Serializable class in secure context

Reports classes that may be serialized or deserialized.

A class may be serialized if it supports the Serializable interface, and its readObject() and writeObject() methods are not defined to always throw an exception. Serializable classes may be dangerous in code intended for secure use.

Example:

  class DeserializableClass implements Serializable { // the class doesn't contain 'writeObject()' method throwing an exception
    private int sensitive = 736326;

    private void readObject(ObjectInputStream in) {
        throw new Error();
    }
}

After the quick-fix is applied:

class DeserializableClass implements Serializable {
  private int sensitive = 736326;

  private void readObject(ObjectInputStream in) {
      throw new Error();
  }

  private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
      throw new java.io.NotSerializableException("DeserializableClass");
  }
}

Use the following options to configure the inspection:

List classes whose inheritors should not be reported by this inspection. This is meant for classes that inherit Serializable from a superclass but are not intended for serialization. Note that it still may be more secure to add readObject() and writeObject() methods which always throw an exception, instead of ignoring those classes.
Whether to ignore serializable anonymous classes.

Inspection options

Option	Type	Default
Ignore subclasses of	StringList	[java.awt.Component, java.lang.Throwable, java.lang.Enum]
Ignore anonymous inner classes	Checkbox	false

Inspection Details
Available in:	IntelliJ IDEA 2023.3, Qodana for JVM 2023.3
Plugin:	Java, 233.SNAPSHOT

Last modified: 13 July 2023