...
None of these issues, however, apply to static member classes.
Noncompliant Code Example
In this noncompliant code example, InnerSer is a non-static member class of OuterSer, so every InnerSer instance carries an implicit reference to its enclosing OuterSer instance. Serializing an InnerSer therefore also serializes that OuterSer, including its private ssn field, even though nothing in InnerSer mentions ssn.
```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int ssn;

  // Non-static inner class: each instance holds a hidden reference to its
  // enclosing OuterSer, so serializing an InnerSer also serializes ssn.
  class InnerSer implements Serializable {
    protected String name;
    //...
  }
}
```
Compliant Solution
This compliant solution does not implement the Serializable interface in the InnerSer class. An attempt to write an InnerSer to an ObjectOutputStream now fails with java.io.NotSerializableException rather than silently serializing the enclosing OuterSer.
```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int ssn;

  // InnerSer is not Serializable: writeObject() on an InnerSer throws
  // java.io.NotSerializableException instead of leaking ssn.
  class InnerSer {
    protected String name;
    //...
  }
}
```
Compliant Solution
Alternatively, the member class can be declared static. A static member class has no enclosing instance and therefore no hidden reference to an OuterSer, so it cannot drag the outer object's fields into a serialized stream. In this solution InnerSer is also left non-Serializable, so it cannot be serialized at all.
```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int ssn;

  // A static member class has no enclosing-instance reference,
  // so there is no path from an InnerSer to ssn.
  static class InnerSer {
    protected String name;
    //...
  }
}
```
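The following program, an added demonstration that is not part of the CERT rule text, shows the three shapes above side by side: a Serializable inner class whose stream carries the outer instance's sensitive field, a static nested class whose stream does not, and a non-Serializable inner class that is rejected outright. The class names, the serialize/streamContains helpers and the sample SSN value are constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Added example; not CERT's code. Names and the sample SSN are constructed.
public class InnerClassSerializationDemo {

    static class OuterSer implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String ssn;   // sensitive; never meant to leave this JVM

        OuterSer(String ssn) { this.ssn = ssn; }

        // Noncompliant shape: non-static, Serializable inner class.
        // The compiler adds a synthetic field referencing the enclosing
        // OuterSer, and default serialization writes that field too.
        class InnerSer implements Serializable {
            private static final long serialVersionUID = 1L;
            String name = "alice";
        }

        // Compliant shape (second solution, here additionally made
        // Serializable): a static member class has no enclosing instance.
        static class NestedSer implements Serializable {
            private static final long serialVersionUID = 1L;
            String name = "alice";
        }

        // Compliant shape (first solution): inner class that is not Serializable.
        class InnerPlain {
            String name = "alice";
        }
    }

    // Serialize any object to a byte array using standard Java serialization.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Strings are written in modified UTF-8, so ASCII values appear verbatim
    // in the stream; decoding as ISO-8859-1 keeps every byte for the search.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws IOException {
        OuterSer outer = new OuterSer("123-45-6789");  // constructed sample value

        byte[] innerBytes = serialize(outer.new InnerSer());
        System.out.println("Serializable inner class: stream carries outer ssn? "
                + streamContains(innerBytes, "123-45-6789"));   // true

        byte[] nestedBytes = serialize(new OuterSer.NestedSer());
        System.out.println("Static nested class: stream carries outer ssn? "
                + streamContains(nestedBytes, "123-45-6789"));  // false

        try {
            serialize(outer.new InnerPlain());
            System.out.println("unexpected: InnerPlain was serialized");
        } catch (NotSerializableException e) {
            System.out.println("Non-Serializable inner class rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac InnerClassSerializationDemo.java && java InnerClassSerializationDemo`. The first check is the point of the rule: the InnerSer stream contains the enclosing object's private ssn although InnerSer never references it. The second shows that the static form carries only its own state, and the third that a non-Serializable inner class fails closed instead of leaking.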
Risk Assessment
Serializing an instance of an inner class also serializes its enclosing instance, exposing any sensitive fields the outer object holds. In addition, the synthetic fields that link an inner class to its enclosing instance are compiler-dependent, so the resulting serialized form is not portable across implementations.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| SER33-J | medium | likely | low | P18 | L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[API 06]
[JLS 05] Section 8.1.3, "Inner Classes and Enclosing Instances", http://java.sun.com/docs/books/jls/third_edition/html/classes.html
[Sun 06] "Serialization specification"
[Bloch 08] Item 74, "Implement serialization judiciously"
...