mirror of https://gitflic.ru/project/openide/openide.git, synced 2025-12-16 14:23:28 +07:00
<html>
<body>
Reports classes that may be serialized or deserialized.
<p>
A class may be serialized if it supports the <code>Serializable</code> interface,
and its <code>readObject()</code> and <code>writeObject()</code> methods are not defined to always
throw an exception. Serializable classes may be dangerous in code intended for secure use.
</p>
<p><b>Example:</b></p>
<pre><code>
import java.io.ObjectInputStream;
import java.io.Serializable;

class DeserializableClass implements Serializable { // reported: there is no writeObject() method that always throws an exception
  private int sensitive = 736326;

  private void readObject(ObjectInputStream in) {
    throw new Error();
  }
}
</code></pre>
<p>After the quick-fix is applied:</p>
<pre><code>
import java.io.ObjectInputStream;
import java.io.Serializable;

class DeserializableClass implements Serializable {
  private int sensitive = 736326;

  private void readObject(ObjectInputStream in) {
    throw new Error();
  }

  private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
    throw new java.io.NotSerializableException("DeserializableClass");
  }
}
</code></pre>
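<p>The following is an added demonstration, not part of the inspection description above: it shows that a class which only inherits <code>Serializable</code> from a superclass is still written out by <code>ObjectOutputStream</code> by default, and that adding <code>readObject()</code>/<code>writeObject()</code> hooks that always throw (the shape of the quick-fix) makes the stream reject it. The class names and the sample field value are constructed for this example.</p>

```java
import java.io.*;

// Constructed sample: a base class that opts into serialization.
class Credentials implements Serializable {
    private static final long serialVersionUID = 1L;
    String secret = "constructed-sample-value";
}

// Inherits Serializable from the superclass but is not meant to be serialized.
// Both hooks throw, so neither writing this object nor reading bytes that
// claim to be this class can succeed; this mirrors the quick-fix above.
class GuardedCredentials extends Credentials {
    private static final long serialVersionUID = 1L;

    private void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException("GuardedCredentials");
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        throw new NotSerializableException("GuardedCredentials");
    }
}

public class SerializationGuardDemo {
    // Returns true when the object was serialized to bytes, false when the
    // class's writeObject() hook rejected it with NotSerializableException.
    static boolean canSerialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(o);
            return true;
        } catch (NotSerializableException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // The base class is serialized silently, including its 'secret' field.
        System.out.println("Credentials serializable: " + canSerialize(new Credentials()));
        // The guarded subclass is refused even though it never declared Serializable itself.
        System.out.println("GuardedCredentials serializable: " + canSerialize(new GuardedCredentials()));
    }
}
```

<p>Excluding such inheritors via the inspection's class list only silences the report; the throwing hooks are what actually stop the bytes from being produced or consumed.</p>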
<!-- tooltip end -->
<p>
Use the following options to configure the inspection:
</p>
<ul>
<li>
List classes whose inheritors should not be reported by this inspection.
This is meant for classes that inherit
<code>Serializable</code> from a superclass but are not intended for serialization.
Note that it may still be more secure to add <code>readObject()</code> and <code>writeObject()</code> methods
which always throw an exception, instead of ignoring those classes.
</li>
<li>
Whether to ignore serializable anonymous classes.
</li>
</ul>
</body>
</html>