Serialization methods do not match required signature
ID: java/wrong-object-serialization-signature
Kind: problem
Security severity:
Severity: warning
Precision: medium
Tags:
- reliability
- maintainability
- language-features
Query suites:
- java-security-and-quality.qls
Serializable objects that define their own serialization protocol using the methods readObject, readObjectNoData or writeObject must use the signatures that the Java serialization framework expects. Otherwise the framework does not find the methods and silently falls back to the default serialization mechanism, so any custom logic in them (including validation of the deserialized state) never runs.
Recommendation
Ensure that the signatures of readObject, readObjectNoData and writeObject on serializable classes match the expected signatures: each method must be private, return void and take exactly the parameter shown below.

    private void readObject(java.io.ObjectInputStream in)
        throws IOException, ClassNotFoundException;

    private void readObjectNoData()
        throws ObjectStreamException;

    private void writeObject(java.io.ObjectOutputStream out)
        throws IOException;
Example
In the following example, WrongNetRequest defines readObject, readObjectNoData and writeObject with the wrong signatures (the methods are not private). NetRequest, in contrast, defines them correctly.
    import java.io.IOException;
    import java.io.ObjectInputStream;
    import java.io.ObjectOutputStream;
    import java.io.ObjectStreamException;
    import java.io.Serializable;

    class WrongNetRequest implements Serializable {
        // BAD: Does not match the exact signature required for a custom
        // deserialization protocol (not private). Will not be called during
        // deserialization.
        void readObject(ObjectInputStream in) {
            //...
        }

        // BAD: Does not match the exact signature required for a custom
        // deserialization protocol (not private). Will not be called during
        // deserialization.
        void readObjectNoData() {
            //...
        }

        // BAD: Does not match the exact signature required for a custom
        // serialization protocol (protected instead of private). Will not be
        // called during serialization.
        protected void writeObject(ObjectOutputStream out) {
            //...
        }
    }

    class NetRequest implements Serializable {
        // GOOD: Signature for a custom deserialization implementation.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            //...
        }

        // GOOD: Signature for a custom deserialization implementation.
        private void readObjectNoData() throws ObjectStreamException {
            //...
        }

        // GOOD: Signature for a custom serialization implementation.
        private void writeObject(ObjectOutputStream out) throws IOException {
            //...
        }
    }
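The following added example (not part of the original query help, and not CodeQL's own code) makes the consequence of a wrong signature observable. Both classes below are constructed for this illustration: each carries an invariant (port must be in 1..65535) that is re-checked in readObject after defaultReadObject(). NetRequest declares the hook with the expected private signature, so a stream holding an invalid port is rejected with InvalidObjectException; WrongNetRequest declares the same hook package-private, so the framework ignores it and the invalid object is accepted without the check ever running. The hasValidReadObjectHook helper is a small reflective check of the hook's shape, of the kind that can be placed in a unit test alongside the CodeQL query.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

public class SerializationHookDemo {

    // Constructed example class: a request whose port must be in 1..65535.
    static final class NetRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        String host;
        int port;

        NetRequest(String host, int port) { this.host = host; this.port = port; }

        // GOOD: private, void, exactly one ObjectInputStream parameter, so the
        // serialization framework finds and invokes it.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();            // restore non-transient fields first
            if (port < 1 || port > 65535) {    // then re-establish the invariant
                throw new InvalidObjectException("port out of range: " + port);
            }
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
        }
    }

    // Same invariant, but the hook is package-private instead of private.
    static final class WrongNetRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        String host;
        int port;

        WrongNetRequest(String host, int port) { this.host = host; this.port = port; }

        // BAD: not private, so the framework falls back to default
        // deserialization and the range check below never executes.
        void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (port < 1 || port > 65535) {
                throw new InvalidObjectException("port out of range: " + port);
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Reflective check that a class declares readObject with the shape the
    // framework requires: private, non-static, void, single ObjectInputStream parameter.
    static boolean hasValidReadObjectHook(Class<?> cls) {
        try {
            Method m = cls.getDeclaredMethod("readObject", ObjectInputStream.class);
            int mods = m.getModifiers();
            return Modifier.isPrivate(mods) && !Modifier.isStatic(mods)
                && m.getReturnType() == void.class;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("NetRequest hook valid:      " + hasValidReadObjectHook(NetRequest.class));
        System.out.println("WrongNetRequest hook valid: " + hasValidReadObjectHook(WrongNetRequest.class));

        // Port 0 violates the invariant; only the correctly declared hook catches it.
        try {
            deserialize(serialize(new NetRequest("example.invalid", 0)));
            System.out.println("NetRequest: accepted (unexpected)");
        } catch (InvalidObjectException e) {
            System.out.println("NetRequest: rejected -> " + e.getMessage());
        }

        WrongNetRequest w = (WrongNetRequest) deserialize(serialize(new WrongNetRequest("example.invalid", 0)));
        System.out.println("WrongNetRequest: accepted with port " + w.port + " (check never ran)");
    }
}
```

Compile and run with javac SerializationHookDemo.java && java SerializationHookDemo. The first deserialization throws and is reported as rejected; the second returns an object with port 0, which is exactly the silent fallback the query flags. The reflective helper reports true for NetRequest and false for WrongNetRequest and can be extended to readObjectNoData and writeObject in the same way.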
References
Java API Specification: Serializable.
Oracle Technology Network: Discover the secrets of the Java Serialization API.