public class DeSerializationPermission extends BasicPermission
DeSerializationPermission is different to other permissions, where other Permissions guard something, and all domains on the call stack must have the Permission, DeSerializationPermission is only checked against the domains representing the class hierarchy of an object about to be de-serialized. It is about trusting the classes of the object to check all invariants while reading a stream from an untrusted source. This also allows a developer to utilize libraries, while minimizing the available classes that can participate in atomic de-serialization.
There are only four types:
Permissions should only be granted to domains that are trusted to read in a serial stream from an untrusted data source.
No permission is required for stateless objects that implement Serializable.
MARSHALLED - MarshalledObject allows any Serialized object to be transferred over a stream, it is often used to compare the serial form of objects, however because MarshalledObject allows any Serializable class to be deserialized, it would be unsafe to unmarshal a MarshalledObject instance, so this permission should only be granted for cases where MarshalledObject is not unmarshalled.
| Constructor and Description |
|---|
DeSerializationPermission(String type)
The ProtectionDomain of a class that is de-serializing (reading object input)
from an
AtomicMarshalInputStream requires permission to do so. |
equals, getActions, hashCode, implies, newPermissionCollectioncheckGuard, getName, toStringpublic DeSerializationPermission(String type)
AtomicMarshalInputStream requires permission to do so.type - one of the following
AtomicSerial or AtomicExternalExternalizableMarshalledInstance or MarshalledObjectProxy, dynamically generated proxy's already have this permission.Copyright © 2016–2018 The Apache Software Foundation. All rights reserved.