
Sending objects - alternative approach to Serialization?

 
Michael Andro
Greenhorn
Posts: 9
Hey there,

I want to send objects via sockets. The standard approach seems to be using Java's Serialization.

However, I got the input that this would be really fragile and insecure. Security is not a problem at all, but I do not want to implement a fragile design which is hard to change afterwards.

Are there good alternatives? We thought of a home-brew serialization in an XML format. But this would end in the same way.

What to do?

Best regards!
 
Lester Burnham
Rancher
Posts: 1337
The drawback of binary serialization (involving Object[In|Out]putStream) is that it's not generally compatible between different versions of the JVM, sometimes, I believe, not even between minor releases.

If your objects follow JavaBeans conventions, then the java.beans.XMLEncoder and XMLDecoder classes may be sufficient, or maybe http://xstream.codehaus.org/ if more functionality is required.
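An added example, not code from the original thread, of the java.beans.XMLEncoder/XMLDecoder round trip Lester suggests. It assumes a hypothetical Order bean standing in for the objects being sent; the byte array is what would be written to and read from the socket.

```java
import java.beans.XMLDecoder;
import java.beans.XMLEncoder;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class BeanWireFormat {

    // Hypothetical message type (assumption, not from the thread). XMLEncoder
    // needs a public class, a public no-arg constructor and public getter/setter
    // pairs; a property missing either accessor is silently left out of the XML.
    public static class Order {
        private String customer;
        private int quantity;

        public Order() { }

        public String getCustomer() { return customer; }
        public void setCustomer(String customer) { this.customer = customer; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    // Sender side: turn the bean into the XML text that goes down the socket.
    // Only properties that differ from a freshly constructed Order are written.
    public static byte[] encode(Order order) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (XMLEncoder enc = new XMLEncoder(out)) {
            enc.writeObject(order);
        }
        return out.toByteArray();
    }

    // Receiver side: rebuild the bean from the bytes read off the socket and
    // reject anything that is not the type this endpoint expects.
    public static Order decode(byte[] bytes) {
        try (XMLDecoder dec = new XMLDecoder(new ByteArrayInputStream(bytes))) {
            Object obj = dec.readObject();
            if (!(obj instanceof Order)) {
                throw new IllegalArgumentException("unexpected payload: " + obj.getClass());
            }
            return (Order) obj;
        }
    }

    public static void main(String[] args) {
        Order o = new Order();
        o.setCustomer("alice");
        o.setQuantity(3);
        byte[] wire = encode(o);
        System.out.println(new String(wire, StandardCharsets.UTF_8)); // readable, diffable XML
        Order back = decode(wire);
        System.out.println(back.getCustomer() + " x" + back.getQuantity());
    }
}
```

Note that XMLDecoder, like ObjectInputStream, instantiates whatever classes the document names and invokes the methods it lists before readObject() returns, so the instanceof check validates the result but does not restrict what the decoder does; this format is only appropriate between peers that trust each other, which is the situation the original poster describes.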
 
Joe Ess
Bartender
Posts: 9406
Michael Andro wrote: However, I got the input that this would be really fragile and insecure.

Lester is right about serialization being fragile because of JVM incompatibility (I'm not sure about minor versions either, though), however, any other data transmission technology is going to be insecure as well. I'd argue that XML is more insecure than serialization because it includes the metadata that would help someone reconstruct the object along with the data. If you want security, you'll have to look at encryption no matter what technology you choose.
As for serialization's fragility, aside from the JVM issue, any data transmission technology is going to suffer from the same problems with keeping the sender and receiver's interfaces on the same version, so that complaint is a wash.
Personally, I default to object serialization because it is the easiest to code and it is built into the JVM. If I had to choose something else, I'd probably go with Lester's suggestions. Using functionality from the JVM or a third party API is almost always better than rolling one's own because you get well-tested code and a community for support.
 
Michael Andro
Greenhorn
Posts: 9
Thanks for the worthy comments.

I have read the section about Serialization in Effective Java; it explains really well when to use pure Serialization and when not, and that most of the time it should be done by hand.
 