Serialization and Deserialization in Java with Examples

Introduction to Java Serialization

Bridging the gap between transient in-memory data and persistent storage is a key feature of Java, achieved through a process known as Serialization. This powerful capability allows the transformation of the state of an object into a byte stream. Consequently, this byte stream can be stored in a file, saved to a database, or even transmitted over a network, all while being platform-independent.

At its core, Serialization serves as a crucial JVM utility. It meticulously converts the intricate web of associated objects into a simplified byte stream. This process allows data to navigate from the JVM’s memory into external systems smoothly, opening up a wide array of possibilities.

Understanding the importance of this unique feature, we quickly realize its broad range of applications. Spanning across various spheres, from distributed computing to J2EE application servers, it plays a pivotal role.

One prominent use case of Serialization is within Remote Method Invocation (RMI). This functionality enables a method from one object to be invoked within another JVM. To facilitate this inter-JVM communication, objects must undergo Serialization, allowing them to traverse the network seamlessly before being reassembled through Deserialization. 

Furthermore, this feature proves vital for certain J2EE functionalities such as HTTP session replication, failover, and clustering. It is also helpful in instances where data need to be persisted in files. 

In the broader landscape, Serialization plays a critical role in technologies like Enterprise Java Beans (EJB) and Java Message Services (JMS). Here, objects are often detached and reattached to different data sources.

To sum up, understanding Serialization is vital for a Java developer. Its capability to convert intricate object structures into a transferable format forms the backbone of several high-level services, making it a fundamental part of the Java ecosystem.

What is serialisation in Java?

Serialization in java refers to the process of converting an object into a byte stream, which can be easily stored in a file or transmitted over a network. This enables the object’s state to be saved and restored at a later time or to be transferred between different Java applications running on different machines.

The byte stream created during serialization includes not only the object’s data but also information about the object’s class, including its name, signature, and other metadata. This ensures that the object can be correctly reconstructed when deserialized, even if the class definition might have changed since the object was originally serialized.

Java provides built-in support for serialization through the java.io.Serializable interface. To make an object serializable, you simply need to have the class implement this interface. It acts as a marker interface, meaning it does not have any methods that need to be implemented. When an object is serialized, Java’s serialization mechanism automatically handles the process, including saving the state of the object’s instance variables and associated class information.

Here’s a basic example of a serializable class in Java:

import java.io.Serializable;

public class Person implements Serializable {
    private String name;
    private int age;

    // Constructors, getters, setters, and other methods here...

    // Serializable classes should define a serialVersionUID to help with versioning.
    private static final long serialVersionUID = 123456789L;
}

SERIALISATION IN JAVA

Useful Java Resources

How Does Serialization in Java Work?

As we journey into the inner workings of Serialization in Java, we find it is both a fascinating and intuitive process. Central to this process is a built-in Java interface known as the Serializable interface. This plays a key role in transforming the state of an object into a sequence of bytes, which can be easily stored or transmitted. 

In essence, Serialization in Java involves a series of steps to convert an object into a format that can be restored later. The process starts when an object is passed to the ObjectOutputStream’s `writeObject()` method. The ObjectOutputStream explores the object and its corresponding graph, converting it into a byte stream.

But where does the Serializable interface fit into all this? The Serializable interface in Java is a marker interface, which means it does not contain any methods. When an object’s class implements this interface, it gives the Java Virtual Machine (JVM) a green signal that this object can be serialized. 

Here’s a simple illustration of a class implementing Serializable:

import java.io.Serializable;

public class Employee implements Serializable {

   private String name;

   private String department;

   // rest of the class

}

In the example above, the Employee class implements the Serializable interface, indicating that an object of Employee can be serialized.

When an object is serialized, information about its class, including the class name, its superclass, and the interfaces it implements, are also recorded. This metadata, coupled with the object’s non-transient and non-static fields, forms the serialized byte stream.

During the deserialization process, the stored information is used to create a new instance of the object. The process reinstates the state of the serialized object by using the recorded information about the class and its field values.

In conclusion, the Serialization process in Java is an intricate interplay between the JVM, the Serializable interface, and the ObjectOutputStream. By delving deeper into these elements, developers can harness the full potential of Serialization, achieving greater control over the lifecycle of their Java objects.

The Role of serialVersionUID in Java Serialization

Navigating the world of Java Serialization, we encounter a crucial component known as `serialVersionUID.` This unique identifier plays a significant role in maintaining the compatibility of classes during the serialization and deserialization process.

The `serialVersionUID` is a unique identifier for each serializable class. It aids in version controlling of the serialized classes and ensures that the same class (version) on the deserialization end can successfully deserialize the object. If the `serialVersionUID` of the class doesn’t match with the `serialVersionUID` of the serialized object, the deserialization process will result in an `InvalidClassException.`

Consider this illustration of how `serialVersionUID` is used in a class:

import java.io.Serializable;

public class Employee implements Serializable {

   private static final long serialVersionUID = 1L;

   private String name;

   private String department;

   // rest of the class

}

In this example, the Employee class assigns a unique `serialVersionUID` value. This specific value will be associated with every instance of the Employee class that gets serialized, ensuring compatibility during deserialization.

