Menu
Possible Duplicate:
Why Java needs Serializable interface?
According to Serializability in Java docs :
Serializability of a class is enabled by the class implementing the java.io.Serializable interface. Classes that do not implement this interface will not have any of their state serialized or deserialized. All subtypes of a serializable class are themselves serializable. The serialization interface has no methods or fields and serves only to identify the semantics of being serializable
Why doesn't the Object already implement Serializable? Members that we wouldn't want to be serializable may be made as transient. Why prevent the default Serializability?
204
A Java object is serializable if its class or any of its superclasses implements either the java. io. Serializable interface or its subinterface, java. io.
In Java, a NotSerializableException exception is thrown when an instance of a class must implement the Serializable interface. The exception is thrown by either the serialization runtime, or by the instance of the class. The argument for the NotSerializableException is the name of the class.
Implement the Serializable interface when you want to be able to convert an instance of a class into a series of bytes or when you think that a Serializable object might reference an instance of your class. Serializable classes are useful when you want to persist instances of them or send them over a wire.
If our class does not implement Serializable interface, or if it is having a reference to a non- Serializable class, then the JVM will throw NotSerializableException . All transient and static fields do not get serialized.
All subtypes of a serializable class are themselves serializable.
In other words: all classes you ever create, were or will be created are all serializable. transient only excludes fields, not whole classes.
This is a potential security hole - by coincidence you can serialize e.g. your DataSource with database credentials inside - if the creator of this particular DataSource implementation forgot to make such fields transient. It's surprisingly easy to serialize random Java object, e.g. through inner classes holding implicit reference to outer this.
It's just safer to use white-list of classes which you explicitly want and allow to serialize as opposed to carefully examining your code, making sure no fields you do not desire are ever serialized.
Moreover you can no longer say: MySuperSecretClass is not serializable (by simply not implementing Serializable) - you can only exclude the guts (fields).
91
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
