A DESCRIPTION OF THE REQUEST :
Security sandbox protect ObjectInputStream is weakness, only control two parameters 
1.	enableSubclassImplementation  2.	enableSubstitution
Actually ObjectInputStream should introduce the protection for class name while deserialize the object. 
We can't depend on the checking the object to make the security for deseialize object.
test obj = (test) objectInputStream.readObject();

If deliver the viruses serialize object to ObjectInputStream, it had been executed.
EX.
Class viruses implements Serializable {
	private void readObject(java.io.ObjectInputStream s) {
			s.defaultReadObject();
	    	System.out.println("Execute");
	}
}
However the "execute" message will be printed although it isn't test object.





JUSTIFICATION :
CVE-2015-7501
Spring framework RCE leak
If use basic ObjectInputStream deserialize the object, can't make sure the process is safe.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Not test class will reject
ACTUAL -
viruses  class execute the readObject method

CUSTOMER SUBMITTED WORKAROUND :
protected Class<?> resolveClass(ObjectStreamClass desc)
	        throws IOException, ClassNotFoundException{
		SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(
                    new SerializablePermission("accessClass."+desc.getName()));
        }
        return super.resolveClass(desc);
} 
Add the class protection in the security manager.