So, what’s the role of `serialVersionUID` in Java Serialization? It is the guardian of object version control. Its proper implementation maintains the integrity and uniformity of serialized classes, providing a seamless serialization and deserialization experience. With the understanding and correct use of `serialVersionUID,` developers can ensure the compatibility and integrity of their serialized objects across different JVMs.

Implementing Serialization in Java – A Step-by-Step Guide

Let’s explore how to implement Java Serialization through a simple, practical example. We will start with a `Person` class, serialize an object of this class, and then save it in a file.

Step 1: Defining the Serializable class

Our `Person` class will implement the `Serializable` interface:

import java.io.Serializable;

public class Person implements Serializable {

    private static final long serialVersionUID = 1L;

    private String name;

    private int age;

    public Person(String name, int age) {

        this.name = name;

        this.age = age;

    }

    public String toString() {

        return "Person{name=" + name + ", age=" + age + "}";

    }

}

The `Person` class implements the `Serializable` interface in this code, making it eligible for serialization. The `serialVersionUID` provides a unique identifier for the class.

Step 2: Serializing the Object

Next, we will create an object of the `Person` class, serialize it, and write it to a file.

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.ObjectOutputStream;

public class SerializePerson {

    public static void main(String[] args) {

        Person john = new Person("John Doe", 30);

        try {

            FileOutputStream fileOut = new FileOutputStream("person.ser");

            ObjectOutputStream out = new ObjectOutputStream(fileOut);

            out.writeObject(john);

            out.close();

            fileOut.close();

            System.out.println("Serialized data is saved in person.ser");

        } catch (IOException i) {

            i.printStackTrace();

        }

    }

}

In the `SerializePerson` class, we first create a new `Person` object, `john.` We then create `FileOutputStream` and `ObjectOutputStream` objects. The `ObjectOutputStream`’s `writeObject()` method is used to serialize the `john` object, which is then written to the `person.ser` file.

Running this class would output: `Serialized data is saved in person.ser`

Implementing Java Serialization is, therefore, a straightforward process. It primarily involves defining a `Serializable` class and using the `ObjectOutputStream` class to serialize objects of this class. A proper understanding of these steps enables Java developers to effectively harness the power of serialization, bringing enhanced flexibility and utility to their applications.

Deserialization in Java: The Counterpart of Serialization

Deserialization in Java is the reverse process of Serialization. It involves reconstructing the object from the serialized state. This process is fundamental for retrieving the original data from the byte stream, helping to restore the state of serialized objects.

To reverse the process of Serialization, Java uses the `ObjectInputStream` class. Its `readObject()` method reads the byte stream from a source (usually a file) and converts it back into the corresponding object.

Let’s delve into this concept with an example. In the previous section, we serialized a `Person` object and stored it in the `person.ser` file. Now, we will deserialize this object.

import java.io.FileInputStream;

import java.io.IOException;

import java.io.ObjectInputStream;

public class DeserializePerson {

    public static void main(String[] args) {

        Person john = null;

        try {

            FileInputStream fileIn = new FileInputStream("person.ser");

            ObjectInputStream in = new ObjectInputStream(fileIn);

            john = (Person) in.readObject();

            in.close();

            fileIn.close();

        } catch (IOException i) {

            i.printStackTrace();

            return;

        } catch (ClassNotFoundException c) {

            System.out.println("Person class not found");

            c.printStackTrace();

            return;

        }

        System.out.println("Deserialized Person...");

        System.out.println(john);

    }

}

In this Java Deserialization example, we first create a `FileInputStream` object for the `person.ser` file, which contains the serialized `Person` object. We then create an `ObjectInputStream` and call its `readObject()` method, which returns an object that we cast back to a `Person` object. The `readObject()` method can throw a `ClassNotFoundException,` so we need to catch that exception too.

When you run this class, you’ll see something like this:

`Deserialized Person…`

`Person{name=John Doe, age=30}`

Through Deserialization, we successfully retrieved the `Person` object from its serialized state in the `person.ser` file.

To conclude, Deserialization is a vital process in Java, acting as the counterpart to Serialization. It is the key to unlocking serialized objects’ original form and data, offering developers the power to persist and retrieve objects as needed.

Externalizable in Java: A Deep Dive

While delving into the realm of object persistence in Java, another intriguing interface that surfaces is the Externalizable interface. As an extension to the Serializable interface, the Externalizable interface provides more control over the serialization process.

The Externalizable interface in Java contains two methods: `writeExternal()` and `readExternal().` These methods must be overridden by the class implementing this interface, providing the explicit mechanism for custom serialization and deserialization processes.

