager checks enforced in a class during serialization and deserialization |
...