When should we implement Serializable interface?
JavaSerializationJava Problem Overview
public class Contact implements Serializable {
private String name;
private String email;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
}
- When should I implement
Serializableinterface? - Why do we do that?
- Does it give any advantages or security?
Java Solutions
Solution 1 - Java
-
From What's this "serialization" thing all about?:
> It lets you take an object or group of > objects, put them on a disk or send > them through a wire or wireless > transport mechanism, then later, > perhaps on another computer, reverse > the process: resurrect the original > object(s). The basic mechanisms are to > flatten object(s) into a > one-dimensional stream of bits, and to > turn that stream of bits back into the > original object(s). > > Like the Transporter on Star Trek, > it's all about taking something > complicated and turning it into a flat > sequence of 1s and 0s, then taking > that sequence of 1s and 0s (possibly > at another place, possibly at another > time) and reconstructing the original > complicated "something."
So, implement the
Serializableinterface when you need to store a copy of the object, send them to another process which runs on the same system or over the network. -
Because you want to store or send an object.
-
It makes storing and sending objects easy. It has nothing to do with security.
Solution 2 - Java
The answer to this question is, perhaps surprisingly, never, or more realistically, only when you are forced to for interoperability with legacy code. This is the recommendation in Effective Java, 3rd Edition by Joshua Bloch:
> There is no reason to use Java serialization in any new system you write
Oracle's chief architect, Mark Reinhold, is on record as saying removing the current Java serialization mechanism is a long-term goal.
Why Java serialization is flawed
Java provides as part of the language a serialization scheme you can opt in to, by using the Serializable interface. This scheme however has several intractable flaws and should be treated as a failed experiment by the Java language designers.
- It fundamentally pretends that one can talk about the serialized form of an object. But there are infinitely many serialization schemes, resulting in infinitely many serialized forms. By imposing one scheme, without any way of changing the scheme, applications can not use a scheme most appropriate for them.
- It is implemented as an additional means of constructing objects, which bypasses any precondition checks your constructors or factory methods perform. Unless tricky, error prone, and difficult to test extra deserialization code is written, your code probably has a gaping security weakness.
- Testing interoperability of different versions of the serialized form is very difficult.
- Handling of immutable objects is troublesome.
What to do instead
Instead, use a serialization scheme that you can explicitly control. Such as Protocol Buffers, JSON, XML, or your own custom scheme.
Solution 3 - Java
-
Implement the
Serializableinterface when you want to be able to convert an instance of a class into a series of bytes or when you think that aSerializableobject might reference an instance of your class. -
Serializableclasses are useful when you want to persist instances of them or send them over a wire. -
Instances of
Serializableclasses can be easily transmitted. Serialization does have some security consequences, however. Read Joshua Bloch's Effective Java.