Security about serialized object.
SoonAnn Lim
Ranch Hand
Posts: 155
posted 15 years ago
Hi all,
I am writing a simple client server application. Client application will send a serialized object (an object that implements Serializable interface) to the server. Server will recover the information on this object and do further procesing. Server also send by the same object to client after processing, client will get an update object with more and new information. If client is run via internet, how secured is this architecture? I don't encrypt the object at this point. If serialized object is unsecure, then i may consider to encrypt it before sending via the internet.
Thanks.
I am writing a simple client server application. Client application will send a serialized object (an object that implements Serializable interface) to the server. Server will recover the information on this object and do further procesing. Server also send by the same object to client after processing, client will get an update object with more and new information. If client is run via internet, how secured is this architecture? I don't encrypt the object at this point. If serialized object is unsecure, then i may consider to encrypt it before sending via the internet.
Thanks.
Peter den Haan
author
Ranch Hand
Ranch Hand
Posts: 3252
posted 15 years ago
A serialized object is totally unprotected and insecure. If you need to transfer one over the net or any other untrusted medium, then I would suggest either using a secure channel such as SSL/TLS (using JSSE), or wrapping the object inside a javax.crypto.SealedObject (part of JCE).
Both JSSE and JCE are included in J2SDK 1.4, and downloadable as add-ons for earlier versions.
- Peter
Both JSSE and JCE are included in J2SDK 1.4, and downloadable as add-ons for earlier versions.
- Peter
