Tuesday, 10 May 2016

Make your classes nonserializeable

Serialization is dangerous because it allows adversaries to get their hands on the internal state of objects. An adversary can serialize one of your objects into a byte array that can be read. This allows the adversary to inspect the full internal state of object, including any fields marked private, and including the internal state of any objects reference.

To prevent this, we can make object impossible to serialize. To achieve this goal, we will throw IOException from writeObject() method:

private final void writeObject(ObjectOutputStream out) throws java.io.IOException {
     throw new java.io.IOException("Object cannot be serialized");

No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...