We can avoid serialising fields by using the transient keyword.
Is there any other way of doing that?

- I got this question... asking whether we can do it through native... – Biju CD Aug 18 '09 at 08:12
- For what purpose? Why is transient not a good solution for your use-cases? – GaryF Aug 18 '09 at 08:13
- @Bombe/@GaryF: curiosity is always a valid reason. – Robert Munteanu Aug 18 '09 at 08:19
- @Biju The question is still, why? Why do it through native? @Robert-Munteanu Curiosity is always a valid reason to ask a question, but "You shouldn't do this" is often a valid answer to the question. – Imagist Aug 18 '09 at 09:16
- No. No importance for... native... leave that native... – Biju CD Aug 18 '09 at 12:30
4 Answers
http://java.sun.com/javase/6/docs/platform/serialization/spec/security.html
SUMMARY: Preventing Serialization of Sensitive Data
Fields containing sensitive data should not be serialized; doing so exposes their values to any party with access to the serialization stream. There are several methods for preventing a field from being serialized:
- Declare the field as private transient.
- Define the serialPersistentFields field of the class in question, and omit the field from the list of field descriptors.
- Write a class-specific serialization method (i.e., writeObject or writeExternal) which does not write the field to the serialization stream (i.e., by not calling ObjectOutputStream.defaultWriteObject).
Here are some links.
Declaring serialPersistentFields.

- Declaring serialPersistentFields - This is done using a special static final variable called serialPersistentFields. – KV Prajapati Aug 18 '09 at 08:50
- Hi, how about declaring the field as `static final` (this is assuming that the value is a constant)? cf. https://stackoverflow.com/a/36132646/1168041 – leeyuiwah Aug 28 '19 at 08:26
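
A worked version of the second method listed in this answer (serialPersistentFields), added here as an illustration; it is not part of the original answer or of the JDK documentation it quotes. The Account class, its field names and the sample values are made up for the example; only the standard java.io API is used. It also performs the check the spec's warning implies: after serializing, it scans the raw stream bytes for the secret value, since anyone holding the stream could do the same.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Added example: keep a field out of the stream with serialPersistentFields
// instead of the transient keyword. Account, its fields and the sample
// values are hypothetical.
public class SerialPersistentFieldsDemo {

    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;

        // Exactly these descriptors are serialized by defaultWriteObject().
        // "password" is absent from the list, so it is skipped even though it
        // is an ordinary non-transient instance field. Each descriptor's name
        // and type must match the declared field for its value to be written.
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("username", String.class)
        };

        private final String username;
        private final String password;   // sensitive: must never reach the stream

        Account(String username, String password) {
            this.username = username;
            this.password = password;
        }

        String username() { return username; }
        String password() { return password; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // The check behind the spec's warning: is the secret visible to anyone who
    // holds the stream? ISO-8859-1 maps each byte to exactly one char, so a
    // plain contains() on the decoded bytes finds an ASCII secret if present.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        Account original = new Account("alice", "s3cret-password-value");
        byte[] stream = serialize(original);
        Account copy = (Account) deserialize(stream);

        System.out.println("username after round trip: " + copy.username());
        System.out.println("password after round trip: " + copy.password());
        System.out.println("username bytes in stream:  " + streamContains(stream, "alice"));
        System.out.println("password bytes in stream:  " + streamContains(stream, "s3cret"));
    }
}
```

Running it shows the username surviving the round trip while the password comes back as null, and the stream scan finds "alice" but not the secret. Note that the omitted field is simply left at its default on the receiving side; no constructor of Account runs during deserialization, so any value it needs has to be restored separately (for example in a readObject method).
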
If for some reason transient doesn't suit, you can do the serialization directly by overriding the writeObject and readObject methods. Then you can include or omit any fields you need.

This is what transient means as a keyword. Its whole purpose is to stop the serialization of the data, for whatever reason.
If you wanted a finer grain control over the process you can use the writeObject/readObject methods that the ObjectOutputStream/ObjectInputStream use as part of the serialization process, and you could combine that with some custom annotations or any logic you wanted.
private void readObject(java.io.ObjectInputStream stream)
throws IOException, ClassNotFoundException;
private void writeObject(java.io.ObjectOutputStream stream)
throws IOException

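
The two answers above both point at the private writeObject/readObject hooks. This added example, which is not code from either answer, shows them taking over field selection completely: defaultWriteObject() is never called, so a field is written only when the code writes it, and readObject validates what it reads before the object escapes. The Session class, its fields and the sample values are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: take over field selection with private writeObject /
// readObject hooks. Session, its fields and the sample values are hypothetical.
public class CustomWriteObjectDemo {

    static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;

        private String user;
        private int ttlSeconds;
        private char[] sessionKey;          // sensitive; deliberately not marked transient
        private String cachedDisplayName;   // derivable, so not worth shipping either

        Session(String user, int ttlSeconds, char[] sessionKey) {
            this.user = user;
            this.ttlSeconds = ttlSeconds;
            this.sessionKey = sessionKey;
            this.cachedDisplayName = user.toUpperCase();
        }

        // ObjectOutputStream calls this instead of the default mechanism. Since
        // defaultWriteObject() is never called, a field reaches the stream only
        // if we write it explicitly: sessionKey and cachedDisplayName never do.
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.writeUTF(user);
            out.writeInt(ttlSeconds);
        }

        // Mirror of writeObject: read the same values in the same order, validate
        // them before the object escapes, then rebuild what we chose not to ship.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            user = in.readUTF();
            ttlSeconds = in.readInt();
            if (user.isEmpty() || ttlSeconds <= 0 || ttlSeconds > 86_400) {
                throw new InvalidObjectException("rejected session: user='" + user
                        + "' ttl=" + ttlSeconds);
            }
            sessionKey = null;                        // must be re-issued, never restored
            cachedDisplayName = user.toUpperCase();   // recomputed, not trusted from the stream
        }

        String user() { return user; }
        int ttlSeconds() { return ttlSeconds; }
        char[] sessionKey() { return sessionKey; }
        String cachedDisplayName() { return cachedDisplayName; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Session deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Session) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Normal case: user and ttl survive the round trip, the key does not.
        Session copy = deserialize(serialize(new Session("alice", 600, "k3y".toCharArray())));
        System.out.println("user=" + copy.user() + " ttl=" + copy.ttlSeconds()
                + " key=" + copy.sessionKey() + " display=" + copy.cachedDisplayName());

        // Hostile case: a stream carrying an out-of-range ttl is refused inside
        // readObject, so no Session with bad state is ever handed to the caller.
        byte[] bad = serialize(new Session("alice", -5, "k3y".toCharArray()));
        try {
            deserialize(bad);
            System.out.println("unexpected: bad stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validation in readObject is the part worth copying: once a class is Serializable, any stream a caller deserializes can claim to contain one, so the read side, not the constructor, is where invariants on the wire data have to be enforced.
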
You can create your own protocol with the Externalizable interface, which in my opinion is nicer than Serializable since it doesn't contain private methods hooked by the JVM (writeObject and readObject). Instead of implementing the Serializable interface, you can implement Externalizable, which contains two methods:
public void writeExternal(ObjectOutput out) throws IOException;
public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException;
Unlike when using Serializable, nothing is provided for free now, though. That is, the protocol is entirely in your hands, overriding transient/non-transient fields, etc.

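
An added example of the Externalizable approach described in this answer; it is not code from the answer itself. It shows the two points the answer makes: nothing is written unless writeExternal writes it, and the transient modifier is irrelevant (a transient field is written here on purpose, and a sensitive non-transient one is not). The Token class, its fields and the sample values are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.util.Arrays;

// Added example: the entire wire format is defined by writeExternal /
// readExternal. Token, its fields and the sample values are hypothetical.
public class ExternalizableDemo {

    public static final class Token implements Externalizable {
        private static final long serialVersionUID = 1L;

        private String subject;
        private long expiresAt;
        private byte[] secret;            // never written: stays out of the stream
        private transient String note;    // written anyway: transient means nothing here

        // Externalizable requires a public no-arg constructor: the runtime calls
        // it and then readExternal() on the fresh instance.
        public Token() { }

        Token(String subject, long expiresAt, byte[] secret, String note) {
            this.subject = subject;
            this.expiresAt = expiresAt;
            this.secret = secret;
            this.note = note;
        }

        @Override
        public void writeExternal(ObjectOutput out) throws IOException {
            // Nothing is written unless we write it; field modifiers are ignored.
            out.writeUTF(subject);
            out.writeLong(expiresAt);
            out.writeUTF(note);
        }

        @Override
        public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
            // Must read exactly what writeExternal wrote, in the same order.
            subject = in.readUTF();
            expiresAt = in.readLong();
            note = in.readUTF();
            secret = null;   // the receiver must obtain a fresh one
        }

        String subject() { return subject; }
        long expiresAt() { return expiresAt; }
        byte[] secret() { return secret; }
        String note() { return note; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Token deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Token) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Token t = new Token("alice", 1_700_000_000L, new byte[] {1, 2, 3}, "issued by demo");
        Token copy = deserialize(serialize(t));
        System.out.println("subject=" + copy.subject() + " expiresAt=" + copy.expiresAt()
                + " note=" + copy.note() + " secret=" + Arrays.toString(copy.secret()));
    }
}
```

Two practical caveats follow from "nothing is provided for free": the public no-arg constructor means any caller can create an empty Token, so the class cannot rely on its other constructor for invariants, and the field order in readExternal is the protocol, so changing one method without the other silently corrupts every existing stream.
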