On Thu, Sep 10, 2009 at 2:11 AM, George Georgovassilis < g.georgovassi...@gmail.com> wrote:
> I was under the impression that IsSerializable had been deprecated de
> facto. John, does IsSerializable currently override the serialization
> policy or is this a proposed behavior?

It doesn't override it -- the legacy serialization policy, which is what is used if no *.gwt.rpc file is found, allows anything marked IsSerializable to be serialized. Allowing Serializable is a security risk in this case, since many classes are marked as Serializable that should not be returned, and simply instantiating one of them might provide an attack vector if a malicious client knew it was on the server's classpath. IsSerializable doesn't have this problem because it is only used for GWT, so if the developer marked it in such a way they are explicitly saying it is ok for GWT to serialize.

--
John A. Tamplin
Software Engineer (GWT), Google

http://groups.google.com/group/Google-Web-Toolkit-Contributors
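An added example, not GWT's own code and not part of the thread, modelling the point John makes above: the legacy policy admits only the GWT-specific IsSerializable marker, a generated policy admits only an explicit allow-list, and trusting java.io.Serializable would admit classes that were never meant to cross the RPC boundary. The marker interface, the three sample classes and the simplified one-name-per-line policy format are stand-ins chosen for this demo (the real *.gwt.rpc file carries more fields per line); the policy contents are constructed inline.

```java
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example, not GWT's own code. Models the two policies described in the
 * message: the legacy policy (no *.gwt.rpc file found) that admits only
 * IsSerializable, and a generated policy that admits only names on an explicit
 * allow-list. Marker interface, sample classes and file format are stand-ins.
 */
public class RpcPolicyDemo {

    /** Stand-in for GWT's com.google.gwt.user.client.rpc.IsSerializable marker. */
    interface IsSerializable {}

    /** The developer opted this DTO in explicitly for GWT. */
    static class UserDto implements IsSerializable {
        public UserDto() {}
    }

    /** Serializable for some unrelated reason; never meant to be built from client input. */
    static class ServerOnlyBean implements Serializable {
        public ServerOnlyBean() { System.out.println("ServerOnlyBean constructed on the server"); }
    }

    /** Serializable, and listed in the generated policy below. */
    static class ReportRow implements Serializable {
        public ReportRow() {}
    }

    /** Legacy policy: the GWT-only marker is the developer's explicit opt-in. */
    static boolean legacyPolicyAllows(Class<?> c) {
        return IsSerializable.class.isAssignableFrom(c);
    }

    /** The rule the message warns against: java.io.Serializable admits far too much. */
    static boolean serializableAllows(Class<?> c) {
        return Serializable.class.isAssignableFrom(c);
    }

    /**
     * Parses the constructed, simplified allow-list: one fully qualified class
     * name per line, '#' starts a comment. Stand-in for the real *.gwt.rpc format.
     */
    static Set<String> parsePolicy(String contents) {
        Set<String> allowed = new HashSet<>();
        for (String line : contents.split("\n")) {
            String name = line.split("#", 2)[0].trim();
            if (!name.isEmpty()) allowed.add(name);
        }
        return allowed;
    }

    /**
     * Checks the client-supplied *name* against the allow-list before the class
     * is loaded: loading runs static initializers and instantiating runs the
     * constructor, so neither may happen for a name the policy does not list.
     */
    static Object instantiateIfAllowed(Set<String> policy, String className)
            throws ReflectiveOperationException {
        if (!policy.contains(className)) {
            throw new SecurityException("not in serialization policy: " + className);
        }
        Class<?> c = Class.forName(className);
        return c.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample policy, as the server would load it for one RPC service.
        String sampleGwtRpc =
            "# generated allow-list for ReportService (constructed sample)\n"
          + UserDto.class.getName() + "\n"
          + ReportRow.class.getName() + "   # explicitly listed\n";
        Set<String> policy = parsePolicy(sampleGwtRpc);

        Class<?>[] candidates = { UserDto.class, ReportRow.class, ServerOnlyBean.class };
        for (Class<?> c : candidates) {
            System.out.printf("%-15s legacy=%-5b generated=%-5b serializable=%-5b%n",
                c.getSimpleName(), legacyPolicyAllows(c),
                policy.contains(c.getName()), serializableAllows(c));
        }

        // A type name sent by a client that is not on the list is rejected before it is loaded.
        String clientSuppliedName = "RpcPolicyDemo$ServerOnlyBean";
        try {
            instantiateIfAllowed(policy, clientSuppliedName);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac RpcPolicyDemo.java && java RpcPolicyDemo`. The table shows UserDto admitted by the legacy and generated policies, ReportRow only by the generated one, and ServerOnlyBean by neither, even though it is Serializable; the final call shows the check happening on the name string, so the rejected class is never loaded or constructed.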