...
Allowing serialization or deserialization to bypass the security manager may result in classes being constructed without required security checks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER04-J | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft Jtest |
|
|
|
CERT. |
SER04.SCSER |
Enforce 'SecurityManager' checks in methods of 'Serializable' classes |
Related Guidelines
Guideline 8-4 / SERIAL-4: Duplicate the SecurityManager checks enforced in a class during serialization and deserialization |
Android Implementation Details
The java.security
package exists on Android for compatibility purposes only, and it should not be used.
Bibliography
Section 2.4, "Serialization" |
...
...