Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is a good way to make a class unserializable?

Java contains a lot of classes (like in Swing) which implement the dreaded and error prone interface Serializable.

If you implement, say, a new TableModel by extending AbstractTableModel, the new model must be serializable but what if it contains internal data types which aren't serializable and which don't have to be since you don't plan to use this feature anyway?

In such a case, tools like Sonar go crazy. The either complain that "Class Foo defines non-transient non-serializable instance field bar".

So I make that field transient just to get "The field Foo.bar is transient but isn't set by deserialization"

Is it possible to say "No, this class isn't serializable, and I don't want it to be" in such a way that you don't get any errors in tools like Sonar?

like image 481
Aaron Digulla Avatar asked Oct 11 '12 07:10

Aaron Digulla


People also ask

How do you make a class non Serializable?

In order to prevent subclass from serialization we need to implement writeObject() and readObject() methods which are executed by JVM during serialization and deserialization also NotSerializableException is made to be thrown from these methods.

How can we prevent child class from serialization?

There is no direct way to prevent sub-class from serialization in java. One possible way by which a programmer can achieve this is by implementing the writeObject() and readObject() methods in the subclass and needs to throw NotSerializableException from these methods.

How do you make a class Serializable in Java?

To make a Java object serializable you implement the java. io. Serializable interface. This is only a marker interface which tells the Java platform that the object is serializable.


3 Answers

Quoting from this JavaRevisited article (see #8):

To avoid java serialization you need to implement writeObject() and readObject() method in your Class and need to throw NotSerializableException from those method.

So you just need to paste this into your class:

private void writeObject(java.io.ObjectOutputStream stream) throws java.io.IOException {
    throw new java.io.NotSerializableException( getClass().getName() );
}

private void readObject(java.io.ObjectInputStream stream) throws java.io.IOException, ClassNotFoundException {
    throw new java.io.NotSerializableException( getClass().getName() );
}
like image 100
skytreader Avatar answered Sep 30 '22 23:09

skytreader


implement writeObject() and readObject() methods to throw NotSerializableException

or

http://docs.oracle.com/javase/6/docs/platform/serialization/spec/security.html#4214

like image 34
urir Avatar answered Oct 01 '22 00:10

urir


You can use something like that?

@SuppressFBWarnings(justification = "This field need to be transient")
private transient SomeObject myTransientField;

You will suppress the Findbug warning. You also can specify the validation type you want to suprres like:

@SuppressFBWarnings("SE_TRANSIENT_FIELD_NOT_RESTORED")

The complete list is there: http://findbugs.sourceforge.net/bugDescriptions.html

like image 1
voiski Avatar answered Sep 30 '22 23:09

voiski