On 01/14/2014 01:26 AM, mark.reinh...@oracle.com wrote:
Posted: http://openjdk.java.net/jeps/187
There's another aspect of the current approach to serialization that is not mentioned: the type information does not come from the calling context, but exclusively from the input stream. This means that all serializable classes can be instantiated, and not just those the context is prepared to deal with. I don't know if this is worth changing, but I do think it's something to consider.
-- Florian Weimer / Red Hat Product Security Team
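The point above, as an added example that is not part of the original message or of JEP 187: with a plain ObjectInputStream the class named in the stream is instantiated (and its readObject runs) before the caller's cast ever executes, whereas an ObjectInputStream whose resolveClass is bound to a caller-supplied allowlist rejects the descriptor before any instance exists. The Greeting, Unexpected and ContextBoundInputStream classes are hypothetical names chosen for the illustration; Set.of needs Java 9 or later.

```java
import java.io.*;
import java.util.Set;

public class ContextTypedDeserialization {

    // Two serializable types. The calling code only ever expects a Greeting.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // A type the caller never asked for; the stream alone decides it gets built.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unexpected.readObject ran: the stream chose the type");
        }
    }

    // Hypothetical stream whose accepted classes come from the calling context,
    // not from the bytes being read.
    static final class ContextBoundInputStream extends ObjectInputStream {
        private final Set<Class<?>> allowed;

        ContextBoundInputStream(InputStream in, Set<Class<?>> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            Class<?> c = super.resolveClass(desc);
            if (!allowed.contains(c)) {
                // Reject at descriptor resolution: no instance, no readObject, no cast.
                throw new InvalidClassException(desc.getName(), "not expected in this context");
            }
            return c;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a stream that names a type the caller does not expect.
        byte[] hostile = serialize(new Unexpected());

        // Default behaviour: Unexpected is instantiated and its readObject runs;
        // only afterwards does the caller's cast to Greeting fail.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(hostile))) {
            Greeting g = (Greeting) in.readObject();
        } catch (ClassCastException e) {
            System.out.println("default stream: object already built, then " + e);
        }

        // Context-bound behaviour: resolution fails before any object exists.
        try (ObjectInputStream in = new ContextBoundInputStream(
                new ByteArrayInputStream(hostile), Set.of(Greeting.class))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("context-bound stream: " + e.getMessage());
        }

        // The type the context is prepared for still round-trips.
        byte[] ok = serialize(new Greeting("hi"));
        try (ObjectInputStream in = new ContextBoundInputStream(
                new ByteArrayInputStream(ok), Set.of(Greeting.class))) {
            System.out.println("context-bound stream accepted: "
                    + ((Greeting) in.readObject()).text);
        }
    }
}
```

Overriding resolveClass was the only hook available in the JDK of 2014; Java 9 later added ObjectInputFilter (JEP 290), which lets the caller express the same kind of context-derived restriction without subclassing the stream. Either way the check must run at descriptor resolution, since by the time readObject returns the stream-chosen type has already been constructed.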