
Cost of implementing Serialization

 
Patricia Samuel
Ranch Hand
Howdy!!
While going through "Effective Java", I got stuck with the following stanza:

"A second cost of implementing Serializable is that it increases the likelihood of bugs and security holes."


I am not able to understand it. Can anyone help me understand this?

Thanks.
 
Venkata Kumar
Ranch Hand
If not used properly, serialization causes problems. Some of them are:

Static variables - serializing static variables doesn't make sense and may create bugs in a program.
Please see this link: http://forums.sun.com/thread.jspa?threadID=710356&messageID=4112234

Security - If a class contains information which has to be secured from the outside world, like a password as text or employee salaries, a malicious program might be able to read them from the serialized byte stream. Declaring those members transient will prevent them from being written to the serialized output.

Versioning - whenever a class is compiled, Java stores a version number in the class. If you attempt to send a serialized object to a running program that expects an older version of the object, then Java will throw an exception. 'Incompatible version' can be prevented by sharing the JAR files between the programs that send serialized objects back and forth.
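As an added example (not code posted in this thread), the following program shows two of the points above in the byte stream itself: a transient field holding a password is absent from the serialized output, and a static field is neither written to the stream nor restored from it. The class, field names and sample values are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class TransientDemo {

    // Constructed class: one ordinary field, one transient secret, one static counter.
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        static int instanceCount = 0;   // static: belongs to the class, never part of an object's stream
        String username;                // written to the stream as-is
        transient String password;      // transient: skipped by ObjectOutputStream

        Account(String username, String password) {
            this.username = username;
            this.password = password;
            instanceCount++;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Decode the raw stream as Latin-1 so every byte maps to exactly one char; an ASCII
    // string written by writeUTF therefore appears verbatim if it is in the stream at all.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials.
        byte[] bytes = serialize(new Account("alice", "s3cret-pw"));

        // The plain field is visible to anyone holding the bytes; the transient one is not there.
        System.out.println("username in stream: " + streamContains(bytes, "alice"));
        System.out.println("password in stream: " + streamContains(bytes, "s3cret-pw"));

        // Change the static after serialization: deserialization must not touch it.
        Account.instanceCount = 42;
        Account copy;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            copy = (Account) ois.readObject();
        }
        // The transient field was never written, so it comes back with its default value (null);
        // the static keeps whatever the running JVM last set, since the constructor is not re-run.
        System.out.println("password after deserialization: " + copy.password);
        System.out.println("instanceCount after deserialization: " + Account.instanceCount);
    }
}
```

Running it prints true for the username check and false for the password check, then null and 42 for the two deserialized values. The same search over the bytes is what a reviewer can do on any serialized artifact (a session file, a cached object) to confirm that sensitive fields were actually marked transient rather than assumed to be.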
 
Campbell Ritchie
Marshal
You can deserialise a singleton and have several instances.
You can serialise passwords.
You can serialise connections which are supposed to be closed and have them reopen after your application terminates.

Bound to be lots more; in fact Effective Java describes several problems with serialisation.
 
Patricia Samuel
Ranch Hand
Thanks. Nice explanation.

Static variables are not subject to serialization unless we do it explicitly. In a normal scenario, is there any benefit of using the transient keyword before a static variable declaration?
 
Rob Spoor
Sheriff
Originally posted by Campbell Ritchie:
You can deserialise a singleton and have several instances.

Fortunately that can be resolved using one single method:

Just like readObject and writeObject, this is a special method used in (de)serializing.

Originally posted by Patricia Samuel:
Thanks. Nice Explanation.

Static variables are not subject to serialization unless we do it explicitly. In a normal scenario, is there any benefit of using the transient keyword before a static variable declaration?

static and transient both mean the field won't be serialized, so static transient is never necessary - static (kind of) implies transient.
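The method Rob refers to is not reproduced on the page. The following added example (not code from the thread) uses readResolve, the standard hook that ObjectInputStream invokes after it has read an object so that the method's return value replaces the freshly built instance. It puts Campbell's broken singleton next to the fixed one; the class names are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SingletonSerializationDemo {

    // Constructed singleton without readResolve: every readObject() allocates a new instance,
    // so the "single" instance is no longer single once a stream has been read.
    static final class LeakySingleton implements Serializable {
        private static final long serialVersionUID = 1L;
        static final LeakySingleton INSTANCE = new LeakySingleton();
        private LeakySingleton() { }
    }

    // Same singleton with readResolve: the object built from the stream is discarded and the
    // canonical INSTANCE is handed back to the caller of readObject().
    static final class SafeSingleton implements Serializable {
        private static final long serialVersionUID = 1L;
        static final SafeSingleton INSTANCE = new SafeSingleton();
        private SafeSingleton() { }

        // Signature the serialization runtime looks for: any access modifier, no arguments, returns Object.
        private Object readResolve() {
            return INSTANCE;
        }
    }

    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    // Identity comparison (==), not equals(): the question is whether a second object exists.
    static boolean identityPreserved(Object singleton) throws IOException, ClassNotFoundException {
        return roundTrip(singleton) == singleton;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("LeakySingleton identity preserved: " + identityPreserved(LeakySingleton.INSTANCE));
        System.out.println("SafeSingleton identity preserved:  " + identityPreserved(SafeSingleton.INSTANCE));
    }
}
```

The first line prints false and the second true. Effective Java adds that a class relying on readResolve for instance control should declare all its instance fields transient (or be an enum instead), so that nothing read from an untrusted stream survives the substitution.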
 
Patricia Samuel
Ranch Hand
One more query related to serialization.

When we deserialise an object:
1. If a class does not implement the Serializable interface and its subclass implements it, the constructor of the superclass will be called during deserialization.
2. In addition to the above, it does not call the constructor if the superclass implements the Serializable interface.

If the above 2 statements are correct -

What if a superclass does not have a parameterless constructor, in the case where it does not implement the Serializable interface? Will it show a run-time error?

Thanks
 
Rob Spoor
Sheriff
Try it out and see for yourself.
But the answer is yes, you get an exception.
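As an added example (not code from the thread) that does what Rob suggests, the following program exercises both cases Patricia asks about: a non-serializable superclass with an accessible no-arg constructor, which does get invoked on deserialization, and one without, which makes readObject fail with InvalidClassException. Class and field names are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SuperclassConstructorDemo {

    // Case 1: non-serializable parent WITH an accessible no-arg constructor.
    static class Parent {
        String source;
        Parent() { source = "no-arg constructor"; }
        Parent(String source) { this.source = source; }
    }

    static class Child extends Parent implements Serializable {
        private static final long serialVersionUID = 1L;
        int value;
        Child() { super("Child's constructor"); value = 7; }
    }

    // Case 2: non-serializable parent WITHOUT a no-arg constructor.
    static class StrictParent {
        StrictParent(String ignored) { }
    }

    static class StrictChild extends StrictParent implements Serializable {
        private static final long serialVersionUID = 1L;
        StrictChild() { super("x"); }
    }

    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Parent's fields are not in the stream, so deserialization runs Parent() to initialise them;
        // Child's own field is restored from the stream (99), not re-initialised by Child().
        Child original = new Child();
        original.value = 99;
        Child copy = (Child) roundTrip(original);
        System.out.println("source = " + copy.source + ", value = " + copy.value);

        // Writing StrictChild succeeds, but reading it back finds no constructor to run for
        // StrictParent, so ObjectInputStream rejects the class with "no valid constructor".
        try {
            roundTrip(new StrictChild());
            System.out.println("unexpected: StrictChild was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("InvalidClassException: " + e.getMessage());
        }
    }
}
```

The first case prints source = no-arg constructor, value = 99, confirming Patricia's first statement and showing that whatever state Child's own constructor gave the parent is lost. The second case is the run-time error she asks about: the failure surfaces only when the stream is read, so a class that serializes cleanly today can still be undeserializable if a superclass later loses its no-arg constructor.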
 