Wednesday, 15 July 2015

Java - Is it possible to serialize an anonymous class without the outer class?

I did a little research on the web and reviewed related topics on this site, and the answers are contradictory: some people said it is not possible, others said it is possible but dangerous.

The goal is to pass an object of an anonymous class as a parameter of an RMI method. Due to RMI requirements, the class must be Serializable. There's no problem here; it is easy to create a Serializable class.

But as you know, instances of inner classes hold a reference to the outer class (and anonymous classes are inner classes). Because of this, when you serialize an instance of an inner class, the instance of the outer class is serialized as a field. Here's where the problems come in: the outer class is not Serializable, and, what's more important, I do not want to serialize it. I only want to send the instance of the anonymous class.

An easy illustration: an RMI service method that accepts a Runnable:

    public interface RpcService {
        Object call(SerializableRunnable runnable);
    }

And here is how I'd call the method:

    void call() {
        myRpcService.call(new SerializableRunnable() {
            @Override
            public Object run() {
                System.out.println("It worked!");
                return null;
            }
        });
    }

As you can see, I want to send an "action" to the other side: system A describes the code, which should run on system B. It is like sending a script in Java.

I can see unsafe consequences if this is possible: for example, if I access a field or a captured final variable of the outer class from the Runnable, we'll be in trouble, because the caller instance is not present. On the other hand, if I use safe code in the Runnable (the compiler can check it), I don't see reasons to forbid this action.

So if anyone knows how the writeObject() and readObject() methods should be overridden in the anonymous class, or how to make the reference to the outer class transient, or can explain why this is impossible in Java, that would be helpful.

UPD: Yet another important thing to consider: the outer class is not present in the environment that executes the method (system B), that's why this info should be excluded to avoid NoClassDefFoundError.

You could try making caller.call() a static method.

However, the anonymous class will still need to be available in the context in which you deserialize the serialized instance. That is unavoidable.

(It is hard to imagine a situation where the anonymous class is available but the enclosing class isn't.)

So, if you can show how I can override the writeObject and readObject methods in the anonymous class ...

If you make caller.call() static, it is just as if it were a named class, I think. (I'm sure you can find examples of this yourself.)

Indeed, (modulo the anonymous class availability issue) it works. Here, the static main method substitutes for the static Caller.call() method. The program compiles and runs, showing that an anonymous class declared in a static method can be serialized and deserialized.

    import java.io.*;

    public class Bar {
        private interface Foo extends Runnable, Serializable {}

        public static void main(String[] args)
                throws InterruptedException, IOException, ClassNotFoundException {
            // Anonymous class created in a static context: no enclosing instance.
            Runnable foo = new Foo() {
                @Override
                public void run() {
                    System.out.println("lala");
                }
            };
            Thread t = new Thread(foo);
            t.start();
            t.join();

            // Serialize the anonymous instance to a byte array.
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(baos);
            oos.writeObject(foo);
            oos.close();

            // Deserialize it again and run the copy.
            Foo fooFoo = (Foo) new ObjectInputStream(
                    new ByteArrayInputStream(baos.toByteArray())).readObject();
            t = new Thread(fooFoo);
            t.start();
            t.join();
        }
    }
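As an added example (not code from the question or any answer above), the same contrast with both sides shown: the anonymous class is created once inside an instance method of a non-Serializable caller, where it carries the synthetic this$0 reference to the enclosing instance, and once inside a static method, where no such reference exists. The class names OuterRefDemo and NotSerializableCaller are assumptions.

```java
import java.io.*;
import java.lang.reflect.Field;

public class OuterRefDemo {
    // Same shape as the question's SerializableRunnable.
    interface SerializableRunnable extends Runnable, Serializable {}

    // Deliberately not Serializable, like the caller in the question (hypothetical name).
    static class NotSerializableCaller {
        String name = "caller";   // non-constant field, so the reference below is real
        Runnable fromInstanceMethod() {
            // Uses an outer field, so javac must keep the synthetic this$0 field
            // that points at the enclosing NotSerializableCaller instance.
            return new SerializableRunnable() {
                @Override public void run() { System.out.println("run by " + name); }
            };
        }

        static Runnable fromStaticMethod() {
            // No enclosing instance exists in a static context, so no this$0 is generated.
            return new SerializableRunnable() {
                @Override public void run() { System.out.println("run without outer"); }
            };
        }
    }
    // Lists the synthetic fields of the anonymous class, then tries to serialize it.
    static boolean report(String label, Runnable r) {
        StringBuilder synth = new StringBuilder();
        for (Field f : r.getClass().getDeclaredFields()) {
            if (f.isSynthetic()) synth.append(f.getName()).append(' ');
        }
        System.out.println(label + ": synthetic fields = [" + synth.toString().trim() + "]");
        try (ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream())) {
            oos.writeObject(r);
            System.out.println(label + ": serialized OK");
            return true;
        } catch (NotSerializableException e) {
            // writeObject followed this$0 and hit a class that is not Serializable.
            System.out.println(label + ": NotSerializableException: " + e.getMessage());
            return false;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
    public static void main(String[] args) {
        report("instance-method anonymous", new NotSerializableCaller().fromInstanceMethod());
        report("static-method anonymous", NotSerializableCaller.fromStaticMethod());
    }
}
```

The first call reports a this$0 field and fails on the caller class; the second reports no synthetic fields and serializes, which is the difference the static-method advice relies on.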

Another important thing to remember: the caller class is not present in the environment that executes the method, so I'd like to exclude this info during serialization to avoid NoClassDefFoundError.

There is no way to avoid that. The reason deserialization in the remote JVM is complaining is that the class descriptor includes a reference to the outer class. The deserializing side needs to resolve that reference even if you managed to clobber the reference, and even if you never explicitly or implicitly used the synthetic variable in the deserialized object.

The problem is that the remote JVM's classloader needs to know the type of the outer class when it loads the classfile for the inner class. It is needed for verification. It is needed for reflection. It is needed for the garbage collector.

There is no workaround.

(I'm not sure if this applies to a static inner class ... but I suspect it does.)

Attempting to serialize an anonymous Runnable instance without the outer class it refers to is not a serialization problem, it is the possibility of arbitrary code execution in the environment. It would be nice to see a JLS reference describing this question.

There is no JLS reference for this. Serialization and classloaders are not specified in the JLS. (Class initialization ... is a different issue.)

It is possible to run arbitrary code on a remote system via RMI. You need to implement RMI dynamic class loading to accomplish this. Here is a reference:

http://www.cis.upenn.edu/~bcpierce/courses/629/jdkdocs/guide/rmi/spec/rmi-arch.doc.html#280

Note that adding dynamic class loading of remote classes to RMI introduces important security issues. And you have to consider issues with classloader leaks.

Tags: java, serialization, rmi, anonymous-class
