Home  |   STIU  |   WOW  |   SCJP  |   SCDJWS   |   JEE FAQ  |   About US  |  
You are here: JEE FAQ » Java FAQ
FAQ
  Java FAQ
  JSP FAQ
  Servlet FAQ
 

Advertisement

XyzWs Java FAQ:
What are the precautions for implementing Serializable?


Printer-friendly version Printer-friendly version | Send this article to a friend Mail this to a friend

Previous Next vertical dots separating previous/next from contents/index/pdf Contents
Advertisement
XyzWs Java FAQ: What are the precautions for implementing Serializable?

What are the precautions for implementing Serializable?


In Effective Java Programming Language Guide, Joshua Bloch wrote many thoughts about serialization. Here is a summary of some precautions recommended:

  • If you do not get to the effort to design a custom serialized form, but merely accept the default, the class's private and package instance fields becomes part of its exported API. In this way, it decreases the flexibility to change a class's implementation once it has been released.
  • Serial versions UIDs are automatically generated based on the name of the class, the names of their interfaces, and of all public and protected members. If a change is made to the class but you do not provide a custom serial UID the compatibility will be broken.
  • Serialization is a extralinguistic mechanism, deserialization is a hidden constructor. All the invariants for an object should be checked in the process of deserializing an object, as a constructor would do.
  • Classes design for inheritance should rarely implement serializable. Doing otherwise places a burden into the programmer extending the class.
  • Inner classes should rarely implement Serializable. Their synthetics fields and names are not specified.
  • The default serialization process deals with the physical representation of an object. It also describes the topology of the objects referenced from the object to be serialized. But what is really important to serialize is the logical data of the object.
  • Disadvantages of using the default serialization when the physical representation of an object differs greatly form the logical:
    • It permanently ties the exported API to the internal representation
    • It can consume excessive time or space
    • it can overflows.
  • A stream of bytes to be deserialized could have been tampered with to change the immutability of an object, or to provide references to private data. This is a security risk. To avoid it, checks the validity (invariants) of the deserialized object within the readObject method. Also is critical to defensively copy any field containing an object reference that a client must not posses.
  • Typesafe enum and singletons should use readResolve to ensure their characteristics when deserialized.
Previous Next vertical dots separating previous/next from contents/index/pdf Contents

Support  | Feedback  | Help  
© Copyright 2005-2006 www.xyzws.com All rights reserved.