static variables - serializing static variables doesn't make sense and may create bugs in the program.
please see this link http://forums.sun.com/thread.jspa?threadID=710356&messageID=4112234
security - If a class contains information which has to be secured from the outside world, like a password as text or employee salaries, a malicious program might be able to read them from the serialized byte stream. Declaring those members transient will prevent them from being written to the serialized output.
versioning - whenever a class is compiled, Java stores the version number in the class. If you attempt to send a serialized object to a running program that expects an older version of the object, then Java will throw an exception. 'Incompatible version' can be prevented by sharing the JAR files between the programs that send serialized objects back and forth.
You can serialise passwords.
You can serialise connections which are supposed to be closed and have them reopen after your application terminates.
Bound to be lots more; in fact Effective Java describes several problems with serialisation.
Originally posted by Campbell Ritchie:
You can deserialise a singleton and have several instances.
Fortunately that can be resolved using one single method:
Just like readObject and writeObject, this is a special method used in (de)serializing.
Originally posted by Patricia Samuel:
Thanks. Nice Explanation.
Static variables are not serialized unless we do it explicitly. In a normal scenario, is there any benefit of using the transient keyword before a static variable declaration?
static and transient both mean the field won't be serialized, so static transient is never necessary - static (kind of) implies transient.
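Added example (not code from this thread) showing both points above: the transient password never reaches the serialized bytes while the ordinary username does, and the static counter is neither written nor restored. The class, field names and the sample secret are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class TransientDemo {

    static class Credentials implements Serializable {
        private static final long serialVersionUID = 1L;
        static int instancesCreated = 0;   // static: never part of the stream
        String username;                   // ordinary field: written as-is
        transient String password;         // transient: skipped by writeObject

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
            instancesCreated++;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Default serialization writes String fields as modified UTF-8, so any
    // ASCII secret that was written is visible verbatim in the raw bytes.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        String secret = "hunter2-constructed-sample";   // constructed sample value
        byte[] bytes = serialize(new Credentials("alice", secret));

        System.out.println("username in stream? " + streamContains(bytes, "alice"));
        System.out.println("password in stream? " + streamContains(bytes, secret));

        Credentials.instancesCreated = 42;   // change the static before reading back
        Credentials back;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            back = (Credentials) in.readObject();
        }
        // A transient field is not restored: it holds the type default (null here).
        System.out.println("password after readObject: " + back.password);
        // The static is left as it was in the running JVM; nothing in the stream touches it.
        System.out.println("static after readObject:   " + Credentials.instancesCreated);
    }
}
```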
When we deserialise an object:
1. If a class does not implement the Serializable interface and its subclass does, the constructor of the superclass will be called during deserialization.
2. In addition to the above, it does not call the constructor if the superclass implements the Serializable interface.
If the above 2 statements are correct -
What if a superclass does not have a parameterless constructor in the case where it does not implement the Serializable interface? Will it show a runtime error?