...
```java
// Point.java
public class Point {
  private transient double x; // declared transient: never written to the stream
  private transient double y; // declared transient: never written to the stream

  public Point(double x, double y) {
    this.x = x;
    this.y = y;
  }

  public Point() {
    // No-argument constructor: Point itself is not Serializable, so this
    // constructor is what runs when a serializable subclass is deserialized
  }
}
```

```java
// Coordinates.java
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class Coordinates extends Point implements Serializable {
  public Coordinates(double x, double y) {
    super(x, y);
  }

  public static void main(String[] args) {
    // Serialize a Coordinates instance, not a bare Point: Point does not
    // implement Serializable, so writeObject(new Point(5, 2)) would throw
    // NotSerializableException. The transient x and y are left out of the stream.
    Point p = new Coordinates(5, 2);
    try (FileOutputStream fout = new FileOutputStream("point.ser");
         ObjectOutputStream oout = new ObjectOutputStream(fout)) {
      oout.writeObject(p);
    } catch (Exception e) {
      System.err.println(e);
    }
  }
}
```
Other solutions include custom implementations of the writeObject(), writeReplace() and writeExternal() methods such that sensitive fields are not written to the serialized stream, or, alternatively, performing proper validation checks while deserializing (in a custom readObject() method, before the values read from the stream are assigned to fields). Yet another remediation is to define the serialPersistentFields array field and ensure that sensitive fields are not added to the array; the default serialization mechanism then writes only the fields listed there. Sometimes it is necessary to prevent a serializable object (whose superclass implements Serializable, so the subclass inherits serializability) from being serialized. This can be achieved by throwing a NotSerializableException from the custom writeObject() method.
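The following is an added example, not code from the original page: a hypothetical Credential class combines the remediations above. Its serialPersistentFields array omits the secret field, a custom writeObject() writes only the listed fields through PutField, readObject() validates the stream data before assigning it, and a subclass that inherits Serializable refuses serialization by throwing NotSerializableException. The class names, field names and sample values are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Hypothetical class for illustration: "secret" must never reach the stream.
class Credential implements Serializable {
  private static final long serialVersionUID = 1L;

  // Only the fields listed here form the serialized representation;
  // "secret" is deliberately absent, so default serialization cannot write it.
  private static final ObjectStreamField[] serialPersistentFields = {
    new ObjectStreamField("username", String.class),
    new ObjectStreamField("age", int.class)
  };

  private String username;
  private int age;
  private String secret; // sensitive: not in serialPersistentFields

  Credential(String username, int age, String secret) {
    this.username = username;
    this.age = age;
    this.secret = secret;
  }

  private void writeObject(ObjectOutputStream out) throws IOException {
    ObjectOutputStream.PutField fields = out.putFields();
    fields.put("username", username);
    fields.put("age", age);
    out.writeFields(); // writes exactly the fields named in serialPersistentFields
  }

  private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    ObjectInputStream.GetField fields = in.readFields();
    String u = (String) fields.get("username", null);
    int a = fields.get("age", -1);
    // Validate before assigning: the stream contents are attacker-controlled.
    if (u == null || u.isEmpty() || a < 0 || a > 150) {
      throw new InvalidObjectException("invalid Credential state in stream");
    }
    username = u;
    age = a;
    secret = null; // must be re-established out of band, never taken from the stream
  }

  String getUsername() { return username; }
  String getSecret() { return secret; }
}

// Serializable only by inheritance; this subclass refuses to be serialized at all.
class UnserializableCredential extends Credential {
  private static final long serialVersionUID = 1L;

  UnserializableCredential(String u, int a, String s) { super(u, a, s); }

  private void writeObject(ObjectOutputStream out) throws IOException {
    throw new NotSerializableException(getClass().getName());
  }

  private void readObject(ObjectInputStream in) throws IOException {
    throw new NotSerializableException(getClass().getName());
  }
}

public class SerializationDemo {
  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(o);
    }
    return bos.toByteArray();
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values, not real credentials.
    byte[] bytes = serialize(new Credential("alice", 30, "hunter2"));
    String dump = new String(bytes, StandardCharsets.ISO_8859_1);
    System.out.println("stream contains username? " + dump.contains("alice"));   // true
    System.out.println("stream contains secret?   " + dump.contains("hunter2")); // false

    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
      Credential back = (Credential) ois.readObject();
      System.out.println("restored " + back.getUsername() + ", secret=" + back.getSecret());
    }

    try {
      serialize(new UnserializableCredential("bob", 40, "s3cr3t"));
    } catch (NotSerializableException e) {
      System.out.println("refused to serialize " + e.getMessage());
    }
  }
}
```

Scanning the raw stream bytes for the secret, as main() does here, is a cheap check worth keeping in a unit test: it catches a sensitive field that was added later without being kept out of serialPersistentFields. Note that the superclass writeObject() runs before the subclass's, so the NotSerializableException from UnserializableCredential is thrown after Credential's fields have already been written; the caller still receives the exception and no usable stream.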
...