DeserializationPermission Proposal

David M. Lloyd david.lloyd at
Tue Feb 9 15:04:07 UTC 2016

On 02/08/2016 10:19 PM, Peter Firmstone wrote:
> Why not, just prior to instantiating an object just prior to deserializing, add each class' ProtectionDomain in the objects hierarchy to an AccessControlContext and pass this to the SecurityManager's two argument checkPermission call?
> This permission could never be granted to a principal, it is only ever a code trust concern.  This would allow an administrator to minimise the attack surface of Serializable classes.

I think rather than using the ProtectionDomain of the objects in the 
serialization stream, would it not make more sense to capture and use 
(exclusively) the access control context of the entity which is 
constructing the stream?  The reason I say this is that it's very 
possible for a less-privileged object to have references to 
more-privileged objects and vice-versa; also, in some cases you're 
predicating the success of deserialization upon the order in which 
objects are deserialized.

For example, if I have a four-object graph of A, B, C, and D, in a 
diamond like this:


If B's class does not have privileges to construct D, deserialization 
will fail, even if C does.  On the other hand, if B has permission to 
construct D, but C doesn't, C can escape its restriction by relying on B 
to have already deserialized the object.

But by using one permission set - the captured context of the creator of 
the stream, or perhaps the captured context of the "root" readObject() 
call, you cannot change the authorization outcome of the deserialization 
just by fiddling with the bits.  A graph in this case is either valid or 


More information about the core-libs-dev mailing list