DeserializationPermission Proposal
Peter Firmstone
peter.firmstone at zeus.net.au
Tue Feb 9 04:19:54 UTC 2016
Why not, just prior to instantiating an object during deserialization, add each class's ProtectionDomain in the object's hierarchy to an AccessControlContext and pass this to the SecurityManager's two-argument checkPermission call?
This permission could never be granted to a principal, it is only ever a code trust concern. This would allow an administrator to minimise the attack surface of Serializable classes.
Just a thought,
Peter.
Sent from my Samsung device.
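A sketch of the check Peter proposes, added here as an illustration; it is not code from the post or from OpenJDK. The DeserializationPermission class (a BasicPermission keyed on the class name), the CheckingObjectInputStream, the two sample classes and the in-process Policy are all assumptions made for the example. The hook runs in resolveClass, which ObjectInputStream calls after reading a class descriptor and before allocating the instance; it walks the Serializable superclass chain, collects each class's ProtectionDomain into an AccessControlContext and calls the two-argument SecurityManager.checkPermission, falling back to AccessControlContext.checkPermission (the same domain walk) when no SecurityManager is installed. It targets JDK 8 through 23, where Policy and AccessControlContext are still functional (deprecated from 17).

```java
import java.io.*;
import java.security.*;
import java.util.*;

public final class DeserializationCheckDemo {

    // Assumed permission type: the post names the idea but defines no class.
    public static final class DeserializationPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        public DeserializationPermission(String className) { super(className); }
    }

    // Collect the ProtectionDomain of the class and of every Serializable superclass.
    // Class.getProtectionDomain needs RuntimePermission("getProtectionDomain") when a
    // SecurityManager is installed, so it runs privileged on this class's own domain.
    static ProtectionDomain[] serializableHierarchyDomains(Class<?> cls) {
        List<ProtectionDomain> domains = new ArrayList<>();
        for (Class<?> c = cls; c != null && Serializable.class.isAssignableFrom(c); c = c.getSuperclass()) {
            final Class<?> cur = c;
            ProtectionDomain pd = AccessController.doPrivileged(
                    (PrivilegedAction<ProtectionDomain>) cur::getProtectionDomain);
            if (!domains.contains(pd)) domains.add(pd);   // identity compare is intended
        }
        return domains.toArray(new ProtectionDomain[0]);
    }

    // The proposed check: every domain in the hierarchy must imply the permission.
    static void checkDeserialization(Class<?> cls) {
        AccessControlContext acc = new AccessControlContext(serializableHierarchyDomains(cls));
        Permission perm = new DeserializationPermission(cls.getName());
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(perm, acc);   // two-argument call from the post
        } else {
            acc.checkPermission(perm);       // same domain walk without a SecurityManager
        }
    }

    // resolveClass runs before ObjectInputStream allocates the instance.
    static final class CheckingObjectInputStream extends ObjectInputStream {
        CheckingObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            Class<?> cls = super.resolveClass(desc);
            checkDeserialization(cls);       // throws AccessControlException on denial
            return cls;
        }
    }

    // Constructed sample classes: one we intend to grant, one we do not.
    static class Trusted implements Serializable { private static final long serialVersionUID = 1L; int x = 1; }
    static class Untrusted implements Serializable { private static final long serialVersionUID = 1L; int y = 2; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new CheckingObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed policy, standing in for an administrator's grant: only Trusted may be deserialized.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain pd, Permission p) {
                return p instanceof DeserializationPermission
                        && Trusted.class.getName().equals(p.getName());
            }
        });

        System.out.println("granted: " + deserialize(serialize(new Trusted())).getClass().getSimpleName());
        try {
            deserialize(serialize(new Untrusted()));
            System.out.println("unexpected: Untrusted was deserialized");
        } catch (AccessControlException e) {
            System.out.println("denied before instantiation: " + e.getMessage());
        }
    }
}
```

Because the permission is checked against code-source domains only, never against a Subject's principals, the outcome depends on where the class was loaded from, which is the code-trust property the post describes; a real deployment would put the grant in the policy file rather than in a Policy subclass as done here.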