Object serialization allows saving an object's state as a sequence of bytes and its reconstitution at some later time. The primary application of serialization is in Java Remote Method Invocation (RMI) wherein objects must be (un)packed and exchanged with other virtual machines. Usage in Java beans follows.
Java language's access control mechanisms cease to remain effective after a class is serialized. Any sensitive data protected using private access qualifiers gets exposed. Moreover, the security manager does not provide any checks to guarantee integrity of serialized data.
Non-Compliant Code Example
The data members of class coordinates are declared as private. the saveState and readState methods are used for serialization and de-serialization respectively. The coordinates (x,y) that are written to the data stream are now susceptible to malicious tampering.
public class coordinates {
private double x;
private double y;
public coordinates(double x, double y) {
this.x = x;
this.y = y;
}
public void saveState(OutputStream out) throws IOException {
DataOutputStream dout = new DataOutputStream(dout);
dout.writeDouble(x);
dout.writeDouble(y);
}
public void readState(InputStream in) throws IOException {
DataInputStream din = new DataInputStream(in);
this.x = din.readDouble(x);
this.y = din.readDouble(y);
}
}