Java serialization

I have a doubt that I came across while reading Effective Java. I apologize if this is a simple and direct doubt. So, in Item 74 - Implement Serializable judiciously, he says that even after implementing good information hiding in your class, using private and package-private fields, it is inclined to lose efficiency? Regardless of what I read in the past, all serialization does is convert the objects into a byte stream form, and after deserialization the same object is restored. How will it lose data hiding in this process?

+6
java serialization effective-java
3 answers

You can access the value of the internal state of an object using serialization and deserialization.

By serializing an object, you can read the values of private fields that you otherwise should not be able to. Conversely, if you create a well-designed byte array that you deserialize into an instance, you can initialize it in an illegal state.

+4

The problem of hiding data with serialization in the context of OOP is indicated by @candiru.

But there is another aspect: Serialization.

You can send a serialized file over the network so that it can be snooped, and things that should be private can be easily compromised.

Below is the content of the Bean class that I serialized (using the default method). I could view the contents by opening the serialized file in a text editor.

  ¬í sr SerializationPractice1 I ageL extrat Ljava/lang/String;L nameq ~ xp
  pt SidKumarq ~ x

Now you can easily find the things below without even knowing anything about the class:

  • Class Name: SerializationPractice1
  • String attribute named name - SidKumar

You may notice these things for sure; other details are not so clear. And the above information is correct.

0
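The two answers above make the same point from two sides: default serialization writes the class name, the private field names and their values into the stream in the clear, and a byte array fed back into ObjectInputStream is untrusted input that can build an object the constructor would never have allowed. The following program is an added example (not code from the question or either answer) that shows both on a constructed Account class: it renders the stream the way a text editor would, then demonstrates the two standard mitigations from Effective Java and the JDK, a readObject that re-checks the class invariant and an ObjectInputFilter (Java 9+) that allows only the expected classes. The class, field and value names are all made up for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Arrays;

public class SerializationLeakDemo {

    // Constructed example class. "private" limits compile-time access only; default
    // serialization still writes the field names and values into the stream.
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;
        private final int balance;   // class invariant: never negative

        Account(String owner, int balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.owner = owner;
            this.balance = balance;
        }

        int balance() { return balance; }

        // The stream is untrusted input, so the constructor's invariant is re-checked
        // here; without this, a modified stream yields an Account that was never
        // constructible (the "illegal state" from the first answer).
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (balance < 0) throw new InvalidObjectException("negative balance in stream");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Render the stream the way a text editor would: printable bytes as-is, others as '.'.
    static String printable(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length);
        for (byte b : bytes) sb.append(b >= 0x20 && b < 0x7f ? (char) b : '.');
        return sb.toString();
    }

    static Account deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Second defence (Java 9+): only the classes we expect may be instantiated
            // from this stream; everything else is rejected before it is constructed.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "SerializationLeakDemo$Account;java.base/*;!*"));
            return (Account) in.readObject();
        }
    }

    // Copy of the stream with the first big-endian occurrence of `from` replaced by `to`.
    // Used only to show that readObject rejects the result.
    static byte[] patchInt(byte[] stream, int from, int to) {
        byte[] needle = ByteBuffer.allocate(4).putInt(from).array();
        byte[] out = stream.clone();
        for (int i = 0; i + 4 <= out.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(out, i, i + 4), needle)) {
                System.arraycopy(ByteBuffer.allocate(4).putInt(to).array(), 0, out, i, 4);
                return out;
            }
        }
        throw new IllegalStateException("value not found in stream");
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Account("SidKumar", 4242));
        String text = printable(stream);
        System.out.println(text);
        // The class name, both field names and the String value are all readable.
        System.out.println("class visible: " + text.contains("Account"));
        System.out.println("field visible: " + text.contains("balance"));
        System.out.println("value visible: " + text.contains("SidKumar"));

        // Round trip of an intact stream succeeds.
        System.out.println("balance after round trip: " + deserialize(stream).balance());

        // A stream with the balance rewritten to -1 is rejected by readObject.
        try {
            deserialize(patchInt(stream, 4242, -1));
            System.out.println("tampered stream accepted (validation missing)");
        } catch (InvalidObjectException e) {
            System.out.println("tampered stream rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerializationLeakDemo.java && java SerializationLeakDemo`. The first printed line is the same kind of dump the second answer shows from a text editor; the last lines show that the invariant check in readObject is what stands between a modified stream and an object in a state the class never allows. The filter string is an allow-list: the Account class and the JDK's own java.base classes (String among them) are accepted, `!*` rejects every other class before it is instantiated.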

I really believe that serialization has the potential to expose private data to the outside world. And this is where externalization (using instances of type Externalizable) is very convenient. By implementing the Externalizable interface's writeExternal(...), the developer has full control over the serialization process and does not fully rely on the standard default serialization implementation. Below is the pseudo code for my idea (I would ignore the actual method signatures, as this is just pseudo code designed to convey a wider idea):

  class SensitiveData implements java.io.Externalizable {
      int sensitiveInteger;

      // Externalizable needs a public no-arg constructor for deserialization
      public SensitiveData() {}

      public void writeExternal(java.io.ObjectOutput outputData) throws java.io.IOException {
          // encrypt sensitiveInteger here
          // serialize the sensitiveInteger, which is now encrypted, to any persistent store
          outputData.writeInt(sensitiveInteger);
          // do other processing
      }

      public void readExternal(java.io.ObjectInput inputData) throws java.io.IOException, ClassNotFoundException {
          // read the encrypted value back and decrypt it here
          sensitiveInteger = inputData.readInt();
      }
  }

In fact, why only encryption; we might also want to compress the serialized bytes going into some persistent store in situations where the instance is "large".

0
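The pseudo code above leaves the encryption step as a comment. The following class is an added example (not the answerer's code) that carries the idea through with a real authenticated cipher: writeExternal encrypts the sensitive integer with AES-GCM under a key that lives only in memory, readExternal decrypts it and rejects the object when the authentication tag does not verify, and a non-sensitive label is written in the clear for contrast. The static `key` field, the `label` field and the sample values are assumptions made for the demonstration; in a real system the key would come from a KeyStore, KMS or HSM rather than a static field.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.io.StreamCorruptedException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SensitiveData implements Externalizable {
    private static final int IV_BYTES = 12;                 // 96-bit GCM nonce
    private static final int TAG_BITS = 128;
    private static final int CT_BYTES = 4 + TAG_BITS / 8;   // 4-byte int + 16-byte tag

    // Placeholder for the real key source (KeyStore, KMS or HSM in practice). The key is
    // held only in memory and is never part of the stream.
    static SecretKey key;

    private String label;            // non-sensitive, written in the clear
    private int sensitiveInteger;    // never leaves this object unencrypted

    public SensitiveData() {}        // Externalizable requires a public no-arg constructor

    public SensitiveData(String label, int sensitiveInteger) {
        this.label = label;
        this.sensitiveInteger = sensitiveInteger;
    }

    int sensitiveInteger() { return sensitiveInteger; }

    @Override
    public void writeExternal(ObjectOutput out) throws IOException {
        out.writeUTF(label);
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);            // fresh nonce for every serialization
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(ByteBuffer.allocate(4).putInt(sensitiveInteger).array());
            out.write(iv);
            out.write(ct);                            // ciphertext followed by the GCM tag
        } catch (GeneralSecurityException e) {
            throw new IOException("encryption failed", e);
        }
    }

    @Override
    public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
        label = in.readUTF();
        byte[] iv = new byte[IV_BYTES];
        byte[] ct = new byte[CT_BYTES];              // fixed size: no stream-chosen length
        in.readFully(iv);
        in.readFully(ct);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            sensitiveInteger = ByteBuffer.wrap(c.doFinal(ct)).getInt();
        } catch (GeneralSecurityException e) {
            // A modified ciphertext or tag fails authentication: reject the whole object.
            throw new StreamCorruptedException("sensitive field failed authentication");
        }
    }

    // true if `needle` occurs anywhere in `haystack`
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) if (haystack[i + j] != needle[j]) continue outer;
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        key = kg.generateKey();

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new SensitiveData("account-7", 4242));   // constructed sample
        }
        byte[] stream = bos.toByteArray();

        // The label is still readable in the stream; the big-endian int 4242 is not.
        System.out.println("label in clear: " + contains(stream, "account-7".getBytes(StandardCharsets.UTF_8)));
        System.out.println("int in clear:   " + contains(stream, ByteBuffer.allocate(4).putInt(4242).array()));

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            SensitiveData d = (SensitiveData) in.readObject();
            System.out.println("recovered value: " + d.sensitiveInteger());
        }
    }
}
```

Two design points worth noting: the ciphertext length is fixed by the field type rather than read from the stream, so a modified stream cannot make readExternal allocate an arbitrary buffer, and GCM's authentication tag turns any edit of the encrypted bytes into a StreamCorruptedException instead of a silently wrong value. Compression, which the answer also mentions, would wrap the same ObjectOutput in a DeflaterOutputStream before the encryption step, never after it.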
