Kotlin Serialization

Let me elaborate on security a little bit. There are two kinds of serialization.

  • In static serialization you invoke something like MyClass.load(someInput) and only classes explicitly and statically referenced by MyClass get loaded. There is no reflection or loading of classes by name.
  • In dynamic serialization, like Java Serialization, you invoke something like someInput.readObject(). Any class name can appear on the stream, and it will be dynamically found on the class path at run time and loaded.

Any dynamic serialization scheme is inherently insecure. There is no way to make it secure by limiting resurrection to constructors and/or public setters only, since in a big application there is always a chance of a class somewhere on your classpath that does something weird, and even if you limit loaded classes by whitelist, there are still issues. You can google Java Serialization security issues.

However, dynamic serialization is extremely useful in closed-world settings. Every modern JVM-based big-data distributed-computing framework uses it.

We plan to support both static and dynamic serialization in Kotlin.
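An added illustration of the two kinds described above (example code, not from the post or from the Kotlin project): a hand-written static loader whose set of constructible classes is fixed at compile time, next to Java Serialization guarded by an ObjectInputFilter allow-list. The Point, Tag and dynamicLoad names are assumptions; the filter API assumes Java 9 or later.

```kotlin
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.InvalidClassException
import java.io.ObjectInputFilter
import java.io.ObjectInputStream
import java.io.ObjectOutputStream
import java.io.Serializable

// Static serialization: load() can only ever construct Point (and Int).
// No class name travels with the data, so nothing is resolved by name.
data class Point(val x: Int, val y: Int) {
    fun save(): String = "$x,$y"
    companion object {
        fun load(input: String): Point {
            val parts = input.split(",")
            require(parts.size == 2) { "expected 'x,y', got '$input'" }
            return Point(parts[0].toInt(), parts[1].toInt())
        }
    }
}

// Dynamic serialization: the class name is read from the stream and resolved at run time.
// An allow-list filter (JEP 290) is the standard mitigation; the post explains why
// even an allow-list does not make the scheme safe in a large classpath.
class Tag(val label: String) : Serializable

fun dynamicLoad(bytes: ByteArray): Any {
    // Only Tag and String may be resolved; "!*" rejects every other class.
    val filter = ObjectInputFilter.Config.createFilter("Tag;java.lang.String;!*")
    return ObjectInputStream(ByteArrayInputStream(bytes)).use { ois ->
        ois.objectInputFilter = filter
        ois.readObject()
    }
}

private fun serialize(obj: Any): ByteArray = ByteArrayOutputStream().also { bos ->
    ObjectOutputStream(bos).use { it.writeObject(obj) }
}.toByteArray()

fun main() {
    println("static: ${Point.load(Point(3, 4).save())}")

    val allowed = dynamicLoad(serialize(Tag("ok"))) as Tag
    println("dynamic (allowed): ${allowed.label}")

    // A class outside the allow-list, here java.util.Date, is rejected before construction.
    try {
        dynamicLoad(serialize(java.util.Date(0)))
    } catch (e: InvalidClassException) {
        println("dynamic (rejected): ${e.message}")
    }
}
```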