Is There a Plan to Remove Serialization from OpenJDK?

Asked By TechieGuru92 On

Has the OpenJDK team ever considered the option of completely removing serialization without any replacement? Serialization 1.0 has proven to be quite dangerous because it's included with the JVM by default, even if you don't intend to use it. Unlike libraries like Jackson that you can choose to include, serialization is just there. Recently, newer JDKs allow you to disable serialization using serialization filters, which enhances security. Will there be a way to disable serialization 2.0 in a similar fashion?
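The serialization filters mentioned in the question, shown as an added example that is not part of this thread: one constructed payload read under a deny-all filter (the closest thing to "disabling" built-in deserialization for a stream), a deny-by-default allow-list, and no filter at all. The class name SerialFilterDemo and the sample payload are assumptions for illustration; the pattern syntax is that of java.io.ObjectInputFilter (JDK 9 and later).

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the thread): the same bytes deserialized with a
// deny-all filter, an allow-list filter and no filter.
public class SerialFilterDemo {

    // Constructed sample payload: a java.util.ArrayList holding one String.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under a per-stream filter; returns null if the filter rejected the data.
    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        } catch (InvalidClassException e) {
            // ObjectInputStream raises InvalidClassException when the filter answers REJECTED.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> sample = new ArrayList<>();
        sample.add("hello");
        byte[] data = serialize(sample);

        // 1. Reject every class: built-in deserialization is effectively off for this stream.
        ObjectInputFilter denyAll = ObjectInputFilter.Config.createFilter("!*");
        System.out.println("deny-all   -> " + deserialize(data, denyAll));

        // 2. Allow-list only the types the application expects. The trailing "!*" makes the
        //    list deny-by-default; maxdepth bounds object-graph nesting.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;maxdepth=5;!*");
        System.out.println("allow-list -> " + deserialize(data, allowList));

        // 3. No filter: any serializable class on the classpath is accepted.
        System.out.println("no filter  -> " + deserialize(data, null));
    }
}
```

The same pattern string can be applied process-wide, covering RMI and JMX streams the application never opens itself, with the `jdk.serialFilter` system property (`-Djdk.serialFilter="..."`) instead of per-stream `setObjectInputFilter`.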

3 Answers

Answered By SecureCoder88 On

To add to that, the reason Serialization 1.0 is considered so dangerous is that it's included in the JVM regardless. Even if you didn’t intend for your app to use it, things like RMI and JMX might still be using it under the hood, leading to unintended vulnerabilities. So the concern is valid.

Answered By JavaNerd01 On

Yes, there have been discussions about removing serialization altogether. Developers like Brian Goetz have invested a lot of time figuring out how to mitigate the issues with Serialization 1.0. You raised a great question about disabling Serialization 2.0. Just to clarify, the real concern isn't serialization itself—it’s deserialization that's often problematic. Deserialization turns external data into objects, and you can do that without needing either version of serialization. Unless they incorporate a filter for Serialization 2.0, you probably won't have the ability to deactivate it entirely the way you could with the SecurityManager.

DevExpert22 -

That makes sense! So, it's mainly about managing what's coming in, right?

Answered By CodeWizard77 On

I'm not sure I understand your point. Using built-in serialization is a choice, just like opting for libraries like Fury or Kryo.
