What happens to the state of the objects outside of the environment is outside of the control of the Java system (by definition), and therefore outside the control of the security provided by the system. The question then arises, once an object has been serialized, can the resulting byte array be examined and changed, perhaps injecting viruses into Java programs? The intent of this appendix is to address these security concerns.
transient, which prevents them from being serialized. Note that this is not a new or overloaded meaning for the transient keyword. If a resource like a file handle were not declared transient, the object could be altered while in its serialized state, enabling it to have improper access to resources after it is deserialized.
This is important even if one is not worried about security; it is possible that disk files can be corrupted and serialized data be invalid. So checking such invariants is more than just a security measure, it is a validity measure. However, the only place it can be done is in the code for the particular class, since there is no way the serialization package can determine what invariants should be maintained or checked.
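A worked illustration of the two points above, added here and not taken from the specification: the file handle is declared transient so it never travels in the byte stream, and the class's own readObject re-checks its invariants after defaultReadObject(), since the serialization runtime cannot know them. The class and field names (Ledger, path, balance, file) are assumptions.

```java
import java.io.*;

// Added example (not from the specification): a Serializable class whose
// file handle is transient and whose invariants are re-checked in readObject.
public final class Ledger implements Serializable {
    private static final long serialVersionUID = 1L;

    // Persisted state; invariant: balance >= 0 and path non-empty.
    private final String path;
    private int balance;

    // Resource handle: never written to the stream. After deserialization it
    // is null, so a stored or altered byte stream cannot hand the object an
    // open file; the class reacquires it only through its own code path.
    private transient RandomAccessFile file;

    public Ledger(String path, int balance) throws IOException {
        if (path == null || path.isEmpty() || balance < 0) {
            throw new IllegalArgumentException("bad initial state");
        }
        this.path = path;
        this.balance = balance;
        this.file = new RandomAccessFile(path, "rw");
    }

    public int getBalance() { return balance; }
    public boolean isOpen() { return file != null; }

    // Only the class itself knows its invariants, so this is where they are
    // checked; defaultReadObject() leaves the transient field null.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (path == null || path.isEmpty() || balance < 0) {
            throw new InvalidObjectException("Ledger invariants violated");
        }
    }

    public static void main(String[] args) throws Exception {
        File tmp = File.createTempFile("ledger", ".dat");
        Ledger original = new Ledger(tmp.getPath(), 100);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(original); }
        original.file.close();
        Ledger copy;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            copy = (Ledger) in.readObject();
        }
        System.out.println("balance=" + copy.getBalance() + " open=" + copy.isOpen());
    }
}
```

After the round trip the balance is restored but isOpen() reports false, because the handle was never part of the serialized form; a negative balance or empty path in the bytes is rejected with InvalidObjectException.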
The implementation allows encryption, both by allowing the classes to have their own special methods for serialization/deserialization and by using the stream abstraction for serialization, so the output can be fed into some other stream or filter.
Copyright © 1996 Sun Microsystems, Inc., 2550 Garcia Ave., Mtn. View, CA 94043-1100 USA. All rights reserved.