2828import java .util .Objects ;
2929
3030/**
31- * Assists with the serialization process and performs additional functionality based
32- * on serialization.
31+ * Performs additional functionality for serialization.
3332 *
3433 * <ul>
3534 * <li>Deep clone using serialization</li>
3635 * <li>Serialize managing finally and IOException</li>
3736 * <li>Deserialize managing finally and IOException</li>
3837 * </ul>
3938 *
40- * <p>This class throws exceptions for invalid {@code null} inputs.
41- * Each method documents its behavior in more detail.</p>
39+ * <p>
40+ * This class throws exceptions for invalid {@code null} inputs. Each method documents its behavior in more detail.
41+ * </p>
42+ * <p>
43+ * If you want to secure deserialization with a whitelist or blacklist, please use Apache Commons IO's
44+ * {@link org.apache.commons.io.serialization.ValidatingObjectInputStream ValidatingObjectInputStream}.
45+ * </p>
46+ * <p>
47+ * #ThreadSafe#
48+ * </p>
4249 *
43- * <p>#ThreadSafe#</p>
50+ * @see org.apache.commons.io.serialization.ValidatingObjectInputStream
4451 * @since 1.0
4552 */
4653public class SerializationUtils {
@@ -140,13 +147,18 @@ public static <T extends Serializable> T clone(final T object) {
140147 * Without Generics in this declaration, the call site must type cast and can cause the same ClassCastException.
141148 * Note that in both cases, the ClassCastException is in the call site, not in this method.
142149 * </p>
150+ * <p>
151+ * If you want to secure deserialization with a whitelist or blacklist, please use Apache Commons IO's
152+ * {@link org.apache.commons.io.serialization.ValidatingObjectInputStream ValidatingObjectInputStream}.
153+ * </p>
143154 *
144155 * @param <T> the object type to be deserialized.
145156 * @param objectData
146157 * the serialized object, must not be null.
147158 * @return the deserialized object.
148159 * @throws NullPointerException if {@code objectData} is {@code null}.
149160 * @throws SerializationException (runtime) if the serialization fails.
161+ * @see org.apache.commons.io.serialization.ValidatingObjectInputStream
150162 */
151163 public static <T > T deserialize (final byte [] objectData ) {
152164 Objects .requireNonNull (objectData , "objectData" );
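Review bot: The Javadoc added to deserialize(byte[]) presents filtering as optional ("If you want to secure deserialization with a whitelist or blacklist") and points only at a Commons IO class, but it never says that this method itself applies no class filter, so a reader is not told that feeding it bytes from an untrusted source can execute arbitrary code via a gadget chain. The method body lies outside the hunk, so I cannot confirm the stream setup, but the wording of the new paragraph implies no filter is installed here. I would replace the paragraph with an explicit warning such as `<p><strong>Warning:</strong> this method performs no class filtering; never call it on data from an untrusted source, as a crafted payload can execute arbitrary code. Restrict permitted classes with an allowlist, e.g. {@link java.io.ObjectInputFilter} (Java 9+) or Commons IO's {@code ValidatingObjectInputStream}.</p>`. Naming the JDK's own ObjectInputFilter matters because Commons IO is not necessarily on the caller's classpath, and "blacklist" should not be offered as an equal alternative since deny-lists are routinely bypassed by new gadget classes. The same text belongs on the InputStream overload and the class-level Javadoc in the other two hunks.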
@@ -172,12 +184,17 @@ public static <T> T deserialize(final byte[] objectData) {
172184 * Note that in both cases, the ClassCastException is in the call site, not in this method.
173185 * </p>
174186 *
187+ * <p>
188+ * If you want to secure deserialization with a whitelist or blacklist, please use Apache Commons IO's
189+ * {@link org.apache.commons.io.serialization.ValidatingObjectInputStream ValidatingObjectInputStream}.
190+ * </p>
191+ *
175192 * @param <T> the object type to be deserialized.
176- * @param inputStream
177- * the serialized object input stream, must not be null.
193+ * @param inputStream the serialized object input stream, must not be null.
178194 * @return the deserialized object.
179195 * @throws NullPointerException if {@code inputStream} is {@code null}.
180196 * @throws SerializationException (runtime) if the serialization fails.
197+ * @see org.apache.commons.io.serialization.ValidatingObjectInputStream
181198 */
182199 @ SuppressWarnings ("resource" ) // inputStream is managed by the caller
183200 public static <T > T deserialize (final InputStream inputStream ) {