Explicit Serialization API and Security

Stephen Colebourne scolebourne at joda.org
Tue Jan 6 11:13:32 UTC 2015


On 6 January 2015 at 10:25, Chris Hegarty <chris.hegarty at oracle.com> wrote:
> On 6 Jan 2015, at 08:31, Stephen Colebourne <scolebourne at joda.org> wrote:
>> I've thought on a number of occasions that what I wanted from
>> serializable was a merger of readObject and readResolve
>>
>> private Object readObjectAndResolve(ObjectInputStream in) throws IOException
>
> This is an interesting idea.
>
> Just so I understand, readObject is called down the inheritance hierarchy and can read, into locals, its class's serializable fields (of course it can access its supertypes' fields that are already set), whereas just a single readResolve call is made, if it is defined by or accessible (via inheritance) by the given class.

I tend to work with shallow/no hierarchies so I've not thought too
much about the detail. I'd imagine you'd want to have
readObjectAndResolve() be a static method called only on the class
being deserialized and not superclasses. The method itself would be
responsible for any superclass deserialization. (Static because there
is no instance to call it on and it should have no access to instance
variables). It may be that the input should not be ObjectInputStream,
but some simpler but related type.

Stephen
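The two arrangements the thread compares, written out as an added example that is not code from the list message or from the JDK. `Percent` uses today's split between `readObject` (restores fields on a half-built instance, so it has to repeat the constructor's validation) and `readResolve` (substitutes the final object). `Percent2` uses a serialization proxy, the closest existing idiom to the static `readObjectAndResolve(ObjectInputStream)` sketched above: the proxy's `readResolve` runs with no instance of the target class in hand and can only produce one through the validating constructor. The class names, the 0..100 invariant and the hand-built out-of-range proxy standing in for a corrupted stream are all constructed for this example; `readObjectAndResolve` itself is hypothetical and does not exist in the JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

public final class ResolveDemo {

    // Value type with an invariant (0 <= value <= 100) enforced by the constructor.
    public static final class Percent implements Serializable {
        private static final long serialVersionUID = 1L;
        public static final Percent ZERO = new Percent(0);
        private final int value;

        public Percent(int value) {
            if (value < 0 || value > 100) {
                throw new IllegalArgumentException("out of range: " + value);
            }
            this.value = value;
        }

        // Hook 1: runs on a half-built instance; the constructor never ran,
        // so the invariant must be checked again here.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (value < 0 || value > 100) {
                throw new InvalidObjectException("out of range: " + value);
            }
        }

        // Hook 2: runs afterwards and may substitute another object (canonicalise zero).
        private Object readResolve() throws ObjectStreamException {
            return value == 0 ? ZERO : this;
        }
    }

    // Same invariant via a serialization proxy: the stream carries only a Proxy,
    // whose readResolve is the single construct-and-resolve step and has no
    // access to any Percent2 instance, much like the static hook proposed above.
    public static final class Percent2 implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int value;

        public Percent2(int value) {
            if (value < 0 || value > 100) {
                throw new IllegalArgumentException("out of range: " + value);
            }
            this.value = value;
        }

        public int value() { return value; }

        private Object writeReplace() { return new Proxy(value); }

        // A stream holding a raw Percent2 did not come from writeReplace; refuse it.
        private void readObject(ObjectInputStream in) throws InvalidObjectException {
            throw new InvalidObjectException("proxy required");
        }

        private static final class Proxy implements Serializable {
            private static final long serialVersionUID = 1L;
            private final int value;
            Proxy(int value) { this.value = value; }

            // The only way to obtain a Percent2 from the stream is the real constructor.
            private Object readResolve() throws ObjectStreamException {
                try {
                    return new Percent2(value);
                } catch (IllegalArgumentException e) {
                    InvalidObjectException ioe = new InvalidObjectException(e.getMessage());
                    ioe.initCause(e);
                    throw ioe;
                }
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Percent zero = (Percent) deserialize(serialize(new Percent(0)));
        System.out.println("canonical zero: " + (zero == Percent.ZERO));
        Percent2 p = (Percent2) deserialize(serialize(new Percent2(42)));
        System.out.println("round trip: " + p.value());
        // Constructed here to stand in for a corrupted stream: a proxy with an
        // out-of-range value is rejected by the constructor rather than accepted.
        try {
            deserialize(serialize(new Percent2.Proxy(200)));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The proxy form is what gives the property the proposal is after: there is one place where the object comes into existence and it is the ordinary constructor, so any invariant the constructor enforces holds for deserialized instances too, and a stream that bypasses the proxy is refused by the throwing `readObject`.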
