9.9. Signing Objects
Recall the earlier discussion about the need to protect an object when it is in serialized state and during transit. In fact, quite a few situations exist in which the authenticity of an object and its state must be assured. Following are three examples.
An object acting as an authentication or authorization token is passed around within a Java runtime as part of the security system's functions. Such a token must be unforgeable, and any modification to its state, whether accidental or malicious, must be detected.
An object is transported across machines (from one JVM to another), and the receiving side still needs to verify its authenticity.
An object's state is stored outside the Java runtime, for example, written to disk so that it survives a JVM restart, and must be checked for integrity when it is read back in.
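The following program is an added example, not code from the book; it shows the second and third cases above with the platform's java.security.SignedObject class: a token is serialized and signed, moved as bytes (standing in for a network hop or a disk file), restored, and verified before the embedded object is deserialized. It then corrupts one byte of the serialized token and shows that verification rejects it, and that a key other than the signer's rejects it too. The AuthToken class, the key algorithm (EC P-256 with SHA256withECDSA) and the sample field values are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignedObject;
import java.security.Signature;

public class SignedTokenDemo {

    // Hypothetical authorization token (an assumption for this example); any Serializable works.
    static final class AuthToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        final String role;
        final long expiresAtMillis;

        AuthToken(String principal, String role, long expiresAtMillis) {
            this.principal = principal;
            this.role = role;
            this.expiresAtMillis = expiresAtMillis;
        }

        @Override public String toString() {
            return principal + "/" + role + "/" + expiresAtMillis;
        }
    }

    // SignedObject serializes the token itself and signs the resulting bytes.
    static SignedObject sign(Serializable obj, PrivateKey key) throws Exception {
        return new SignedObject(obj, key, Signature.getInstance("SHA256withECDSA"));
    }

    // Check the signature FIRST; getObject() deserializes the payload, which is
    // exactly the step an attacker wants to reach with a forged or modified token.
    static AuthToken verifyAndExtract(SignedObject so, PublicKey key) throws Exception {
        Signature engine = Signature.getInstance(so.getAlgorithm());
        if (!so.verify(key, engine)) {
            throw new SecurityException("token signature does not verify");
        }
        return (AuthToken) so.getObject();
    }

    // Serialization to and from a byte array stands in for transit or disk storage.
    static byte[] toBytes(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object fromBytes(byte[] b) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return ois.readObject();   // yields only the SignedObject wrapper, not the token
        }
    }

    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair signer = kpg.generateKeyPair();

        AuthToken token = new AuthToken("alice", "admin", System.currentTimeMillis() + 60_000L);
        byte[] wire = toBytes(sign(token, signer.getPrivate()));

        // 1. Intact token: restore from bytes, verify, then use.
        SignedObject restored = (SignedObject) fromBytes(wire);
        System.out.println("intact token accepted: " + verifyAndExtract(restored, signer.getPublic()));

        // 2. Modified in transit: change "alice" to "alicf" inside the signed byte content.
        byte[] tampered = wire.clone();
        int at = indexOf(tampered, "alice".getBytes(StandardCharsets.US_ASCII));
        if (at < 0) throw new IllegalStateException("principal bytes not found");
        tampered[at + 4] = (byte) 'f';
        SignedObject forged = (SignedObject) fromBytes(tampered);
        try {
            verifyAndExtract(forged, signer.getPublic());
            System.out.println("BUG: modification not detected");
        } catch (SecurityException e) {
            System.out.println("modified token rejected: " + e.getMessage());
        }

        // 3. Signed by somebody else: the verifier's key does not match.
        KeyPair impostor = kpg.generateKeyPair();
        byte[] forgedWire = toBytes(sign(token, impostor.getPrivate()));
        SignedObject fromImpostor = (SignedObject) fromBytes(forgedWire);
        boolean ok = fromImpostor.verify(signer.getPublic(),
                Signature.getInstance(fromImpostor.getAlgorithm()));
        System.out.println("impostor-signed token verifies with real key: " + ok);   // false
    }
}
```

Two points the program is built around: the inner token is only ever deserialized after verify() succeeds, so unverified bytes never reach the token class's readObject path, and the same SignedObject bytes serve both the cross-JVM and the on-disk case, since what is protected is the serialized form, not the live object.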