serialization proxy pattern
- Both the enclosing class and its serialization proxy must be declared to implement Serializable.
public class User implements Serializable {
...
private static class SerializationProxy implements Serializable {
...
}
}
- the writeReplace method translates an instance of the enclosing class to its serialization proxy prior to serialization.
public class User implements Serializable {
...
private static class SerializationProxy implements Serializable {
...
}
// 2. writeReplace
private Object writeReplace() {
return new SerializationProxy(this);
}
}
- to guarantee that such an attack would fail, merely add this readObject method to the enclosing class.
public class User implements Serializable {
...
private static class SerializationProxy implements Serializable {
...
}
private Object writeReplace() {
return new SerializationProxy(this);
}
// 3. readObject
private void ReadObject(ObjectInputStream stream) throws InvalidObjectException {
throw new InvalidObjectException("Proxy required");
}
}
- the readResolve method creates an instance of the enclosing class using only its public API and therein lies the beauty of the pattern.
public class User implements Serializable {
...
private static class SerializationProxy implements Serializable {
...
// 4. readResolve
private Object readResolve() {
return new User(id, name);
}
}
private Object writeReplace() {
return new SerializationProxy(this);
}
private void ReadObject(ObjectInputStream stream) throws InvalidObjectException {
throw new InvalidObjectException("Proxy required");
}
}
本文介绍了Java中的序列化代理模式,通过`writeReplace`和`readResolve`方法确保序列化过程的安全性。`writeReplace`方法将实例转换为序列化代理类,而`readObject`方法则确保在反序列化时使用公共API创建新的对象,从而防止非法攻击。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
