Re: Tips: What is the magic Serializable interface does in Java?



Lew wrote:
Furthermore, serialization imposes an additional public interface on a class, one which circumvents the usual protections of accessibility (e.g., 'private'). This is a huge development and maintenance responsibility on a class, as is maintaining serializability between successive API versions. What a PITA that would be for a class that would never need it.

Arne Vajhøj wrote:
Serializable does not have any methods, so there are no "private" anything that becomes accessible.

That is neither true nor relevant. Serialization of a class makes the private members of that class, whatever they may be, accessible through the serialization / deserialization mechanism itself.

Serialization involves many methods that are not part of the Serializable interface, such as readObject() for example.
<http://java.sun.com/javase/6/docs/api/java/io/Serializable.html>

Clever use of these mechanisms can allow a malicious programmer to write a class that will crack the private members of a serialized object, unless the class's author took great care to prevent it.

Read Joshua Bloch's excellent /Effective Java/ for details.

--
Lew
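The point made above, as an added example that is not from the thread: deserialization writes a class's private fields straight from the stream without running its constructor, so a class that guards an invariant must re-check it (and defensively copy any mutable fields) in a private readObject hook. The Period class below is a constructed illustration in the spirit of the Effective Java recommendation, not code from the book or from any poster.

```java
import java.io.*;
import java.util.Date;
// Added example (not from the thread): an immutable value class whose
// invariant (start <= end) is enforced in the constructor. Deserialization
// bypasses the constructor and fills the private fields directly from the
// stream, so readObject must re-establish the invariant and defensively copy
// mutable components before trusting them.
public final class Period implements Serializable {
    private static final long serialVersionUID = 1L;
    private Date start;  // private, yet fully present in the serialized bytes
    private Date end;
    public Period(Date start, Date end) {
        this.start = new Date(start.getTime());
        this.end = new Date(end.getTime());
        if (this.start.compareTo(this.end) > 0)
            throw new IllegalArgumentException("start after end");
    }
    public Date start() { return new Date(start.getTime()); }
    public Date end() { return new Date(end.getTime()); }
    // Serialization calls this instead of the constructor when an instance
    // is read back; it is private, yet it is part of the class's contract.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // Defensive copies first: a stream may hold other references to these
        // Date objects, so without copying, "private" state could be mutated
        // from outside after deserialization.
        start = new Date(start.getTime());
        end = new Date(end.getTime());
        // Then re-check the invariant the constructor normally guarantees.
        if (start.compareTo(end) > 0)
            throw new InvalidObjectException("start after end");
    }
    public static void main(String[] args) throws Exception {
        Period p = new Period(new Date(0), new Date(1000));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(p);
        }
        // The round trip never calls the constructor; only readObject runs.
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            Period copy = (Period) in.readObject();
            System.out.println(copy.start() + " .. " + copy.end());
        }
    }
}
```

Without the readObject hook, a stream carrying an end date earlier than the start date would produce a live Period that no constructor ever validated.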