Another way to solve this is to only call readResolve/readObject(ObjectInputStream) under a different security policy (a different AccessControlContext from the caller). The problem is that both approaches (lookahead or security policy) require you to use a custom ObjectInputStream class.