Thanks Ray, that's comforting to hear, after having built an application on the assumption that IsSerializable is a recommended way to do gwt-rpc. Not that it would be a huge problem... just probably a day of refactoring and adding @SuppressWarnings annotations.

Thanks again :)

Nathan Wells

On Thu, Sep 10, 2009 at 7:21 AM, John Tamplin <[email protected]> wrote:
> On Thu, Sep 10, 2009 at 2:11 AM, George Georgovassilis <[email protected]> wrote:
>
>> I was under the impression that IsSerializable had been deprecated de
>> facto. John, does IsSerializable currently override the serialization
>> policy or is this a proposed behavior?
>
> It doesn't override it -- the legacy serialization policy, which is what is
> used if no *.gwt.rpc file is found, allows anything marked IsSerializable to
> be serialized. Allowing Serializable is a security risk in this case, since
> many classes are marked as Serializable that should not be returned, and
> simply instantiating one of them might provide an attack vector if a
> malicious client knew it was on the server's classpath.
>
> IsSerializable doesn't have this problem because it is only used for GWT,
> so if the developer marked it in such a way they are explicitly saying it is
> ok for GWT to serialize.
>
> --
> John A. Tamplin
> Software Engineer (GWT), Google

http://groups.google.com/group/Google-Web-Toolkit-Contributors
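The two admission modes John describes (a *.gwt.rpc whitelist when one is deployed, the legacy IsSerializable-only rule when none is found), as an added illustrative model that is not GWT's own SerializationPolicy code; the class names, interface constants and whitelist contents below are constructed for the example:

```python
"""Model of GWT-RPC deserialization admission: policy file vs. legacy rule.

Added example, not GWT code. A server-side class is represented by its name
and the marker interfaces it implements; the server consults the *.gwt.rpc
whitelist if present and otherwise falls back to the legacy rule.
"""
from dataclasses import dataclass, field
from typing import Optional

IS_SERIALIZABLE = "com.google.gwt.user.client.rpc.IsSerializable"
SERIALIZABLE = "java.io.Serializable"


@dataclass(frozen=True)
class ClassInfo:
    """Stand-in for a Class<?> on the server classpath (constructed)."""
    name: str
    interfaces: frozenset = field(default_factory=frozenset)


class SerializationPolicyError(Exception):
    """Raised when the policy refuses to instantiate a class from the wire."""


def validate_deserialize(cls: ClassInfo, whitelist: Optional[set]) -> str:
    """Return the mode that admitted `cls`, or raise if it must be refused.

    whitelist: class names from the deployed *.gwt.rpc file, or None when no
    policy file was found for the request (legacy mode).
    """
    if whitelist is not None:
        # Policy-file mode: only types the compiler proved reachable from the
        # service interface are allowed, whatever marker interface they carry.
        if cls.name in whitelist:
            return "policy-file"
        raise SerializationPolicyError(f"{cls.name} not in *.gwt.rpc whitelist")
    # Legacy mode: IsSerializable is an explicit opt-in made for GWT alone, so
    # it is trusted; java.io.Serializable is far too broad and is refused.
    if IS_SERIALIZABLE in cls.interfaces:
        return "legacy"
    raise SerializationPolicyError(f"{cls.name} is not IsSerializable")


def is_admitted(cls: ClassInfo, whitelist: Optional[set]) -> bool:
    """Convenience wrapper: True if the policy lets `cls` be instantiated."""
    try:
        validate_deserialize(cls, whitelist)
        return True
    except SerializationPolicyError:
        return False


# Constructed sample classes: a DTO the developer opted in, and an internal
# server type that merely happens to implement java.io.Serializable.
USER_DTO = ClassInfo("com.example.shared.UserDto", frozenset({IS_SERIALIZABLE}))
DB_SESSION = ClassInfo("com.example.server.DbSession", frozenset({SERIALIZABLE}))
```

With no policy file the DTO is admitted under the legacy rule while the Serializable-only server type is refused; with a whitelist, only listed names pass in either case.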
