...
When a nonserializable class must extend a serializable one (java.lang.Number, for example, implements Serializable, so every subclass is serializable by inheritance), inappropriate serialization of the subclass can be prevented by defining writeObject(), readObject(), and readObjectNoData() in the subclass and throwing NotSerializableException from each of them. These methods must be declared private and must use exactly the signatures that ObjectOutputStream and ObjectInputStream look up reflectively; a method with the same name but a different access modifier, return type, or parameter list is silently ignored, and default serialization of the subclass proceeds. Because the methods are private, a malicious subclass cannot override them. See SER01-J. Do not deviate from the proper signatures of serialization methods for the required signatures.
```java
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;

class SensitiveClass extends Number {
  // ...

  // Exact signatures the serialization machinery looks for: private, void,
  // and the parameter lists below. Any deviation means the hook is never called.
  private void writeObject(ObjectOutputStream out) throws IOException {
    throw new NotSerializableException("SensitiveClass");
  }

  private void readObject(ObjectInputStream in)
      throws IOException, ClassNotFoundException {
    throw new NotSerializableException("SensitiveClass");
  }

  // readObjectNoData() takes no parameters.
  private void readObjectNoData() throws ObjectStreamException {
    throw new NotSerializableException("SensitiveClass");
  }
}
```
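The following added example (not code from the CERT page) contrasts a subclass of java.lang.Number that uses the correct private hooks with one that declares the hook as `protected final Object writeObject(...)`, as the page's original listing did. The class names `Secret` and `LeakySecret`, the helper `serializes()`, and the field `value` are assumptions introduced here for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;

public class PreventSerializationDemo {

  // Hypothetical nonserializable subclass of the serializable java.lang.Number.
  // The three private hooks have the exact signatures the serialization
  // machinery looks up, so every write or read attempt fails.
  static final class Secret extends Number {
    private static final long serialVersionUID = 1L;
    private final long value;

    Secret(long value) { this.value = value; }

    @Override public int intValue() { return (int) value; }
    @Override public long longValue() { return value; }
    @Override public float floatValue() { return value; }
    @Override public double doubleValue() { return value; }

    private void writeObject(ObjectOutputStream out) throws IOException {
      throw new NotSerializableException(getClass().getName());
    }

    private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
      throw new NotSerializableException(getClass().getName());
    }

    private void readObjectNoData() throws ObjectStreamException {
      throw new NotSerializableException(getClass().getName());
    }
  }

  // Same data, but the hook is declared with the wrong modifier and return type.
  // ObjectOutputStream never finds it, so default serialization writes the field.
  static final class LeakySecret extends Number {
    private static final long serialVersionUID = 1L;
    private final long value;

    LeakySecret(long value) { this.value = value; }

    @Override public int intValue() { return (int) value; }
    @Override public long longValue() { return value; }
    @Override public float floatValue() { return value; }
    @Override public double doubleValue() { return value; }

    // Ignored by the serialization machinery: not private, not void.
    protected final Object writeObject(ObjectOutputStream out)
        throws NotSerializableException {
      throw new NotSerializableException();
    }
  }

  // Attempts to serialize o into memory; reports whether the write succeeded.
  static boolean serializes(Object o) throws IOException {
    try (ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream())) {
      oos.writeObject(o);
      return true;
    } catch (NotSerializableException e) {
      return false;
    }
  }

  public static void main(String[] args) throws IOException {
    System.out.println("Secret serializes: " + serializes(new Secret(42)));
    System.out.println("LeakySecret serializes: " + serializes(new LeakySecret(42)));
  }
}
```

Running the demo shows `Secret` refusing serialization while `LeakySecret` is written without complaint, because ObjectStreamClass only registers a hook that is private, non-static, returns void, and has the expected parameter list. A quick check for any class that relies on this pattern is to serialize an instance in a unit test and assert that NotSerializableException is thrown.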
...