Serializable class in secure context
Reports classes that may be serialized or deserialized.
A class may be serialized if it supports the Serializable interface, and its readObject() and writeObject() methods are not defined to always throw an exception. Serializable classes may be dangerous in code intended for secure use.
Example:
After the quick-fix is applied:
Locating this inspection
- By ID
Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.
-serial- Via Settings dialog
Path to the inspection settings via IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.
Use the following options to configure the inspection:
List classes whose inheritors should not be reported by this inspection. This is meant for classes that inherit
Serializablefrom a superclass but are not intended for serialization. Note that it still may be more secure to addreadObject()andwriteObject()methods which always throw an exception, instead of ignoring those classes.Whether to ignore serializable anonymous classes.
Inspection options
Here you can find the description of settings available for the Serializable class in secure context inspection, and the reference of their default values.
- Ignore subclasses of
Default value:
[java.awt.Component, java.lang.Throwable, java.lang.Enum]- Ignore anonymous classes
Default value:
Not selected
Suppressing Inspection
You can suppress this inspection by placing the following comment marker before the code fragment where you no longer want messages from this inspection to appear:
More detailed instructions as well as other ways and options that you have can be found in the product documentation:
Inspection Details | |
|---|---|
By default bundled with: |