|
|
Start of Tutorial > Start of Trail > Start of Lesson |
Search
Feedback Form |
An object is serializable only if its class implements theSerializableinterface. Thus, if you want to serialize the instances of one of your classes, the class must implement theSerializableinterface. The good news is thatSerializableis an empty interface. That is, it doesn't contain any method declarations; its purpose is simply to identify classes whose objects are serializable.
Here's the complete definition of theSerializableinterface:Making instances of your classes serializable is easy. You just add thepackage java.io; public interface Serializable { // there's nothing in here! };implements Serializableclause to your class declaration like this:You don't have to write any methods. The serialization of instances of this class are handled by thepublic class MySerializableClass implements Serializable { ... }defaultWriteObjectmethod ofObjectOutputStream. This method automatically writes out everything required to reconstruct an instance of the class, including the following:You can deserialize any instance of the class with the
- Class of the object
- Class signature
- Values of all non-
transientand non-staticmembers, including members that refer to other objectsdefaultReadObjectmethod inObjectInputStream.For many classes, this default behavior is good enough. However, default serialization can be slow, and a class might want more explicit control over the serialization.
You can customize serialization for your classes by providing two methods for it:writeObjectandreadObject. ThewriteObjectmethod controls what information is saved and is typically used to append additional information to the stream. ThereadObjectmethod either reads the information written by the correspondingwriteObjectmethod or can be used to update the state of the object after it has been restored.The
writeObjectmethod must be declared exactly as shown in the following example and should call the stream'sdefaultWriteObjectas the first thing it does to perform default serialization. Any special arrangements can be handled afterwards:Theprivate void writeObject(ObjectOutputStream s) throws IOException { s.defaultWriteObject(); // customized serialization code }readObjectmethod must read in everything written bywriteObjectin the same order in which it was written. Also, thereadObjectmethod can perform calculations or update the state of the object. Here's thereadObjectmethod that corresponds to thewriteObjectmethod just shown:Theprivate void readObject(ObjectInputStream s) throws IOException { s.defaultReadObject(); // customized deserialization code ... // followed by code to update the object, if necessary }readObjectmethod must be declared exactly as shown.The
writeObjectandreadObjectmethods are responsible for serializing only the immediate class. Any serialization required by the superclasses is handled automatically. However, a class that needs to explicitly coordinate with its superclasses to serialize itself can do so by implementing theExternalizableinterface.
For complete, explicit control of the serialization process, a class must implement theExternalizableinterface. ForExternalizableobjects, only the identity of the object's class is automatically saved by the stream. The class is responsible for writing and reading its contents, and it must coordinate with its superclasses to do so.Here's the complete definition of the
Externalizableinterface that extendsSerializable:The following holds for anpackage java.io; public interface Externalizable extends Serializable { public void writeExternal(ObjectOutput out) throws IOException; public void readExternal(ObjectInput in) throws IOException, java.lang.ClassNotFoundException; }Externalizableclass:The
- It must implement the
java.io.Externalizableinterface.- It must implement a
writeExternalmethod to save the state of the object. Also, it must explicitly coordinate with its supertype to save its state.- It must implement a
readExternalmethod to read the data written by thewriteExternalmethod from the stream and restore the state of the object. It must explicitly coordinate with the supertype to restore its state.- If externally defined format is being written, the
writeExternalandreadExternalmethods are solely responsible for that format.writeExternalandreadExternalmethods are public and carry the risk that a client may be able to write or read information in the object other than by using its methods and fields. These methods must be used only when the information held by the object is not sensitive or when exposing that information would not present a security risk.
When developing a class that provides controlled access to resources, you must take care to protect sensitive information and functions. During deserialization, the private state of the object is restored. For example, a file descriptor contains a handle that provides access to an operating system resource. Being able to forge a file descriptor would allow some forms of illegal access, since restoring state is done from a stream. Therefore the serializing runtime must take the conservative approach and not trust the stream to contain only valid representations of objects. To avoid compromising a class, you must provide either that the sensitive state of an object must not be restored from the stream or that it must be reverified by the class.Several techniques are available to protect sensitive data in classes. The easiest is to mark fields that contain sensitive data as private
transient.transientandstaticfields are not serialized or deserialized. Marking the field will prevent the state from appearing in the stream and from being restored during deserialization. Since writing and reading (of private fields) cannot be superseded outside of the class, the class'stransientfields are safe.Particularly sensitive classes should not be serialized. To accomplish this, the object should not implement either the
SerializableorExternalizableinterface.Some classes may find it beneficial to allow writing and reading but to specifically handle and revalidate the state as it is deserialized. The class should implement
writeObjectandreadObjectmethods to save and restore only the appropriate state. If access should be denied, throwing aNotSerializableExceptionwill prevent further access.
|
|
Start of Tutorial > Start of Trail > Start of Lesson |
Search
Feedback Form |
Copyright 1995-2004 Sun Microsystems, Inc. All rights reserved.