Topic: What's the best way to prevent Serialization?

What's the best way to prevent Serialization?

1 posts in topic

Flat View

Thread View

Older Post First | Reply to Topic

TOPIC ACTIONS:

Print Topic

Posted By: Bob_Lee
Posted On: Thursday, October 24, 2002 08:33 AM

What's the best way to prevent serialization without making your class final?

Should I store a non-serializable object? For example:

			

			private Object STOP_SERIALIZATION = new Object();

Or, should I do something like this:

			

			protected final Object writeReplace() {
			

			throw new UnsupportedOperationException();
			

			}

Report | Quote This | Send private message | Reply | Print

Re: What's the best way to prevent Serialization?

Posted By: Christopher_Schultz
Posted On: Thursday, October 24, 2002 12:53 PM

If you simply do not declare your object to be Serializable, then serialization will be prevented.

As you mentioned, someone can subclass your class and serialize that object. The two techniques that you provide seem like reasonable prevention mechanisms.

Why do you want to prevent serialization in the first place? If there is sensitive data that you are worried will be serialized and possibly stolen, then you could mark those sensitive fields as transient, and therefore will not be serialized.

Since you want to prevent serialization in the first place, making the serialized copy of the object invalid (by omitting sensitive data) should not be a concern.

Hope that helps,

-chris

Report | Quote This | Send private message | Reply | Print