Oracle Corporation
Constructor accessibility checks for deserialization

Abstract:

Techniques for performing constructor accessibility checks during deserialization are disclosed. A system receives a command that requires deserializing a serialized object of a target type. The system determines an ancestor type of the target type. Without calling any constructors and regardless of whether the ancestor type is serializable, the system determines whether a constructor of the ancestor type is accessible to the target type. The system deserializes the serialized object only after determining that the constructor of the ancestor type is accessible to the target type.