Serialization is dangerous because it allows adversaries to get their hands on the internal state of objects. An adversary can serialize one of your objects into a byte array that can be read. This allows the adversary to inspect the full internal state of the object, including any fields marked private, and including the internal state of any objects it references.

To prevent this, we can make the object impossible to serialize. To achieve this goal, we throw an IOException from the writeObject() method:
    // ObjectOutputStream looks up this exact private signature by reflection
    // and calls it instead of its default field-by-field writer, so the
    // method must stay private and keep this parameter type.
    private final void writeObject(java.io.ObjectOutputStream out)
            throws java.io.IOException {
        throw new java.io.IOException("Object cannot be serialized");
    }
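The following is an added example, not code from the original post. It shows both halves of the argument above: a plain Serializable class whose private field can be found verbatim in its serialized bytes, and the same data guarded by a throwing writeObject() (plus a matching readObject() so a crafted stream cannot rebuild the object either). The class names and the sample key value are constructed for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializationDemo {
    // Ordinary Serializable class: private fields are written out as-is.
    static class LeakyToken implements Serializable {
        private final String apiKey;
        LeakyToken(String apiKey) { this.apiKey = apiKey; }
    }

    // Same data, but serialization is refused outright.
    static class GuardedToken implements Serializable {
        private final String apiKey;
        GuardedToken(String apiKey) { this.apiKey = apiKey; }
        // ObjectOutputStream finds this exact private signature by reflection
        // and calls it instead of the default field-by-field writer.
        private void writeObject(ObjectOutputStream out) throws IOException {
            throw new IOException("Object cannot be serialized");
        }
        // Refuse the reverse direction too, so a crafted stream cannot rebuild one.
        private void readObject(ObjectInputStream in) throws IOException {
            throw new IOException("Object cannot be deserialized");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        String secret = "sk-demo-0000"; // constructed sample value
        byte[] leaked = serialize(new LeakyToken(secret));
        // The private field sits in clear text inside the serialized bytes.
        String dump = new String(leaked, StandardCharsets.ISO_8859_1);
        System.out.println("private field visible in bytes: " + dump.contains(secret));
        try {
            serialize(new GuardedToken(secret));
        } catch (IOException e) {
            System.out.println("guarded: " + e.getMessage());
        }
    }
}
```

Running it prints `true` for the leaky class and the "Object cannot be serialized" message for the guarded one.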