When comparing Serializable vs. Externalizable, the primary difference lies in the level of control offered to the developer. With Serializable, the JVM takes the reins of serialization, automatically serializing every non-transient and non-static field. However, Externalizable hands this control over to the developer, allowing for custom logic in the `writeExternal()` and `readExternal()` methods.

This fine-grained control can be beneficial in complex scenarios where specific serialization logic is required, making Externalizable a powerful tool in the Java developer’s toolkit.

Java Serialization with Inheritance: Scenarios and Solutions

Delving deeper into the subject of Java Serialization, it’s essential to understand how it works with Inheritance, a fundamental aspect of object-oriented programming in Java.

When it comes to Java Inheritance Serialization, if a superclass implements the Serializable interface, the subclass is automatically serializable. Serialization encompasses the entire object graph, capturing all superclass fields along with the subclass fields.

Consider this example:

import java.io.Serializable;

public class Employee implements Serializable {

   private static final long serialVersionUID = 1L;

   private String name;

   // rest of the class

}

public class Manager extends Employee {

   private String department;

   // rest of the class

}

In this case, `Manager` inherits from `Employee,` and `Employee` implements `Serializable.` Even though `Manager` does not explicitly implement `Serializable,` instances of `Manager` can be serialized because the superclass (`Employee`) implements `Serializable.`

However, things become tricky when the superclass does not implement `Serializable.` In this scenario, the superclass must have a no-arg constructor, which is called during the deserialization of the subclass. If the superclass doesn’t have a no-arg constructor, a `RuntimeException` will occur.

Understanding Java Serialization with Inheritance is crucial as it influences how you design your classes and their relationships. Knowing how to serialize subclasses and the potential pitfalls can help you avoid common mistakes and make your application more robust.

Java Serialization Security Concerns and Best Practices

While Java Serialization is a powerful tool, it also brings forth potential security concerns that developers need to be aware of. Among these, arbitrary object creation during deserialization is the most common issue, which can lead to serious vulnerabilities such as Remote Code Execution (RCE). 

The heart of the problem is that the deserialization process automatically executes any class in the byte stream without any validation or checks. A malicious user could craft a byte stream with embedded harmful code, which gets executed upon deserialization.

Additionally, serialized objects can leak sensitive information. If an attacker gains access to a serialized object containing confidential data, they can deserialize it and obtain this information.

Given these Java Serialization security concerns, here are some best practices:

1. Least Privilege: Only grant the minimal necessary permissions for serializable classes. Limiting access can prevent unauthorized actions even if a class is exploited.

2. Validation: Implement validation checks during deserialization. This can help ensure that only expected classes are deserialized.

3. Encryption: Encrypt sensitive data before serialization to prevent exposure of confidential information if an attacker gains access to serialized objects.

4. Alternatives: Consider safer alternatives to Java Serialization, such as converting objects to JSON or XML.

5. Avoid Deserialization of Untrusted Data: Never deserialize data received from an untrusted source. This is the most effective way to prevent deserialization attacks.

By adhering to these Java Serialization best practices, you can safeguard your application against potential vulnerabilities and security breaches, ensuring a secure and robust system.

Conclusion: The Power and Precautions of Java Serialization

As we conclude this comprehensive guide on Java Serialization, we’ve navigated through the intricacies of serialization, understanding its fundamental principles, use cases, and implementation. We’ve delved into its interplay with inheritance and explored the Serializable and Externalizable interfaces. Moreover, we’ve examined the potential security issues and best practices that secure the power of Java Serialization.

In summary, Java Serialization is an essential tool in a Java developer‘s toolkit. It enables highly flexible data storage and communication when employed correctly and cautiously. However, it is crucial to be mindful of its potential security implications and to follow best practices to ensure a robust, efficient, and secure application.

Check out these Software Development Programs

  1. E&ICT IIT Roorkee: Advanced Certificate Program in Full Stack Software Development
  2. Full-Stack Software Development Bootcamp Program

→ Explore this Curated Program for You ←

Avatar photo
Great Learning Editorial Team
The Great Learning Editorial Staff includes a dynamic team of subject matter experts, instructors, and education professionals who combine their deep industry knowledge with innovative teaching methods. Their mission is to provide learners with the skills and insights needed to excel in their careers, whether through upskilling, reskilling, or transitioning into new fields.

Full Stack Software Development Course from UT Austin

Learn full-stack development and build modern web applications through hands-on projects. Earn a certificate from UT Austin to enhance your career in tech.

4.8 ★ Ratings

Course Duration : 28 Weeks

Cloud Computing PG Program by Great Lakes

Enroll in India's top-rated Cloud Program for comprehensive learning. Earn a prestigious certificate and become proficient in 120+ cloud services. Access live mentorship and dedicated career support.

4.62 ★ (2,760 Ratings)

Course Duration : 8 months

Scroll to Top