Reading and Writing |
An object is serializable only if its class implements theSerializable
interface. Thus, if you want to serialize the instances of one of your classes, the class must implement theSerializable
interface. The good news is thatSerializable
is an empty interface. That is, it doesn't contain any method declarations; it's purpose is simply to identify classes whose objects are serializable.Implementing the Serializable Interface
Here's the complete definition of theSerializable
interface:Making instances of your classes serializable is easy. You just add thepackage java.io; public interface Serializable { // there's nothing in here! };implements Serializable
clause to your class declaration like this:You don't have to write any methods. The serialization of instances of this class are handled by thepublic class MySerializableClass implements Serializable { ... }defaultWriteObject
method ofObjectOutputStream
. This method automatically writes out everything required to reconstruct an instance of the class, including the following:For many classes, this default behavior is good enough. However, default serialization can be slow, and a class might want more explicit control over the serialization.
- Class of the object
- Class signature
- Values of all non-
transient
and non-static
members, including members that refer to other objectsCustomizing Serialization
You can customize serialization for your classes by providing two methods for it:writeObject
andreadObject
. ThewriteObject
method controls what information is saved. It is typically used to append additional information to the stream. ThereadObject
method either reads the information written by the correspondingwriteObject
method or can be used to update the state of the object after it has been restored.The
writeObject
method must be declared exactly as shown in the following example. Also, it should call the stream'sdefaultWriteObject
as the first thing it does to perform default serialization. Any special arrangements can be handled afterwards:Theprivate void writeObject(ObjectOutputStream s) throws IOException { s.defaultWriteObject(); // customized serialization code }readObject
method must read in everything written bywriteObject
in the same order in which it was written. Also, thereadObject
method can perform calculations or update the state of the object in some way. Here's thereadObject
method that corresponds to thewriteObject
method just shown:Theprivate void readObject(ObjectInputStream s) throws IOException { s.defaultReadObject(); // customized deserialization code ... // followed by code to update the object, if necessary }readObject
method must be declared exactly as shown.The
writeObject
andreadObject
methods are responsible for serializing only the immediate class. Any serialization required by the superclasses is handle automatically. However, a class that needs to explicitly coordinate with its superclasses to serialize itself can do so by implementing theExternalizable
interface.Implementing the Externalizable Interface
For complete, explicit control of the serialization process, a class must implement theExternalizable
interface. ForExternalizable
objects, only the identity of the object's class is automatically saved by the stream. The class is responsible for writing and reading its contents, and it must coordinate with its superclasses to do so.Here's the complete definition of the
Externalizable
interface that extendsSerializable
:The following holds for anpackage java.io; public interface Externalizable extends Serializable { public void writeExternal(ObjectOutput out) throws IOException; public void readExternal(ObjectInput in) throws IOException, java.lang.ClassNotFoundException; }Externalizable
class:The
- It must implement the
java.io.Externalizable
interface.- It must implement a
writeExternal
method to save the state of the object. Also, it must explicitly coordinate with its supertype to save its state.- It must implement a
readExternal
method to read the data written by thewriteExternal
method from the stream and restore the state of the object. It must explicitly coordinate with the supertype to restore its state.- If externally defined format is being written, the
writeExternal
andreadExternal
methods are solely responsible for that format.writeExternal
andreadExternal
methods are public and carry the risk that a client may be able to write or read information in the object other than by using its methods and fields. These methods must be used only when the information held by the object is not sensitive or when exposing that information would not present a security risk.Protecting Sensitive Information
When developing a class that provides controlled access to resources, you must take care to protect sensitive information and functions. During deserialization, the private state of the object is restored. For example, a file descriptor contains a handle that provides access to an operating system resource. Being able to forge a file descriptor would allow some forms of illegal access, since restoring state is done from a stream. Therefore the serializing runtime must take the conservative approach and not trust the stream to contain only valid representations of objects. To avoid compromising a class, you must provide either that the sensitive state of an object must not be restored from the stream or that it must be reverified by the class.Several techniques are available to protect sensitive data in classes. The easiest is to mark fields that contain sensitive data as private
transient
.transient
andstatic
fields are not serialized or deserialized. Marking the field will prevent the state from appearing in the stream and from being restored during deserialization. Since writing and reading (of private fields) cannot be superseded outside of the class, the class'stransient
fields are safe.Particularly sensitive classes should not be serialized. To accomplish this, the object should not implement either the
Serializable
orExternalizable
interface.Some classes may find it beneficial to allow writing and reading but to specifically handle and revalidate the state as it is deserialized. The class should implement
writeObject
andreadObject
methods to save and restore only the appropriate state. If access should be denied, throwing aNotSerializableException
will prevent further access.
Reading and Writing |