Java Object Serialization Specification
The object serialization system allows a byte stream to be produced from a graph of objects, sent out of the Java(tm) environment (either saved to disk or sent over the network), and then used to recreate an equivalent set of new objects with the same state. What happens to that serialized state outside the environment is, by definition, outside the control of the Java(tm) system, and therefore outside the control of the security the system provides. The question then arises: once an object has been serialized, can the resulting byte array be examined and changed, perhaps to inject viruses into Java(tm) programs? The intent of this section is to address these security concerns.
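The concern above can be made concrete. The following is an added example, not code from the specification: it serializes a small object, edits one field's bytes in the resulting array (as an attacker with access to the file or the network could), and deserializes it again. The class names NaiveAccount and CheckedAccount, the MARKER value and the tamper() helper are all constructed for this illustration. The naive class accepts whatever the stream says; the checked class re-validates its invariant in readObject, because a stream that has left the JVM is untrusted input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class TamperDemo {

    // Constructed sample type (not from the spec): no validation of the incoming bytes.
    static class NaiveAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        int balance;
        NaiveAccount(int balance) { this.balance = balance; }
    }

    // Same shape, but readObject re-checks the class invariant after the
    // default field data has been read from the (untrusted) stream.
    static class CheckedAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        int balance;
        CheckedAccount(int balance) { this.balance = balance; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (balance < 0) {
                throw new InvalidObjectException("balance must be non-negative, got " + balance);
            }
        }
    }

    // Sentinel field value chosen so its big-endian encoding (01 02 03 04)
    // is easy to locate in the serialized stream. Assumption for the demo only.
    static final int MARKER = 0x01020304;

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Simulates an attacker editing the stream on disk or on the wire:
    // find the field's four bytes and overwrite them with 0xFFFFFFFF (-1).
    static byte[] tamper(byte[] stream) {
        byte[] out = stream.clone();
        for (int i = 0; i + 4 <= out.length; i++) {
            if (out[i] == 0x01 && out[i + 1] == 0x02 && out[i + 2] == 0x03 && out[i + 3] == 0x04) {
                out[i] = out[i + 1] = out[i + 2] = out[i + 3] = (byte) 0xFF;
                return out;
            }
        }
        throw new IllegalStateException("marker not found in stream");
    }

    public static void main(String[] args) throws Exception {
        // Unvalidated class: the altered value is silently accepted.
        byte[] naiveStream = tamper(serialize(new NaiveAccount(MARKER)));
        NaiveAccount n = (NaiveAccount) deserialize(naiveStream);
        System.out.println("naive balance after tampering: " + n.balance);

        // Validated class: the same edit is rejected during deserialization.
        byte[] checkedStream = tamper(serialize(new CheckedAccount(MARKER)));
        try {
            deserialize(checkedStream);
            System.out.println("checked: accepted (unexpected)");
        } catch (InvalidObjectException e) {
            System.out.println("checked: rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac TamperDemo.java && java TamperDemo`. The naive object comes back with balance -1, a state the class never produced on its own; the checked object fails with InvalidObjectException. The point is that serialization preserves field values, not the invariants the constructor enforced, so any invariant that matters must be re-established when the object is rebuilt from bytes. A readObject check guards only this class's own fields; it does not limit which classes the stream may instantiate, which is a separate concern.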