One of the new features developed for JDK 9, JEP 290: Filter Incoming Serialization Data, has been back-ported to JDK 8, 7, and 6.
The option of filtering incoming serialization data adds one more layer of protection and robustness to object serialization. By using the filtering mechanism, developers can constrain the classes that an application is allowed to deserialize, and bound the size of the incoming object graph, before any of the deserialized code runs. Like most security features, this new feature is not meant to replace current secure coding practices but to add to them.
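As an added example (not code from the original post), the following program shows what a filter looks like in practice: a constructed `Greeting` class is allowed, every other class is rejected, the graph metrics are capped, and rejections are logged. The class names, limits and field names are illustrative. It is written against the JDK 9 API (`java.io.ObjectInputFilter`); on the 8u121/7u131/6u141 backport the same interface is exposed as `sun.misc.ObjectInputFilter`, and the per-stream filter is installed with `sun.misc.ObjectInputFilter.Config.setObjectInputFilter(ois, filter)` instead of `ois.setObjectInputFilter(filter)`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example, not part of the original post. Uses the JDK 9 java.io.ObjectInputFilter API.
 * On the 8u121 / 7u131 / 6u141 backport the interface is sun.misc.ObjectInputFilter and the
 * per-stream filter is attached with sun.misc.ObjectInputFilter.Config.setObjectInputFilter(ois, filter).
 */
public class SerialFilterDemo {

    // Constructed sample types: the one the application expects, and one it never should see.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        // A hostile class does its damage in readObject(); the filter rejects the class
        // while its descriptor is being resolved, so this method never runs.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unexpected.readObject ran, which must not happen");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /*
     * Allow-list in the jdk.serialFilter pattern syntax:
     *   - binary names of the classes we expect (nested classes use '$'),
     *   - "!*" rejects every other class,
     *   - maxdepth/maxrefs/maxbytes/maxarray bound the graph so a crafted stream built only
     *     from allowed classes still cannot exhaust memory or stack.
     * The same string works process-wide via -Djdk.serialFilter=... with no code change.
     */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
        "SerialFilterDemo$Greeting;!*;maxdepth=5;maxrefs=50;maxbytes=4096;maxarray=100");

    // Wrap the pattern filter so rejections are logged: a rejected class name in production
    // logs is a strong signal that someone is probing the endpoint with gadget chains.
    static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = ALLOW_LIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            System.err.println("serialization filter rejected: class=" + info.serialClass()
                + " depth=" + info.depth() + " refs=" + info.references()
                + " bytes=" + info.streamBytes());
        }
        return status;
    };

    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(LOGGING_FILTER); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserializeFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        try {
            deserializeFiltered(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was deserialized");
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision in the exception message ("filter status: REJECTED").
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two points worth noting from the code: the filter is consulted when a class descriptor is resolved, so a rejected class is stopped before its `readObject` or any constructor logic executes; and the allow-list pattern is the part to keep tight, because `!*` only helps if the entries before it are exact class names rather than broad package wildcards.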
The feature is available in JDK 9 early access builds, but since we wanted users of current versions to have this capability, it has already been back-ported to the JDK and JRE updates released with the January 2017 Critical Patch Update (8u121, 7u131, and 6u141). See the release notes for the corresponding releases for further information.