Hari,
ObjectOutputStream uses Java's reflection capability, which allows any class to look into the fields and methods of another class. The class java.lang.Class actually has methods for setting the field values of another class!!! You're right, this does seem to violate the principle that one class cannot access private members of another class. However, using normal object-to-object interaction is not affected. 'private' variables help us programmers enforce encapsulation - they're not for implementing security.