"An inner class is a nested class that is not explicitly or implicitly declared `static`" [JLS 2005]. Serialization of inner classes (including local and anonymous classes) is error prone. According to the Serialization Specification [Sun 2006]:

> Serialization of inner classes (i.e., nested classes that are not static member classes), including local and anonymous classes, is strongly discouraged for several reasons. Because inner classes declared in non-static contexts contain implicit non-transient references to enclosing class instances, serializing such an inner class instance will result in serialization of its associated outer class instance as well. Synthetic fields generated by `javac` (or other Java TM compilers) to implement inner classes are implementation dependent and may vary between compilers; differences in such fields can disrupt compatibility as well as result in conflicting default `serialVersionUID` values. The names assigned to local and anonymous inner classes are also implementation dependent and may differ between compilers. Since inner classes cannot declare `static` members other than compile-time constant fields, they cannot use the `serialPersistentFields` mechanism to designate serializable fields. Finally, because inner classes associated with outer instances do not have zero-argument constructors (constructors of such inner classes implicitly accept the enclosing instance as a prepended parameter), they cannot implement `Externalizable`.

The `Externalizable` interface requires the implementing object to manually save and restore its state using the `writeExternal()` and `readExternal()` methods. Consequently, programs are forbidden to serialize inner classes.
Note, however, that none of the above issues apply to `static` member classes. Consequently, serialization of `static` member classes is permitted.
In this noncompliant code example, the fields contained within the outer class are also serialized when the inner class is serialized, because every `InnerSer` instance carries an implicit reference to its enclosing `OuterSer` instance.

```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int rank;

  // Inner (non-static) class: serializing an InnerSer also writes the
  // enclosing OuterSer instance, including rank, to the stream.
  class InnerSer implements Serializable {
    protected String name;
    // ...
  }
}
```
This compliant solution omits implementation of the `Serializable` interface in the `InnerSer` class.

```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int rank;

  // InnerSer is not Serializable, so it can never be written to an object stream.
  class InnerSer {
    protected String name;
    // ...
  }
}
```
It is allowable to declare the inner class as `static` to prevent serialization of the enclosing instance. It is also permissible for a `static` member class to implement `Serializable`.

```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int rank;

  // Static member class: no implicit reference to an OuterSer instance,
  // so only InnerSer's own fields are serialized.
  static class InnerSer implements Serializable {
    protected String name;
    // ...
  }
}
```
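The following program is an added example, not part of the original rule page, that makes the three situations above observable. It serializes an inner class of a `Serializable` outer class, an inner class of a non-`Serializable` outer class, and a `static` nested class, and checks whether a constructed private field value of the outer object (`"outer-secret"`) ends up in the byte stream. The class and field names (`InnerClassSerializationDemo`, `OuterPlain`, `OuterStatic`, `secret`) are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class InnerClassSerializationDemo {

  // Noncompliant shape: Serializable outer class with a non-static inner class.
  static class OuterSer implements Serializable {
    private static final long serialVersionUID = 1L;
    private String secret = "outer-secret"; // constructed sample state

    class InnerSer implements Serializable {
      private static final long serialVersionUID = 1L;
      protected String name = "inner";
    }
  }

  // Outer class that is NOT Serializable, still declaring a Serializable inner class.
  static class OuterPlain {
    private String secret = "never-meant-for-the-wire";

    class InnerSer implements Serializable {
      private static final long serialVersionUID = 1L;
      protected String name = "inner";
    }
  }

  // Compliant shape: a static nested class has no reference to an enclosing instance.
  static class OuterStatic implements Serializable {
    private static final long serialVersionUID = 1L;
    private String secret = "outer-secret";

    static class Nested implements Serializable {
      private static final long serialVersionUID = 1L;
      protected String name = "nested";
    }
  }

  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(o);
    }
    return bos.toByteArray();
  }

  // Object streams write String values in modified UTF-8, so an ASCII value
  // appears verbatim in the stream; a substring search is enough here.
  static boolean streamContains(byte[] stream, String text) {
    return new String(stream, StandardCharsets.ISO_8859_1).contains(text);
  }

  public static void main(String[] args) throws Exception {
    // 1. Inner class of a Serializable outer: the outer instance rides along.
    OuterSer outer = new OuterSer();
    byte[] innerBytes = serialize(outer.new InnerSer());
    System.out.println("inner-class stream contains outer's private field: "
        + streamContains(innerBytes, "outer-secret")); // true

    // 2. Inner class of a non-Serializable outer: the implicit outer reference
    //    cannot be written, so serialization fails outright.
    OuterPlain plain = new OuterPlain();
    try {
      serialize(plain.new InnerSer());
      System.out.println("unexpected: serialized without the outer instance");
    } catch (NotSerializableException e) {
      System.out.println("NotSerializableException for: " + e.getMessage());
    }

    // 3. Static nested class: only its own state is written.
    byte[] nestedBytes = serialize(new OuterStatic.Nested());
    System.out.println("static-nested stream contains outer's private field: "
        + streamContains(nestedBytes, "outer-secret")); // false
  }
}
```

Case 1 is the leak the rule is about: nothing in `InnerSer` mentions `secret`, yet the value is on the wire because the compiler-generated outer reference is an ordinary non-transient field. Case 2 shows the same reference turning into a runtime failure when the outer class is not `Serializable`. Explicit `serialVersionUID` values are declared so the demonstration does not itself depend on the compiler-specific defaults the specification warns about.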
Attempts to serialize inner classes can introduce platform dependencies and can cause serialization of instances of the outer class.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
SER06-J | medium | likely | low | P18 | L1
Detection of inner classes that implement serialization appears to be straightforward.
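As an added example (not part of the original rule page or any CERT tool), the following reflection-based check implements that detection for member classes: it walks the classes declared inside a root class and reports every non-static nested class that is assignable to `Serializable`. The class name `SerializableInnerClassCheck` and the sample classes it inspects are constructed for the demonstration.

```java
import java.io.Serializable;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class SerializableInnerClassCheck {

  // Returns the binary names of all Serializable inner (non-static member) classes
  // declared, directly or transitively, inside root.
  static List<String> findSerializableInnerClasses(Class<?> root) {
    List<String> findings = new ArrayList<>();
    collect(root, findings);
    return findings;
  }

  private static void collect(Class<?> c, List<String> findings) {
    for (Class<?> nested : c.getDeclaredClasses()) {
      // Member interfaces and enums are implicitly static and carry no outer reference.
      boolean isInner = !Modifier.isStatic(nested.getModifiers())
          && !nested.isInterface() && !nested.isEnum();
      if (isInner && Serializable.class.isAssignableFrom(nested)) {
        findings.add(nested.getName());
      }
      collect(nested, findings); // recurse into deeper nesting levels
    }
  }

  // Constructed sample mirroring the rule's examples.
  static class OuterSer implements Serializable {
    private static final long serialVersionUID = 1L;
    private int rank;

    class InnerSer implements Serializable { // violates SER06-J: reported
      private static final long serialVersionUID = 1L;
      protected String name;
    }

    class PlainInner { } // not Serializable: not reported

    static class StaticInner implements Serializable { // static: not reported
      private static final long serialVersionUID = 1L;
    }
  }

  public static void main(String[] args) {
    List<String> hits = findSerializableInnerClasses(SerializableInnerClassCheck.class);
    for (String name : hits) {
      System.out.println("SER06-J: Serializable inner class: " + name);
    }
    // Expected single finding: SerializableInnerClassCheck$OuterSer$InnerSer
  }
}
```

One caveat for anyone building on this: `Class.getDeclaredClasses()` returns member classes only, so local and anonymous classes that implement `Serializable` are not seen by this check. Covering them requires reading the class files' `InnerClasses` attribute (for example with `javap -v` or a bytecode library), where a non-static inner class shows up without the `ACC_STATIC` flag.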
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
[API 2006]

[Bloch 2008] Item 74: "Implement serialization judiciously"

[JLS 2005] Section 8.1.3, "Inner Classes and Enclosing Instances", http://java.sun.com/docs/books/jls/third_edition/html/classes.html

[Sun 2006] "Serialization specification"