
As a young developer I am facing a new type of issue I've never faced before. According to this article, Java plans to remove serialization and de-serialization due to security problems.

I am currently working on a project that uses serialization and de-serialization a lot. The exact date where it will be dropped by java has not been announced yet (to my knowledge at least). It's not a big project, but not using serialization anymore would change the entire architecture.

So my question is: should I anticipate it, or should I wait for further details before changing the way my project works?

Thanks in advance.

souki
  • IMHO, don't anticipate, as you won't know exactly how it will be done. – DamCx May 30 '18 at 07:48
  • This is nothing to worry about at this point. Also the native Java serialization should be interchangeable with libraries such as JAXB or Gson/JSON (at least code-wise; the serialized form will be different, of course). – f1sh May 30 '18 at 07:48
  • If Java _eventually_ removes serialization, that need not affect code written in a small project in an earlier version. On the other hand, if you're worried about security problems (or other problems with using Java serialization), there are good reasons to avoid using it. – khelwood May 30 '18 at 07:49
  • It seems everyone is saying that Oracle will remove serialization support, except for Oracle themselves. – Stultuske May 30 '18 at 07:54
  • **What** 'exact date where it will be dropped by Java'? Where did you get the idea it was ever going to be dropped? – user207421 Jun 11 '18 at 06:08
  • @EJP no date was specified. I don't know if you read the link I provided in my question, but it's saying that it will be dropped. This link was shared by my boss, saying we should avoid serialization. I found it kind of premature, so I asked to have other opinions. I had never faced this kind of situation, so I asked the question. And I clearly specified "the eventual drop of serialization". – souki Jun 11 '18 at 07:43

1 Answer


I'd avoid Java's serialization mechanism even if there weren't such a threat.

It's an old invention, riddled with problems, not just security ones. It's Java-specific, so not very good for integration with other platforms. The only good thing is that it's built in.

There are plenty of libraries that provide binary and other serialization support (and more), and which aren't tied to the Java development cycle. They don't have the ghost of backwards compatibility haunting them either (at least not as strongly as Java's serialization does).

Kayaman
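To make the advice in the answer and in f1sh's comment concrete, here is an added example (not code from the question's project or from the answerer) showing what the swap looks like for one domain class: the built-in `ObjectOutputStream`/`ObjectInputStream` path side by side with a Gson/JSON equivalent. It also shows the interim hardening available while the migration is in progress: the Java 9+ `ObjectInputFilter`, which rejects every class in an incoming stream except the ones you list. The `Order` class, the `SerializationMigration` class name and the Gson dependency (`com.google.code.gson:gson` on the classpath) are assumptions made for the illustration.

```java
import com.google.gson.Gson;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Objects;

public class SerializationMigration {

    // Hypothetical domain class; stands in for whatever the project serializes today.
    // It stays Serializable during the migration so both code paths coexist.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        private String id;
        private int quantity;

        private Order() { }                     // used by Gson via reflection

        public Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }

        @Override public boolean equals(Object o) {
            return o instanceof Order && ((Order) o).id.equals(id) && ((Order) o).quantity == quantity;
        }
        @Override public int hashCode() { return Objects.hash(id, quantity); }
        @Override public String toString() { return "Order{" + id + ", " + quantity + "}"; }
    }

    // ---- Legacy path: JDK built-in serialization -----------------------------------

    static byte[] toJdkBytes(Order order) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(order);
        }
        return bos.toByteArray();
    }

    // Interim hardening (Java 9+): an allowlist filter. Patterns are matched in order;
    // the final "!*" rejects any class not named earlier, and maxdepth caps object
    // graph nesting. Listing java.lang.String is harmless if the JDK never consults
    // the filter for it. The filter must be installed before the first readObject().
    static Order fromJdkBytesFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyOrder = ObjectInputFilter.Config.createFilter(
                "SerializationMigration$Order;java.lang.String;!*;maxdepth=4");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowOnlyOrder);
            return (Order) ois.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    // ---- Replacement path: JSON via Gson ---------------------------------------------
    // The wire format changes (text instead of the JDK binary stream), but the domain
    // class and the call sites keep the same shape: one call to write, one to read.

    private static final Gson GSON = new Gson();

    static String toJson(Order order) {
        return GSON.toJson(order);              // e.g. {"id":"A-17","quantity":3}
    }

    static Order fromJson(String json) {
        return GSON.fromJson(json, Order.class); // only ever builds an Order, never an arbitrary class
    }

    public static void main(String[] args) throws Exception {
        Order original = new Order("A-17", 3);  // constructed sample value

        Order viaJdk = fromJdkBytesFiltered(toJdkBytes(original));
        Order viaJson = fromJson(toJson(original));

        System.out.println("JDK round trip  : " + viaJdk + " equal=" + original.equals(viaJdk));
        System.out.println("JSON round trip : " + viaJson + " equal=" + original.equals(viaJson));
        System.out.println("JSON on the wire: " + toJson(original));
    }
}
```

The point of keeping both paths in one class is that the migration can be done per call site: swap `toJdkBytes`/`fromJdkBytesFiltered` for `toJson`/`fromJson` one boundary at a time, with the filter limiting what the not-yet-migrated boundaries will accept in the meantime. Run it with `javac -cp gson.jar SerializationMigration.java && java -cp .:gson.jar SerializationMigration` (adjust the classpath separator on Windows).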