0

What is the point to a serializable class? To my understanding its so that you can send objects across a network and know that on both ends that the object will be verified that it is the correct object. For example, if I have a server with a serializable class and want to send data to an app via object output stream, I can use the serializable class with the same UID on both ends to verify that the object is legitimate and not hacked? Please correct me if I'm wrong but that's how I am understanding the documentation on the serializable interface

Improve this question
2
  • 3
    No, the point is not security. A man in the middle could easily replace your object with another one. The point is simply... to be able to transform object graphs to bytes and vice-versa, in a very easy way. Commented Jun 8, 2016 at 20:23
  • A serializable class can be written and read from a file automatically by java (as long as it has access to the class). This allows things like a JMS Queue to write classes to a file when the message containing the class is on the queue. Commented Jun 8, 2016 at 20:51

2 Answers 2

Reset to default
2

Security and Serialization both are different.

Java serialization is to convert the objects to bytes. Period.

The optional UID field is to assure the serialized and deserialized object (structure) versions match.

Serialization is useful to convert an object into a file and reload it back into an object later in future, and of course you can send that file (stream) over the network also.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

The main reason that I asked is because I have a server sided program which collects user info from a client and stores it in a database. The client (which is an android app) can then request information from the database which the server converts each users data into objects. I was worried about sending a List<User> over an ObjectOutputStream, and how it would look on the client side when its sent from server to client @K139
@Darkman9333 Did you consider using REST services? Why you want to send serialized classes?
I was pointed in the direction of REST services but I guess the whole idea was that I didn't want to rely on 3rd party databases and what not (not that I don't trust them with data, just that I was more doing this for the learning experience)
@Darkman9333 well, then as long as your client accepts the stream (or) file, and converts back it into the object structure, it should be fine.
Okay so on the client side I just have to create a class with the same structure(variables and methods)?
|
0

You're correct, but you can think of it more broadly.

  • You can convert a serializable class to bytes

  • You can add an object of this type to a serializable collection and it will be properly serialized (e.g. you can make a list of them and serialize the list if the list is serializable)

By the way, the serialVersionUID is optional. It will generate one on its own, though it will be a bit more fragile - if you change, for example, a method signature, the jvm will translate this to an altered signature and believe that the class is now incompatible with previous serialized versions, even if you haven't changed data fields. If you create your own you're essentially overriding this mechanism.

Improve this answer

3 Comments

so in order to ensure that the object is the same on both ends, both receiving and sending ends should have the same serialVersionUID?
Some IDE's will warn you if it's missing, but it's still optional. If you leave it out the jvm will generate one, based on the fields, method signatures, etc etc. If you're sending this over the network, on the receiving end, your jvm will still need a class definition to serialize the bytes into, so it will use that to generate a svid. If you include your own your serialization will still work as long as the fields match (it is also, purportedly, negligibly faster). Note that if you want to use this for networking most dedicated libs (e.g. thrift) are much faster than base jvm serialization.
Really one should study the sections on Serializable in Effective Java, by Joshua Bloch.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.