Yes,
He can grab it from a form, transform to byte array, create ByteArrayInputStream than use ZipInputStream and ObjectInputStream, read the object, than cast it to a HashMap and get this values
If you really conserned about this, you could encrypt a result
string on a way to your page and decrypt it when you get it back.