Re: Tips: What is the magic Serializable interface does in Java?
Lew wrote:
Furthermore, serialization imposes an additional public interface on a class, one which circumvents the usual protections of accessibility (e.g., 'private'). This is a huge development and maintenance responsibility on a class, as is maintaining serializability between successive API versions. What a PITA that would be for a class that would never need it.

Arne Vajhøj wrote:
Serializable does not have any methods, so there are no "private"
anything that becomes accessible.

That is neither true nor relevant. Serialization of a class makes the private members of that class, whatever they may be, accessible through the serialization / deserialization mechanism itself.

Serialization involves many methods that are not part of the Serializable interface, such as readObject() for example.
<http://java.sun.com/javase/6/docs/api/java/io/Serializable.html>

Clever use of these mechanisms can allow a malicious programmer to write a class that will crack the private members of a serialized object, unless the class's author took great care to prevent it.

Read Joshua Bloch's excellent /Effective Java/ for details.

--
Lew
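An added illustration of the point Lew makes above (example code written for this page, not from the thread or from Effective Java): default serialization copies a class's private fields straight into the byte stream, and the only place the class gets to re-check its invariants on the way back in is a defensive readObject(). The class name Clearance, its fields and the "hunter2" sample value are all constructed for the demonstration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class SerialDemo {

    // Invariant (0 <= level <= 10) is enforced only by the constructor.
    static final class Clearance implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int level;          // private, yet written to the stream
        private final String secretNote;  // private, yet written to the stream

        Clearance(int level, String secretNote) {
            if (level < 0 || level > 10) throw new IllegalArgumentException("bad level");
            this.level = level;
            this.secretNote = secretNote;
        }

        // Deserialization bypasses the constructor entirely, so the invariant
        // must be validated again here, against whatever the stream contained.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (level < 0 || level > 10)
                throw new InvalidObjectException("bad level in stream: " + level);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Clearance(3, "hunter2"));

        // Both the private field name and its value are recoverable from the
        // raw bytes; no getter and no reflection was involved.
        String raw = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("field name in stream:  " + raw.contains("secretNote"));
        System.out.println("field value in stream: " + raw.contains("hunter2"));

        // Round trip: the defensive readObject() runs and accepts a valid level.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Clearance c = (Clearance) in.readObject();
            System.out.println("deserialized level: " + c.level);
        }
    }
}
```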