Page History

...

Note, however, that none of the above issues apply to static member classes. Consequently, serialization of static member classes is permitted.

Noncompliant Code Example

In this noncompliant code example, the fields contained within the outer class are also serialized when the inner class is serialized.

Code Block

bgColor	#FFcccc

public class OuterSer implements Serializable {
  private int rank;
  class InnerSer implements Serializable {
    protected String name;
    //...
  }
}

Compliant Solution

This compliant solution omits implementation of the Serializable interface in the InnerSer class.

Code Block

bgColor	#ccccff

public class OuterSer implements Serializable {
  private int rank;
  class InnerSer {
    protected String name;
    //...
  }
}

Compliant Solution

It is allowable to declare the inner class as static to prevent its serialization. It is also permissible for a static inner class to implement Serializable.

Code Block

bgColor	#ccccff

public class OuterSer implements Serializable {
  private int rank;
  static class InnerSer implements Serializable {
    protected String name;
    //...
  }
}

Risk Assessment

Attempts to serialize inner classes can introduce platform dependencies and can cause serialization of instances of the outer class.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
SER06-J	medium	likely	low	P18	L1

Automated Detection

Detection of inner classes that implement serialization appears to be straightforward.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="00be74d2142489b5-f45fa201-4f0a416f-9a44baee-8f08a4a96b6092f49822ece0"><ac:plain-text-body><![CDATA[	[[API 2006	AA. Bibliography#API 06]]		]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="eb937fbad8246545-211eaf48-46bf4067-a84b827f-b37261c36886f0d9cbf217e5"><ac:plain-text-body><![CDATA[	[[Bloch 2008	AA. Bibliography#Bloch 08]]	Item 74: "Implement serialization judiciously"	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a5c58bea4319beae-29582e56-413c4e0f-8b699c26-60f5016267eba541ea6d78b4"><ac:plain-text-body><![CDATA[	[[JLS 2005	AA. Bibliography#JLS 05]]	[Section 8.1.3, Inner Classes and Enclosing Instances	http://java.sun.com/docs/books/jls/third_edition/html/classes.html]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="09d9e9d070fa33e8-c753d2d4-44a34e28-b4d6b115-3fafe6e7dd43380edd74131f"><ac:plain-text-body><![CDATA[	[[Sun 2006	AA. Bibliography#Sun 06]]	"Serialization specification"	]]></ac:plain-text-body></ac:structured-macro>

...

Space shortcuts

Page tree

Versions Compared

Old Version 37

New Version 38

Key

Noncompliant Code Example

Compliant Solution

Compliant Solution

Risk Assessment

Automated Detection

Related Vulnerabilities

Bibliography