
src/java.base/share/classes/java/io/ObjectInputStream.java

rev 49438 : 8197595: Serialization javadoc should link to security best practices
Reviewed-by: lancea, sean, ahgross


  35 import java.security.AccessController;
  36 import java.security.PrivilegedAction;
  37 import java.security.PrivilegedActionException;
  38 import java.security.PrivilegedExceptionAction;
  39 import java.util.Arrays;
  40 import java.util.Map;
  41 import java.util.Objects;
  42 import java.util.concurrent.ConcurrentHashMap;
  43 import java.util.concurrent.ConcurrentMap;
  44 
  45 import static java.io.ObjectStreamClass.processQueue;
  46 
  47 import jdk.internal.misc.SharedSecrets;
  48 import jdk.internal.misc.Unsafe;
  49 import sun.reflect.misc.ReflectUtil;
  50 
  51 /**
  52  * An ObjectInputStream deserializes primitive data and objects previously
  53  * written using an ObjectOutputStream.
  54  *
  55  * <p>ObjectOutputStream and ObjectInputStream can provide an application with
  56  * persistent storage for graphs of objects when used with a FileOutputStream
  57  * and FileInputStream respectively.  ObjectInputStream is used to recover
  58  * those objects previously serialized. Other uses include passing objects
  59  * between hosts using a socket stream or for marshaling and unmarshaling
  60  * arguments and parameters in a remote communication system.
  61  *
  62  * <p>ObjectInputStream ensures that the types of all objects in the graph
  63  * created from the stream match the classes present in the Java Virtual
  64  * Machine.  Classes are loaded as required using the standard mechanisms.
  65  *
  66  * <p>Only objects that support the java.io.Serializable or
  67  * java.io.Externalizable interface can be read from streams.
  68  *
  69  * <p>The method <code>readObject</code> is used to read an object from the
  70  * stream.  Java's safe casting should be used to get the desired type.  In
  71  * Java, strings and arrays are objects and are treated as objects during
  72  * serialization. When read they need to be cast to the expected type.
  73  *
  74  * <p>Primitive data types can be read from the stream using the appropriate




  35 import java.security.AccessController;
  36 import java.security.PrivilegedAction;
  37 import java.security.PrivilegedActionException;
  38 import java.security.PrivilegedExceptionAction;
  39 import java.util.Arrays;
  40 import java.util.Map;
  41 import java.util.Objects;
  42 import java.util.concurrent.ConcurrentHashMap;
  43 import java.util.concurrent.ConcurrentMap;
  44 
  45 import static java.io.ObjectStreamClass.processQueue;
  46 
  47 import jdk.internal.misc.SharedSecrets;
  48 import jdk.internal.misc.Unsafe;
  49 import sun.reflect.misc.ReflectUtil;
  50 
  51 /**
  52  * An ObjectInputStream deserializes primitive data and objects previously
  53  * written using an ObjectOutputStream.
  54  *
  55  * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous
  56  * and should be avoided. Untrusted data should be carefully validated according to the
  57  * "Serialization and Deserialization" section of the
  58  * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}.
  59  * {@extLink serialization_filter_guide Serialization Filtering} describes best
  60  * practices for defensive use of serial filters.
  61  * </strong></p>
  62  *
  63  * <p>ObjectOutputStream and ObjectInputStream can provide an application with
  64  * persistent storage for graphs of objects when used with a FileOutputStream
  65  * and FileInputStream respectively.  ObjectInputStream is used to recover
  66  * those objects previously serialized. Other uses include passing objects
  67  * between hosts using a socket stream or for marshaling and unmarshaling
  68  * arguments and parameters in a remote communication system.
  69  *
  70  * <p>ObjectInputStream ensures that the types of all objects in the graph
  71  * created from the stream match the classes present in the Java Virtual
  72  * Machine.  Classes are loaded as required using the standard mechanisms.
  73  *
  74  * <p>Only objects that support the java.io.Serializable or
  75  * java.io.Externalizable interface can be read from streams.
  76  *
  77  * <p>The method <code>readObject</code> is used to read an object from the
  78  * stream.  Java's safe casting should be used to get the desired type.  In
  79  * Java, strings and arrays are objects and are treated as objects during
  80  * serialization. When read they need to be cast to the expected type.
  81  *
  82  * <p>Primitive data types can be read from the stream using the appropriate
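Review bot: the added warning paragraph at the top of the class javadoc tells readers that "Serialization Filtering describes best practices for defensive use of serial filters" but never names the in-JDK API that implements those filters, so a reader of this class doc still has to leave the JDK documentation to find it; since `java.io.ObjectInputFilter` and `ObjectInputStream.setObjectInputFilter` already exist in this package, consider adding a `{@link ObjectInputFilter}` reference inside the `<strong>` block, for example after the sentence on serial filters, so the warning points directly at the mechanism as well as at the external guide. Minor style point: the rest of this javadoc opens paragraphs with a bare `<p>` and never closes them, while the new block ends with `</strong></p>`; either is accepted by doclint, but matching the file's existing convention keeps the comment uniform.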