You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 57 Next »

The readObject() method must not call any overridable methods. Invoking overridable methods from the readObject() method can provide the overriding method with access to the object's state before it is fully initialized. This premature access is possible because, in deserialization, readObject plays the role of object constructor and therefore object initialization is not complete until readObject exits.

Also see the related rule MET06-J. Do not invoke overridable methods in clone().

Noncompliant Code Example

This noncompliant code example invokes an overridable method from the readObject() method.

private void readObject(final ObjectInputStream stream)
                        throws IOException, ClassNotFoundException {
  overridableMethod(); 
  stream.defaultReadObject();
}

public void overridableMethod() {
  // ...
}

Compliant Solution

This compliant solution removes the call to the overridable method. When removing such calls is infeasible, declare the method private or final.

private void readObject(final ObjectInputStream stream)
                        throws IOException, ClassNotFoundException {
  stream.defaultReadObject();
}

Exceptions

SER09-EX0: The readObject() method may invoke the overridable methods defaultReadObject() and readFields() in class java.io.ObjectInputStream [SCG 2009].

Risk Assessment

Invoking overridable methods from the readObject() method can lead to initialization errors.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER09-J

low

probable

medium

P4

L3

Related Guidelines

Secure Coding Guidelines for the Java Programming Language, Version 3.0

Guideline 4-4. Prevent constructors from calling methods that can be overridden

Bibliography

[API 2006]

 

[Bloch 2008]

Item 17. Design and document for inheritance or else prohibit it


      13. Serialization (SER)      

  • No labels