What is the point of a serializable class? To my understanding it's so that you can send objects across a network and know that, on both ends, the object will be verified to be the correct object. For example, if I have a server with a serializable class and want to send data to an app via object output stream, I can use the serializable class with the same UID on both ends to verify that the object is legitimate and not hacked? Please correct me if I'm wrong, but that's how I am understanding the documentation on the Serializable interface.
No, the point is not security. A man in the middle could easily replace your object with another one. The point is simply... to be able to transform object graphs to bytes and vice-versa, in a very easy way. – JB Nizet Jun 08 '16 at 20:23
A serializable class can be written and read from a file automatically by java (as long as it has access to the class). This allows things like a JMS Queue to write classes to a file when the message containing the class is on the queue. – DwB Jun 08 '16 at 20:51
2 Answers
Security and serialization are two different things.
Java serialization is to convert the objects to bytes. Period.
The optional UID field is to assure that the serialized and deserialized object (structure) versions match.
Serialization is useful to convert an object into a file and reload it back into an object later in the future, and of course you can send that file (stream) over the network also.
The main reason that I asked is because I have a server-side program which collects user info from a client and stores it in a database. The client (which is an Android app) can then request information from the database, which the server converts into objects for each user's data. I was worried about sending a `List` over an ObjectOutputStream, and how it would look on the client side when it's sent from server to client @K139 – darkman9333 Jun 08 '16 at 20:35
@Darkman9333 Did you consider using REST services? Why do you want to send serialized classes? – K139 Jun 08 '16 at 20:38
I was pointed in the direction of REST services, but I guess the whole idea was that I didn't want to rely on 3rd party databases and whatnot (not that I don't trust them with data, just that I was doing this more for the learning experience) – darkman9333 Jun 08 '16 at 20:39
@Darkman9333 well, then as long as your client accepts the stream (or) file and converts it back into the object structure, it should be fine. – K139 Jun 08 '16 at 20:41
Okay, so on the client side I just have to create a class with the same structure (variables and methods)? – darkman9333 Jun 08 '16 at 20:55
@Darkman9333 Yes, please refer to http://www.oracle.com/technetwork/java/serial-137074.html#receive. – K139 Jun 08 '16 at 20:56
You're correct, but you can think of it more broadly.
- You can convert a serializable class to bytes.
- You can add an object of this type to a serializable collection and it will be properly serialized (e.g. you can make a list of them and serialize the list, if the list is serializable).
By the way, the serialVersionUID is optional. The JVM will generate one on its own, though it will be a bit more fragile: if you change, for example, a method signature, the JVM will translate this to an altered signature and believe that the class is now incompatible with previous serialized versions, even if you haven't changed data fields. If you create your own, you're essentially overriding this mechanism.
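Added example (written for this page; not code from the question, the answers, or the JDK documentation) tying the two answers together: `serialVersionUID` is only a tag for the class layout, so the authenticity the question hopes for has to come from something else. Here that is an HMAC over the raw stream, checked before `readObject`, plus a Java 9+ `ObjectInputFilter` that admits only the expected classes; `SerialDemo`, `User` and the demo key are constructed names and values.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import static java.io.ObjectInputFilter.Status.*;

public class SerialDemo {
    // Constructed demo type. The explicit UID only tags the class layout for the version check.
    static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name; final int age;
        User(String name, int age) { this.name = name; this.age = age; }
    }
    // What Java serialization is for: turning an object graph into bytes.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // HMAC-SHA256 over the raw stream. The key is a constructed stand-in for one shared out of band.
    static byte[] tag(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }
    // Deserialize only after the MAC verifies, and only the classes the receiver expects.
    static Object fromBytes(byte[] key, byte[] data, byte[] expectedTag) throws Exception {
        if (!MessageDigest.isEqual(tag(key, data), expectedTag))
            throw new SecurityException("stream modified or forged; refusing to deserialize");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();   // null for back-references and depth checks
                if (c == null) return UNDECIDED;
                return (c == User.class || c == ArrayList.class || c == String.class) ? ALLOWED : REJECTED;
            });
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] data = toBytes(new ArrayList<>(List.of(new User("alice", 30))));
        byte[] mac = tag(key, data);
        System.out.println("users=" + ((List<?>) fromBytes(key, data, mac)).size());
        data[data.length - 1] ^= 1;   // one byte changed in transit: UID bytes untouched, only the MAC notices
        try { fromBytes(key, data, mac); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

A matching serialVersionUID on both ends would still accept the modified stream, which is the version check the second answer describes; the MAC and the class allowlist are what actually decide whether the bytes are trusted.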
So in order to ensure that the object is the same on both ends, both receiving and sending ends should have the same serialVersionUID? – darkman9333 Jun 08 '16 at 20:29
Some IDEs will warn you if it's missing, but it's still optional. If you leave it out the JVM will generate one, based on the fields, method signatures, etc. If you're sending this over the network, on the receiving end your JVM will still need a class definition to deserialize the bytes into, so it will use that to generate a svid. If you include your own, your serialization will still work as long as the fields match (it is also, purportedly, negligibly faster). Note that if you want to use this for networking, most dedicated libs (e.g. Thrift) are much faster than base JVM serialization. – Steve B. Jun 08 '16 at 20:36
Really one should study the sections on Serializable in _Effective Java_, by Joshua Bloch. – Lew Bloch Jun 08 '16 at 21:21