Explain Codes LogoExplain Codes Logo

What is object serialization?

java
serialization
object-state
custom-serialization
Alex KataevbyAlex Kataev·Dec 7, 2024
TLDR

In Java, serialization can be thought of as the process of converting an object into a byte stream for the purpose of storing it in a file, sending it over a network, or saving it in a database. By marking a class with the Serializable interface, it signals that it can be flattened and saved. Likewise, we use the ObjectOutputStream for the serialization process and ObjectInputStream for the inverses process known as deserialization.

Here's Alice... in the Wonderland of Serialization!

import java.io.*; class Employee implements Serializable { String name; // You can't see me! I'm a 'transient' variable. transient int SSN; Employee(String name, int SSN) { this.name = name; this.SSN = SSN; } public static void main(String[] args) throws IOException { Employee emp = new Employee("Alice", 123456789); // Serialize me, captain! try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("employee.ser"))) { oos.writeObject(emp); } // We're now in an era where Alice is bytes! } }

Here, only Alice's name is serialized because her SSN is transient (a bit camera shy). Now, Alice is ready to travel the world, well, the employee.ser file in this case.

Breaking down the basics of serialization

Serialization provides us with the means to convert complex object hierarchies into a linear format (byte stream) that can be stored or transmitted across network links. However, the primary goal of serialization is not just to convert but to preserve the object state for future reconstruction (“deserialization”).

serialVersionUID: The version enforcer

Have you ever wondered what happens when you make changes to the class after you've serialized it? The unique serialVersionUID comes into play. Think of it as the version control guy, checking if your class version at serialization and deserialization time is the same. If not, it throws an InvalidClassException, reminding you to bring in the same class, please.

Diving into custom serialization

As Spiderman's Uncle Ben says—"With great power comes great responsibility!". Similarly, Java's writeObject and readObject methods let you implement custom serialization logic. Like an artist, you have the power to paint (serialize) and interpret (deserialize) the objects your way. You can either add extra security or manage transient fields or more...handle with care.

How is serialization applied in the real-world?

In real-world applications, serialization comes in handy for scenarios like preserving application state between sessions, caching data, or moving objects between JVMs via communication protocols.

Going beyond Java and security considerations

Serialization isn’t exclusive to Java. Cross-platform serialization empowers applications, built using different technologies, to have a conversation—exchange objects and understand shared semantics.

The dark side of serialization: security

Like all good things, even serialization has its own dark side—security vulnerabilities. Untrusted data, when deserialized, can lead to attack vectors. Therefore, deserialize only trusted data. Also, remember that the keyword transient isn't just shy, it's also security-conscious. 😉

The role of serialization in distributed computing

In a distributed ecosystem, systems communicate by sending data across the network. Serialization deconstructs complex objects into bits and bytes so that they can travel over the wire and be resurrected on the other side. It's an integral part of RMI (Remote Method Invocation), REST APIs, microservices archictecture, and more.