Java

Made by DeepSource

readResolve should be protected for non-final classes JAVA-W1097

Anti-pattern
Major
Autofix

The readResolve method provides additional control over how an object is deserialized.

If this method is private in a non-final class, subclasses do not inherit it, so the serialization runtime will not call it when an instance of a child class is deserialized. Child classes may then miss deserialization logic that is implemented only in the parent class's private readResolve method.

The autofix for this issue will replace the private modifier with a protected modifier. If you instead wish to make the declaring class final, avoid applying the autofix.

Bad Practice

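import java.io.Serializable;

public class SomeClass implements Serializable {
    // Private: not invoked when a subclass instance is deserialized.
    private Object readResolve() {
        // ...
        return this;
    }
}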

Recommended

If the class should not have any child classes, make it final.

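import java.io.Serializable;

public final class SomeClass implements Serializable {
    // Private is fine here: a final class has no subclasses.
    private Object readResolve() {
        // ...
        return this;
    }
}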

If the class is allowed to be inherited, make the readResolve method protected.

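import java.io.Serializable;

public class SomeClass implements Serializable {
    // Protected: inherited, so it also runs for subclass instances.
    protected Object readResolve() {
        // ...
        return this;
    }
}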
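
The difference can be observed with a round trip through ObjectOutputStream and ObjectInputStream. The following is an added example, not DeepSource's own code; the class names and the "limit" field are hypothetical, and the unchecked constructor stands in for stream data that violates the invariant readResolve is meant to enforce.

```java
import java.io.*;

public class ReadResolveVisibilityDemo {
    // Parent validates its state in a private readResolve.
    static class PrivateBase implements Serializable {
        final int limit;
        PrivateBase(int limit) { this.limit = limit; } // unchecked: stands in for tampered stream data
        private Object readResolve() throws ObjectStreamException {
            if (limit < 0) throw new InvalidObjectException("negative limit");
            return this;
        }
    }
    static class PrivateChild extends PrivateBase {
        PrivateChild(int limit) { super(limit); }
    }

    // Same check, but protected, so serializable subclasses inherit it.
    static class ProtectedBase implements Serializable {
        final int limit;
        ProtectedBase(int limit) { this.limit = limit; }
        protected Object readResolve() throws ObjectStreamException {
            if (limit < 0) throw new InvalidObjectException("negative limit");
            return this;
        }
    }
    static class ProtectedChild extends ProtectedBase {
        ProtectedChild(int limit) { super(limit); }
    }

    // Serialize to memory, read back, and report whether the check fired.
    static String roundTrip(Serializable obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject().getClass().getSimpleName() + ": accepted";
        } catch (InvalidObjectException e) {
            return obj.getClass().getSimpleName() + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip(new PrivateBase(-1)));    // parent itself: check runs
        System.out.println(roundTrip(new PrivateChild(-1)));   // child: private check is skipped
        System.out.println(roundTrip(new ProtectedChild(-1))); // child: inherited check runs
    }
}
```

Only the PrivateChild instance is accepted with an invalid limit, because the serialization runtime does not look up a superclass's private readResolve for a subclass.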