Is it possible to read member values from Java objects that were serialized to disc without the classes of the objects?
I think this is a big NO, IT'S NOT POSSIBLE -- but I'd like to know for sure.
Sure it is possible - you just have to reimplement anything that ObjectInputStream does, skipping the parts you don't want.
The Java Object Serialization Specification contains a chapter Object Serialization Stream Protocol, which contains everything you need to know.
So, if your question is Can I be sure that nobody can access the content of my objects without deserializing the whole objects, the answer is No. See also the appendix A Security in Object Serialization, which elaborates this a bit.
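To make the answer concrete, here is an added example (not part of the answer above, and not JDK code): a small Python reader that walks a serialization stream purely by the type codes the Object Serialization Stream Protocol defines and returns the class name, field names and field values without any class on a classpath. The `Secret` class and the `SAMPLE` bytes are constructed for this illustration (hand-assembled as `ObjectOutputStream` would write them; the serialVersionUID bytes are arbitrary). The reader handles objects, strings, back-references and superclass chains, and refuses streams that carry class annotations or custom `writeObject` block data rather than misparsing them.

```python
import struct

# Type codes and flags from the Object Serialization Stream Protocol
STREAM_MAGIC, STREAM_VERSION, BASE_WIRE_HANDLE = 0xACED, 5, 0x7E0000
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA, SC_WRITE_METHOD = 0x74, 0x78, 0x01
# primitive field type code -> struct format (big-endian, as Java writes them)
PRIM_FORMAT = {"B": ">b", "C": ">H", "D": ">d", "F": ">f", "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}


class JavaSerialReader:
    """Reads class names, field names and values from the raw bytes; no class is loaded."""
    def __init__(self, data):
        self.buf, self.pos, self.handles = bytes(data), 0, []

    def _take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated stream")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def _u8(self): return self._take(1)[0]
    def _u16(self): return struct.unpack(">H", self._take(2))[0]
    def _utf(self): return self._take(self._u16()).decode("utf-8")  # length-prefixed text

    def _handle(self, obj):  # objects, strings and descriptors get back-reference handles
        self.handles.append(obj)
        return obj

    def read_stream(self):
        if self._u16() != STREAM_MAGIC or self._u16() != STREAM_VERSION:
            raise ValueError("not a Java serialization stream")
        items = []
        while self.pos < len(self.buf):
            items.append(self._content())
        return items

    def _content(self):
        tc = self._u8()
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.handles[struct.unpack(">i", self._take(4))[0] - BASE_WIRE_HANDLE]
        if tc == TC_STRING:
            return self._handle(self._utf())
        if tc == TC_OBJECT:
            return self._object()
        if tc == TC_CLASSDESC:
            return self._class_desc()
        raise NotImplementedError(f"type code 0x{tc:02x} not handled by this reader")

    def _end_block(self):  # only the bare terminator is handled, not custom block data
        if self._u8() != TC_ENDBLOCKDATA:
            raise NotImplementedError("class annotations / writeObject data not handled")

    def _class_desc(self):
        name, suid, flags = self._utf(), struct.unpack(">q", self._take(8))[0], self._u8()
        desc = self._handle({"name": name, "serialVersionUID": suid, "flags": flags, "fields": []})
        for _ in range(self._u16()):
            tcode, fname = chr(self._u8()), self._utf()
            ftype = self._content() if tcode in "L[" else tcode  # object fields name their type
            desc["fields"].append((fname, tcode, ftype))
        self._end_block()                # class annotations
        desc["super"] = self._content()  # TC_NULL or the superclass descriptor
        return desc

    def _object(self):
        desc = self._content()
        obj = self._handle({"class": desc["name"], "fields": {}})
        chain = []
        while desc is not None:  # field data is written superclass-first
            chain.append(desc)
            desc = desc["super"]
        for d in reversed(chain):
            for fname, tcode, _ in d["fields"]:
                if tcode in PRIM_FORMAT:
                    fmt = PRIM_FORMAT[tcode]
                    obj["fields"][fname] = struct.unpack(fmt, self._take(struct.calcsize(fmt)))[0]
                else:
                    obj["fields"][fname] = self._content()
            if d["flags"] & SC_WRITE_METHOD:  # custom writeObject() output follows
                self._end_block()
        return obj


def _jutf(s):  # length-prefixed string, as the stream encodes it
    enc = s.encode("utf-8")
    return struct.pack(">H", len(enc)) + enc


# Constructed sample: the bytes ObjectOutputStream writes for
#   class Secret implements Serializable { int level; String token; }   (hand-assembled; UID arbitrary)
SAMPLE = (
    b"\xac\xed\x00\x05\x73\x72" + _jutf("Secret")       # magic, version, TC_OBJECT, TC_CLASSDESC, name
    + b"\x01\x02\x03\x04\x05\x06\x07\x08\x02\x00\x02"   # serialVersionUID, SC_SERIALIZABLE, 2 fields
    + b"I" + _jutf("level")                              # int level
    + b"L" + _jutf("token") + b"\x74" + _jutf("Ljava/lang/String;")  # String token
    + b"\x78\x70"                                        # no class annotations, no superclass
    + b"\x00\x00\x00\x07" + b"\x74" + _jutf("hunter2")   # level = 7, token = "hunter2"
)
```

`JavaSerialReader(SAMPLE).read_stream()` returns `[{"class": "Secret", "fields": {"level": 7, "token": "hunter2"}}]`: the class name, the field names and the field values are all right there in the bytes, which is the point of the appendix the answer cites. Two practical consequences follow. Serialized objects on disk deserve the same handling as any other plaintext copy of their contents (encrypt at rest, keep secrets out of serializable fields, or mark them `transient`). And a reader like this one, which never loads a class and never executes deserialization callbacks, is the safe way to inspect a serialized blob of unknown origin before deciding whether to deserialize it at all.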