ABSTRACT

To use serialPersistentFields correctly, it must be declared private, static, and final.

EXPLANATION

The Java Object Serialization Specification allows developers to manually define Serializable fields for a class by specifying them in the serialPersistentFields array. This feature will only work if serialPersistentFields is declared as private, static, and final.

Example 1: The following declaration of serialPersistentFields will not be used to define Serializable fields because it is declared public (and as an instance field) rather than private, static, and final.


class List implements Serializable {
public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
...
}
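The following program is an added example, not code from the original page, that makes the consequence of the wrong modifiers visible. It places an incorrectly declared serialPersistentFields array (public instance field, as in Example 1) beside a correctly declared one (private static final) and asks ObjectStreamClass which fields the serialization runtime will actually write for each class. The class names Ignored and Honored, the field names myField and secret, and the helper serializableFieldNames are assumptions made for this illustration.

```java
import java.io.ObjectStreamClass;
import java.io.ObjectStreamField;
import java.io.Serializable;
import java.util.Arrays;

public class SerialPersistentFieldsDemo {

    // Wrong: public and non-static. The runtime does not recognize this array,
    // falls back to default field selection (every non-static, non-transient
    // field), and the array itself becomes an instance field to be written.
    static class Ignored implements Serializable {
        private static final long serialVersionUID = 1L;
        public ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("myField", String.class)
        };
        String myField = "visible";
        String secret = "not meant to leave the JVM";   // constructed sample value
    }

    // Right: private static final. Only the listed field is written; 'secret'
    // is excluded without needing the transient keyword.
    static class Honored implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("myField", String.class)
        };
        String myField = "visible";
        String secret = "not meant to leave the JVM";   // constructed sample value
    }

    // Hypothetical helper: names of the fields the serialization runtime
    // considers serializable for cls, as reported by ObjectStreamClass.
    static String[] serializableFieldNames(Class<?> cls) {
        ObjectStreamField[] fields = ObjectStreamClass.lookup(cls).getFields();
        String[] names = new String[fields.length];
        for (int i = 0; i < fields.length; i++) {
            names[i] = fields[i].getName();
        }
        return names;
    }

    public static void main(String[] args) {
        System.out.println("Ignored: " + Arrays.toString(serializableFieldNames(Ignored.class)));
        System.out.println("Honored: " + Arrays.toString(serializableFieldNames(Honored.class)));
    }
}
```

Running this shows Ignored with myField, secret and the serialPersistentFields array all listed as serializable fields, whereas Honored lists only myField. The ObjectStreamClass check is a cheap way to confirm, in a unit test, that a class's serialized form contains exactly the fields intended; a mistaken modifier otherwise fails silently and ships every field.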

REFERENCES

[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 485

[2] Sun Microsystems, Inc. Java Sun Tutorial