Home / I/O / Deserialization filters
I/O advanced

Deserialization filters

Restrict which classes can be deserialized to prevent attacks.

Code Comparison
✕ Java 8 
// Dangerous: accepts any class
ObjectInputStream ois =
    new ObjectInputStream(input);
Object obj = ois.readObject();
// deserialization attacks possible!
✓ Java 9+ 
ObjectInputFilter filter =
    ObjectInputFilter.Config
    .createFilter(
        "com.myapp.*;!*"
    );
ois.setObjectInputFilter(filter);
Object obj = ois.readObject();
Why the modern way wins
🛡️

Security

Prevent deserialization of unexpected/malicious classes.

📐

Fine-grained

Control depth, array size, references, and class patterns.

🏗️

JVM-wide

Set a global filter for all deserialization in the JVM.

Old Approach
Accept Everything
Modern Approach
ObjectInputFilter
Since JDK
9
Difficulty
advanced
JDK Support
Deserialization filters
Available

Widely available since JDK 9 (Sept 2017)

How it works

ObjectInputFilter lets you allowlist/denylist classes, limit object graph depth, array sizes, and reference counts. This defends against deserialization vulnerabilities without external libraries.

Related patterns

I/O beginner

InputStream.transferTo()

Java 8
byte[] buf = new byte[8192];
int n;
while ((n = input.read(buf)) != -1) {
    output.write(buf, 0, n);
}
Java 9+
input.transferTo(output);
Hover to see modern ➜
JDK 9+
I/O beginner

Modern HTTP client

Java 8
URL url = new URL("https://api.com/data");
HttpURLConnection con =
    (HttpURLConnection) url.openConnection();
con.setRequestMethod("GET");
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
// read lines, close streams...
Java 11+
var client = HttpClient.newHttpClient();
var request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.com/data"))
    .build();
var response = client.send(
    request, BodyHandlers.ofString());
String body = response.body();
Hover to see modern ➜
JDK 11+
I/O beginner

Path.of() factory

Java 8
Path path = Paths.get("src", "main",
    "java", "App.java");
Java 11+
Path path = Path.of("src", "main",
    "java", "App.java");
Hover to see modern ➜
JDK 11+
Share 𝕏 🦋 in