Object Serialization

Object Serialization

Overview

Reading and writing objects is a process called object serialization. Objects are serialized by by writing them to a java.io.ObjectInputStream and then reading them in again using a java.io.ObjectOutputStream.

Write to an ObjectOutputStream

The following constructs a Date object and then serializes that object:

FileOutputStream out = new FileOutputStream("timestamp.log"); ObjectOutputStream s = new ObjectOutputStream(out); s.writeObject("Today"); s.writeObject(new Date()); s.flush();

This code serializes the object to a file named timestamp.log and the string Today and a Date object are serialized using the writeObject method of ObjectOutputStream.
ObjectOutputStream implements the DataOutput interface that defines many methods for writing primitive data types, such as writeInt, writeFloat, or writeUTF. You can use these methods to write primitive data types to an ObjectOutputStream.
The writeObject method throws a NotSerializableException if it's given an object that is not serializable. An object is serializable only if its class implements the Serializable interface.

Read from an ObjectInputStream

Once you've written objects and primitive data types to a stream, you'll likely want to read them out again and reconstruct the objects. This is also straightforward. Here's code that reads in the String and the Date objects that were written to the file above.

FileInputStream in = new FileInputStream("timestamp.log"); ObjectInputStream s = new ObjectInputStream(in); String today = (String)s.readObject(); Date date = (Date)s.readObject();

Like ObjectOutputStream, ObjectInputStream must be constructed on another stream. In this example, the objects were archived in a file, so the code constructs an ObjectInputStream on a FileInputStream. Next, the code uses ObjectInputStream's readObject method to read the String and the Date objects from the file. The objects must be read from the stream in the same order in which they were written. Note that the return value from readObject is an object that is cast to and assigned to a specific type.
The readObject method deserializes the next object in the stream and traverses its references to other objects recursively to deserialize all objects that are reachable from it. In this way, it maintains the relationships between the objects.
ObjectInputStream stream implements the DataInput interface that defines methods for reading primitive data types. The methods in DataInput parallel those defined in DataOutput for writing primitive data types. They include methods such as readInt, readFloat, and readUTF. Use these methods to read primitive data types from an ObjectInputStream.

Enabling Object Serialization

If you want to serialize the instances of one of the classes, the class must implement the Serializable interface. The good news is that Serializable is an empty interface. That is, it doesn't contain any method declarations; its purpose is simply to identify classes whose objects are serializable.

Implementing the Serializable Interface

Here's the complete definition of the Serializable interface:
package java.io; public interface Serializable { // there's nothing in here! };

To make instances of classes serializable, add implements Serializable to the class declaration like this:

public class MySerializableClass implements Serializable { ... }

You don't have to write any methods. The serialization of instances of this class are handled by the defaultWriteObject method of ObjectOutputStream. This method automatically writes out everything required to reconstruct an instance of the class, including the following:

Class of the object
Class signature
Values of all non-transient and non-static members, including members that refer to other objects

You can deserialize any instance of the class with the defaultReadObject method in ObjectInputStream.
For many classes, this default behavior is good enough. However, default serialization can be slow, and a class might want more explicit control over the serialization.

Customizing Serialization

You can customize serialization for the classes by providing two methods for it: writeObject and readObject. The writeObject method controls what information is saved and is typically used to append additional information to the stream. The readObject method either reads the information written by the corresponding writeObject method or can be used to update the state of the object after it has been restored.
The writeObject method must be declared exactly as shown in the following example and should call the stream's defaultWriteObject as the first thing it does to perform default serialization. Any special arrangements can be handled afterwards:

private void writeObject( ObjectOutputStream s) throws IOException { s.defaultWriteObject(); // customized serialization code }

The readObject method must read in everything written by writeObject in the same order in which it was written.
Also, the readObject method can perform calculations or update the state of the object.
Here's the readObject method that corresponds to the writeObject method just shown:
private void readObject(ObjectInputStream s) throws IOException { s.defaultReadObject(); // customized deserialization code ... // followed by code to update the object, if necessary }

The readObject method must be declared exactly as shown.
The writeObject and readObject methods are responsible for serializing only the immediate class. Any serialization required by the superclasses is handled automatically. However, a class that needs to explicitly coordinate with its superclasses to serialize itself can do so by implementing the Externalizable interface.

Implementing the Externalizable Interface

For complete, explicit control of the serialization process, a class must implement the Externalizable interface. For Externalizable objects, only the identity of the object's class is automatically saved by the stream. The class is responsible for writing and reading its contents, and it must coordinate with its superclasses to do so.
Here's the complete definition of the Externalizable interface that extends Serializable:
package java.io; public interface Externalizable extends Serializable { public void writeExternal ObjectOutput(out) throws IOException; public void readExternal ObjectInput(in) throws IOException, java.lang.ClassNotFoundException; }

The following holds for an Externalizable class:

It must implement the java.io.Externalizable interface.
It must implement a writeExternal method to save the state of the object. Also, it must explicitly coordinate with its supertype to save its state.
It must implement a readExternal method to read the data written by the writeExternal method from the stream and restore the state of the object. It must explicitly coordinate with the supertype to restore its state.
If externally defined format is being written, the writeExternal and readExternal methods are solely responsible for that format.

The writeExternal and readExternal methods are public and carry the risk that a client may be able to write or read information in the object other than by using its methods and fields. These methods must be used only when the information held by the object is not sensitive or when exposing that information would not present a security risk.

Protecting Sensitive Information

When developing a class that provides controlled access to resources, you must take care to protect sensitive information and functions. During deserialization, the private state of the object is restored. For example, a file descriptor contains a handle that provides access to an operating system resource. Being able to forge a file descriptor would allow some forms of illegal access, since restoring state is done from a stream. Therefore the serializing runtime must take the conservative approach and not trust the stream to contain only valid representations of objects. To avoid compromising a class, you must provide either that the sensitive state of an object must not be restored from the stream or that it must be reverified by the class.
Several techniques are available to protect sensitive data in classes. The easiest is to mark fields that contain sensitive data as private transient. transient and static fields are not serialized or deserialized. Marking the field will prevent the state from appearing in the stream and from being restored during deserialization. Since writing and reading (of private fields) cannot be superseded outside of the class, the class's transient fields are safe.
Particularly sensitive classes should not be serialized. To accomplish this, the object should not implement either the Serializable or Externalizable interface.
Some classes may find it beneficial to allow writing and reading but to specifically handle and revalidate the state as it is deserialized. The class should implement writeObject and readObject methods to save and restore only the appropriate state. If access should be denied, throwing a NotSerializableException will prevent further access.