JEP 187: Serialization 2.0
Florian Weimer
fweimer at redhat.com
Wed Jan 22 13:57:20 UTC 2014
On 01/14/2014 01:26 AM, mark.reinhold at oracle.com wrote:
> Posted: http://openjdk.java.net/jeps/187
There's another aspect of the current approach to serialization that is
not mentioned: the type information does not come from the calling
context, but exclusively from the input stream. This means that all
serializable classes can be instantiated, and not just those the context
is prepared to deal with. I don't know if this is worth changing, but I
do think it's something to consider.
--
Florian Weimer / Red Hat Product Security Team
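As an added illustration of the point made in the message above (this is example code, not part of the original post or of JEP 187), the following shows how a caller can make the calling context, rather than the stream, decide which classes a deserialization is allowed to instantiate, by overriding resolveClass with an allowlist derived from the type the caller expects. The class and method names are my own.

```java
import java.io.*;
import java.util.*;

public class ContextBoundDeserialization {
    // The calling context, not the stream, decides which classes may be instantiated; rejection
    // happens before the class is loaded and before any readObject method of it could run.
    static final class RestrictedObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        RestrictedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not expected by the calling context");
            }
            return super.resolveClass(desc);
        }
    }
    // The stream carries one descriptor per serializable class in the hierarchy (Integer and Number
    // for an Integer), so the expected type's serializable superclasses are allowed too; serializable
    // field types of a richer expected type would have to be added by the caller in the same way.
    static Set<String> serializableHierarchy(Class<?> type) {
        Set<String> names = new HashSet<>();
        for (Class<?> c = type; c != null && Serializable.class.isAssignableFrom(c); c = c.getSuperclass()) {
            names.add(c.getName());
        }
        return names;
    }

    static <T> T readExpected(byte[] data, Class<T> expected) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(
                new ByteArrayInputStream(data), serializableHierarchy(expected))) {
            return expected.cast(in.readObject());
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream(); // constructed sample input
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(Integer.valueOf(42));
        }
        byte[] data = bos.toByteArray();
        System.out.println(readExpected(data, Integer.class)); // prints 42
        try {
            readExpected(data, String.class); // same bytes, but this context expects a String
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Later JDKs added a built-in hook for the same purpose, ObjectInputFilter (JEP 290), which avoids subclassing ObjectInputStream.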