What's the best way to prevent Serialization?
Posted By:   Bob_Lee
Posted On:   Thursday, October 24, 2002 08:33 AM

What's the best way to prevent serialization without making your class final?

Should I store a non-serializable object? For example:

private Object STOP_SERIALIZATION = new Object();


Or, should I do something like this:

protected final Object writeReplace() {
    throw new UnsupportedOperationException();
}

Re: What's the best way to prevent Serialization?

Posted By:   Christopher_Schultz  
Posted On:   Thursday, October 24, 2002 12:53 PM

If you simply do not declare your object to be Serializable, then serialization will be prevented.

As you mentioned, someone can subclass your class and serialize that object. The two techniques that you provide seem like reasonable prevention mechanisms.

Why do you want to prevent serialization in the first place? If there is sensitive data that you are worried will be serialized and possibly stolen, then you could mark those sensitive fields as transient, and they will therefore not be serialized.

Since you want to prevent serialization in the first place, making the serialized copy of the object invalid (by omitting sensitive data) should not be a concern.

Hope that helps,

-chris
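A runnable version of the second technique from the question, exercised against the subclassing case raised in the reply. This is an added example, not code from either poster; the class and field names are hypothetical. It relies on writeReplace() being an inheritable hook: ObjectOutputStream looks it up through the superclass chain of a Serializable class, so a protected final writeReplace() in a non-Serializable base class still fires when a Serializable subclass is written, whereas a non-serializable field in the base class would never be looked at.

```java
import java.io.*;

// Hypothetical base class (added example, not from the thread): not Serializable
// itself, but it blocks serialization of any Serializable subclass through an
// inherited, non-overridable writeReplace() hook.
class Guarded {
    // Sensitive value that must never leave the JVM in serialized form.
    private final char[] secret = "hunter2".toCharArray();

    // ObjectOutputStream invokes this before writing an instance of any
    // Serializable subclass; 'final' stops a subclass from replacing it.
    protected final Object writeReplace() throws ObjectStreamException {
        throw new NotSerializableException(getClass().getName() + " must not be serialized");
    }
}

// A subclass that opts into Serializable, the case the reply warns about.
class Leaky extends Guarded implements Serializable {
    private static final long serialVersionUID = 1L;
    private String label = "leaky";
    // The reply's other suggestion: transient fields are skipped even when
    // serialization is allowed.
    private transient String sessionToken = "constructed-sample-token";
}

public class NoSerializeDemo {
    // Returns true if the write was refused, false if bytes were produced.
    static boolean serializationBlocked(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return false;
        } catch (NotSerializableException e) {
            return true;          // writeReplace() refused the object
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) {
        // Expected: blocked: true (the subclass cannot bypass the inherited hook)
        System.out.println("blocked: " + serializationBlocked(new Leaky()));
    }
}
```

Removing the writeReplace() method from Guarded makes the same call succeed, which shows that the base class not being Serializable is no protection on its own once a subclass implements the interface.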