Reading a Stream of Serialized Objects

You can set a custom filter on one ObjectInputStream, or, to apply the same filter to every stream, set a JVM-wide filter. If an ObjectInputStream doesn’t have a filter defined for it, the JVM-wide filter is called, if there is one.

While the stream is being decoded, the following actions occur:

  • For each new object in the stream, and before the object is instantiated and deserialized, the filter is called the first time the stream encounters a class. (Subsequent instances of the same class aren't filtered.)
  • For each class in the stream, the filter is called with the resolved class. It is called separately for each supertype and interface in the stream.
  • The filter can examine each class referenced in the stream, including the class of objects to be created, supertypes of those classes, and their interfaces.
  • For each array in the stream, whether it is an array of primitives, of strings, or of objects, the filter is called with the array class and the array length.
  • For each reference to an object already read from the stream, the filter is called so it can check the depth, number of references, and stream length. The depth starts at 1, increases for each nested object, and decreases when each nested call returns.
  • The filter is not called for primitives or for java.lang.String instances that are encoded concretely in the stream.
  • The filter returns a status of accept, reject, or undecided.
  • Filter actions are logged if logging is enabled.

Unless a filter rejects the object, the object is accepted.
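To make the sequence above concrete, here is an added example (not from the Java documentation) of a per-stream filter that applies each of the listed checks: a class allowlist, an array-length cap, and depth, reference-count and stream-size limits. The Point class, the allowlist contents and the limit values are assumptions chosen for the example.

```java
import java.io.*;
import java.util.*;

// Added example (not from the Java documentation): a per-stream ObjectInputFilter
// applying the checks described above. Point, ALLOWED and the limits are constructed.
public class FilteredRead {
    static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y;
        Point(int x, int y) { this.x = x; this.y = y; }
    }
    // Only these classes may be instantiated from the stream (Number is listed because,
    // as a serializable supertype of Integer, it is passed to the filter separately).
    static final Set<Class<?>> ALLOWED = Set.of(Point.class, Integer.class, Number.class);
    static final ObjectInputFilter FILTER = info -> {
        // Limits are enforced on every callback, including back-references to
        // objects already read, for which serialClass() is null.
        if (info.depth() > 5 || info.references() > 100 || info.streamBytes() > 4096)
            return ObjectInputFilter.Status.REJECTED;
        Class<?> cls = info.serialClass();
        if (cls == null) return ObjectInputFilter.Status.UNDECIDED;
        if (cls.isArray()) {            // array class plus its declared length
            if (info.arrayLength() > 64) return ObjectInputFilter.Status.REJECTED;
            while (cls.isArray()) cls = cls.getComponentType();  // judge Point[] by Point
            if (cls.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        }
        System.out.println("filter saw " + cls.getName() + " at depth " + info.depth());
        return ALLOWED.contains(cls) ? ObjectInputFilter.Status.ALLOWED
                                     : ObjectInputFilter.Status.REJECTED;
    };
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // per-stream filter; overrides any JVM-wide one
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Point p = new Point(1, 2);
        // Accepted: allowlisted array and element class; the second element is a back-reference.
        System.out.println(((Point[]) readFiltered(serialize(new Point[] { p, p }))).length);
        // Rejected: HashMap is not allowlisted, so readObject throws InvalidClassException.
        try { readFiltered(serialize(new HashMap<>())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running it prints the filter callbacks in the order described above: the array class with its length, then the element class at depth 2, while the back-reference to the same Point is checked only against the limits.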