Versions Compared

...

In this noncompliant example, the security manager check is performed in the constructor but is not replicated in the readObject and writeObject methods that run during serialization and deserialization. Because deserialization reconstructs an object without invoking its constructor, an attacker can obtain an instance of the class that was never subjected to the security manager check simply by deserializing a crafted or previously serialized byte stream.
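The following is an added illustration of the pattern the paragraph describes, not code from the original page. The class name, the field, and the hypothetical runtime permission "example.privileged" are assumptions chosen for the example. The constructor shows where the check normally sits; the private writeObject and readObject hooks show the fix the text calls for, namely repeating the same check before any field is written or read, so that the serialized form cannot be used to sidestep the constructor. On Java 17 and later, SecurityManager is deprecated for removal, so this compiles with a deprecation warning, and running it with a manager installed requires the JVM to allow one.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Permission;

// Added example (not the page's own code). The permission name below is a
// hypothetical one; any permission enforced by the installed SecurityManager
// behaves the same way.
public class PrivilegedRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final Permission PERM =
        new RuntimePermission("example.privileged");

    private final String secret;

    // The check that the noncompliant version performs only here.
    public PrivilegedRecord(String secret) {
        check();
        this.secret = secret;
    }

    // Compliant shape: the same check is repeated in both serialization hooks.
    // Without these two methods, a serialized stream is turned back into an
    // instance without the constructor ever running, so the check is skipped.
    private void writeObject(ObjectOutputStream out) throws IOException {
        check();                 // deny writing the object out if the caller lacks PERM
        out.defaultWriteObject();
    }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        check();                 // deny reconstructing the object if the caller lacks PERM
        in.defaultReadObject();  // only reached after the check has passed
    }

    // Central check so that constructor, writeObject and readObject stay in sync.
    private static void check() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(PERM);  // throws SecurityException when denied
        }
    }

    public String getSecret() {
        return secret;
    }

    // Round trip through serialization. With no SecurityManager installed every
    // check passes; with a manager whose policy omits "example.privileged",
    // both the constructor and readObject throw SecurityException.
    public static void main(String[] args) throws Exception {
        PrivilegedRecord original = new PrivilegedRecord("constructed sample value");

        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(original);
        }

        PrivilegedRecord copy;
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            copy = (PrivilegedRecord) in.readObject();
        }
        System.out.println("deserialized: " + copy.getSecret());
    }
}
```

The point to verify in a review is that readObject and writeObject perform exactly the same check as the constructor, and that the check precedes defaultReadObject and defaultWriteObject; a check placed after the default call has already let the fields through.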

...