Fading Coder

One Final Commit for the Last Sprint

Home > Tech > Content

Understanding Java Serialization and Deserialization Mechanisms

Tech May 18 3

Transmitting Objects Over Sockets

Transmitting raw object data over network sockets is a common requirement in distributed Java applications. If you attempt to send an object that does not implement a specific marker interface, the JVM will throw a runtime exception indicating that the object is not serializable.

To resolve this, the target class must implement the java.io.Serializable interface. This interface acts as a flag, informing the Java runtime that the object is permitted to be converted into a byte stream for transmission or storage.

import java.io.Serializable;

public class Employee implements Serializable {
    private static final long serialVersionUID = 1L;
    private String fullName;
    private int departmentId;

    // Constructors, getters, and setters
}

The Purpose of Serialization

Objects in Java exist within the memory heap of the Java Virtual Machine (JVM). Generally, these objects are transient; their lifecycle is tied to the JVM's execution. Once the JVM terminates, the objects in memory are lost.

However, real-world applications often require persisting object state beyond a single session or transmitting it to another machine. Serialization bridges this gap.

In simple terms:
Serialization is the process of converting an object's state into a byte stream, allowing it to be stored in a file, database, or sent over a network.
Deserialization is the reverse process, where the byte stream is reconstructed back into a live Java object with the same state.

Native Java Serialization API

Java provides built-in streams to handle this process:

  • java.io.ObjectOutputStream: This class handles the serialization. It contains the writeObject(Object obj) method, which transforms the provided object into a sequence of bytes and writes it to an underlying output stream.
  • java.io.ObjectInputStream: This class handles deserialization. Its readObject() method reads bytes from an input stream, reconstructs the object, and returns it.

For these methods to work, the object being read or written must implement the Serializable interface.

The Role of serialVersionUID

The serialVersionUID is a version identifier used during deserialization to verify that the sender and receiver have loaded compatible classes for the serialized object.

If a class defining an object does not explicitly declare a serialVersionUID, the Java serialization runtime will automatically calculate one based on various aspects of the class (such as field names, methods, and modifiers). This calculation is sensitive to compiler details and class structure changes.

Demonstrating Version Mismatch:

  1. Serialize an object to a file.
  2. Modify the class definition (e.g., add a field) without explicitly defining a serialVersionUID.
  3. Attempt to deserialize the file.
  4. Result: An InvalidClassException will occur because the auto-generated UID of the modified class no longer matches the UID stored in the file.

By explicitly defining a serialVersionUID (e.g., private static final long serialVersionUID = 1L;), you maintain control over versioning. The JVM will then treat versions with the same ID as compatible, even if minor structural changes (like adding a method or a field) have occurred.

The Transient Keyword

The transient keyword provides a mechanism to exclude specific fields from the serialization process. If a variable is marked as transient, its value is skipped during serialization. When the object is deserialized, transient fields are reset to their default values (e.g., 0 for integers, null for objects).

Custom Serialization Logic

Even if a field is marked transient, developers can still serialize it manually by implementing private methods within the class: writeObject and readObject.

These methods are invoked by the JVM via reflection during the serialization process, allowing custom logic to override the default behavior.

public class UserProfile implements Serializable {
    private String username;
    private transient String password; // Sensitive data

    private void writeObject(java.io.ObjectOutputStream out) throws IOException {
        out.defaultWriteObject(); // Serialize non-transient fields normally
        // Custom encryption/serialization for the transient field
        out.writeObject(encrypt(password));
    }

    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject(); // Deserialize non-transient fields normally
        // Custom decryption/deserialization
        this.password = decrypt((String) in.readObject());
    }

    // Helper methods for encryption/decryption omitted for brevity
}

Why Implement Custom Serialization? (The HashMap Example)

Why would a framework like Java's HashMap use transient for its internal storage array and implement custom writeObject and readObject methods?

The primary goal of serialization is to reconstruct an object that is semantically identical to the original. In a HashMap, elements are stored in an array based on the hash code of their keys. The hash code calculation can vary between different JVM implementations or versions.

If the internal array were serialized directly, deserializing it on a different JVM might result in a broken map. Keys that previously mapped to index N might now map to index M due to different hash algorithms. Consequently, a lookup for a key might fail to find the data, even though it exists in the map, because it is looking in the wrong bucket.

The Solution:

  • The internal Entry[] table, size, and modCount are marked transient to prevent default serialization.
  • writeObject is implemented to write the total number of buckets, the total number of entries, and the key-value pairs themselves (ignoring their physical array positions).
  • readObject reconstructs the map by reading the key-value pairs and re-calculating their hash codes and positions based on the current JVM's implementation, creating a new internal array.

This guarantees that the deserialized HashMap behaves consistently, regardless of the platform differences.

Key Takeaways

  • Java serialization persists the state of an object (data), not its behavior (methods).
  • If a superclass implements Serializable, its subclasses are automatically serializable.
  • Serialization traverses the object graph. If an object references another, the referenced object must also implement Serializable (or a NotSerializableException will be thrown), enabling deep serialization.
  • The transient keyword excludes fields from the default serialization process.
  • Fields marked transient can still be serialized by defining custom writeObject and readObject methods.
Tags: Java
Back to List

Prev: Java Concurrency: Understanding JUC Atomic Classes, CAS, and Unsafe

Next: Linux Cron Job Scheduling and Management

Related Articles

Understanding Strong and Weak References in Java

Strong References Strong reference are the most prevalent type of object referencing in Java. When an object has a strong reference pointing to it, the garbage collector will not reclaim its memory. F...

Comprehensive Guide to SSTI Explained with Payload Bypass Techniques

Introduction Server-Side Template Injection (SSTI) is a vulnerability in web applications where user input is improper handled within the template engine and executed on the server. This exploit can r...

Implement Image Upload Functionality for Django Integrated TinyMCE Editor

Django’s Admin panel is highly user-friendly, and pairing it with TinyMCE, an effective rich text editor, simplifies content management significantly. Combining the two is particular useful for bloggi...

Leave a Comment

Anonymous

◎Feel free to join the discussion and share your thoughts.

Copyright © fadingcoder.top