In Effective Java Programming Language Guide, Joshua Bloch wrote many thoughts about serialization. Here is a summary of some precautions recommended:
- If you do not get to the effort to design a custom serialized form, but merely accept the default, the class's private and package instance fields becomes part of its exported API. In this way, it decreases the flexibility to change a class's implementation once it has been released.
- Serial versions UIDs are automatically generated based on the name of the class, the names of their interfaces, and of all public and protected members. If a change is made to the class but you do not provide a custom serial UID the compatibility will be broken.
- Serialization is a extralinguistic mechanism, deserialization is a hidden constructor. All the invariants for an object should be checked in the process of deserializing an object, as a constructor would do.
- Classes design for inheritance should rarely implement serializable. Doing otherwise places a burden into the programmer extending the class.
- Inner classes should rarely implement Serializable. Their synthetics fields and names are not specified.
- The default serialization process deals with the physical representation of an object. It also describes the topology of the objects referenced from the object to be serialized. But what is really important to serialize is the logical data of the object.
- Disadvantages of using the default serialization when the physical representation of an object differs greatly form the logical:
- It permanently ties the exported API to the internal representation
- It can consume excessive time or space
- it can overflows.
- A stream of bytes to be deserialized could have been tampered with to change the immutability of an object, or to provide references to private data. This is a security risk. To avoid it, checks the validity (invariants) of the deserialized object within the readObject method. Also is critical to defensively copy any field containing an object reference that a client must not posses.
- Typesafe enum and singletons should use readResolve to ensure their characteristics when deserialized.
Click below links to know more
Comments
Post a Comment