Is implementing java.io.Serializable even in simple POJO Java classes a best practice?

Question

In general, is it a best practice to have simple POJO Java classes implement java.io.Serializable?

Answer 1

Generally not. Joshua Bloch says to implement Serializable judiciously. A summary of drawbacks that he describes:

• decreases flexibility of changing class implementation later - the serialized form is part of the class's API
• makes some bugs and security holes more likely - an attacker can access class internals within the serialized byte stream
• increases test burden - now you have to test serialization!
• burdens authors of subclasses - they have to make their subclasses Serializable too

Of course, sometimes you need a POJO to implement Serializable, say for RMI, but if the need isn't there, your code will be simpler and more secure without it.

Answer 2

Only if you need to be able to serialise them. It's not worth the effort otherwise.