134. Introducing JDK 9 deserialization filters
As you know from Chapter 4, Problem 94, deserialization is exposed to vulnerabilities that may cause serious security issues. In other words, between serialization and deserialization, an untrusted party (an attacker) can alter the serialized form in order to execute arbitrary code, sneak in malicious data, and so on.
In order to prevent such vulnerabilities, JDK 9 introduced deserialization filters: restrictions that accept or reject deserialization based on specific predicates. A deserialization filter intercepts a stream that is about to be deserialized and applies one or more predicates to it; every predicate must pass for deserialization to proceed. If a predicate fails, deserialization does not even start and the stream is rejected.
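The following is an added example (not code from the book) showing a stream-specific filter built with `ObjectInputFilter.Config.createFilter()` and attached via `ObjectInputStream.setObjectInputFilter()`, both part of the JDK 9 API. The pattern is an allow-list: it caps the graph depth, byte count and reference count, accepts only the constructed `Order` class (plus `java.lang.String`), and rejects everything else with `!*`. The class names `DeserializationFilterDemo`, `Order` and `Unexpected`, and the limit values, are assumptions made for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Constructed sample type: the only application class we intend to accept from a stream.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
        @Override public String toString() { return sku + " x" + qty; }
    }

    // Constructed stand-in for "any class that is not on the allow-list".
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "should never be accepted";
    }

    // Serialize an object to bytes; in practice these bytes would arrive from an untrusted source.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the given filter; the filter is consulted before each class is resolved,
    // so a rejected class fails with InvalidClassException before any of its code runs.
    static Object readWithFilter(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list pattern (limits are assumed values chosen for this demo):
        //   maxdepth/maxbytes/maxrefs - resource limits on the object graph
        //   DeserializationFilterDemo$Order, java.lang.String - accepted classes
        //   !*                         - reject every other class
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=4096;maxrefs=50;"
              + DeserializationFilterDemo.class.getName() + "$Order;"
              + "java.lang.String;"
              + "!*");

        Object accepted = readWithFilter(toBytes(new Order("ABC-1", 3)), filter);
        System.out.println("accepted: " + accepted);

        try {
            readWithFilter(toBytes(new Unexpected()), filter);
            System.out.println("unexpected: filter did not reject");
        } catch (InvalidClassException e) {
            // Expected path: the filter returns REJECTED for Unexpected and the read aborts.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the filter is evaluated before the class descriptor is resolved, the rejected stream never reaches `Unexpected`'s constructor, `readObject`, or any other code on that class; from a defensive standpoint this is the property that matters, so prefer an allow-list ending in `!*` over a deny-list of known-bad classes.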
There are two kinds of filters: