top of page
Writer's pictureSiddharth Patel

Java - Serialization


Java Serialization is a mechanism that allows you to convert an object into a stream of bytes, which can then be saved to a file or sent over a network. This process is known as serialization, and it allows you to easily store and transfer objects between different systems.


To serialize an object in Java, you simply need to implement the Serializable interface. This interface doesn't have any methods that you need to implement, but it serves as a marker interface that tells the Java runtime that your object can be serialized.


Here's an example of a simple Java class that implements the Serializable interface:


```

import java.io.Serializable;


public class Person implements Serializable {

private String name;

private int age;


public Person(String name, int age) {

this.name = name;

this.age = age;

}


public String getName() {

return name;

}


public int getAge() {

return age;

}

}

```


In this example, we've created a simple Person class that has a name and an age. By implementing the Serializable interface, we're telling Java that this class can be serialized.


To serialize an object, you simply need to create an ObjectOutputStream and write the object to it. Here's an example:


```

import java.io.FileOutputStream;

import java.io.ObjectOutputStream;


public class SerializationExample {

public static void main(String[] args) {

Person person = new Person("John Doe", 30);


try {

FileOutputStream fileOut = new FileOutputStream("person.ser");

ObjectOutputStream out = new ObjectOutputStream(fileOut);

out.writeObject(person);

out.close();

fileOut.close();

System.out.println("Serialized data is saved in person.ser");

} catch (Exception e) {

e.printStackTrace();

}

}

}

```





Deserializing an Object


Java Deserialization is the process of converting a stream of bytes back into an object. This process is the reverse of serialization, and it allows you to easily retrieve objects that have been serialized.


To deserialize an object in Java, you simply need to create an ObjectInputStream and read the object from it. Here's an example:


```

import java.io.FileInputStream;

import java.io.ObjectInputStream;


public class DeserializationExample {

public static void main(String[] args) {

try {

FileInputStream fileIn = new FileInputStream("person.ser");

ObjectInputStream in = new ObjectInputStream(fileIn);

Person person = (Person) in.readObject();

in.close();

fileIn.close();

System.out.println("Deserialized data: " + person.getName() + ", " + person.getAge());

} catch (Exception e) {

e.printStackTrace();

}

}

}

```


In this example, we're creating an ObjectInputStream to read the serialized Person object from the file "person.ser". We're then casting the object to a Person object and printing out its name and age.


It's important to note that deserialization can be a security risk if you're not careful. If you're deserializing objects from an untrusted source, an attacker could potentially send you a malicious object that could execute arbitrary code on your system. To prevent this, you should always validate the input before deserializing it.


One way to do this is to use a whitelist of allowed classes that can be deserialized. You can do this by creating a custom ObjectInputStream that only allows certain classes to be deserialized. Here's an example:


```

import java.io.IOException;

import java.io.InputStream;

import java.io.ObjectInputStream;

import java.io.ObjectStreamClass;

import java.util.Arrays;

import java.util.List;


public class WhitelistObjectInputStream extends ObjectInputStream {

private List<String> allowedClasses;


public WhitelistObjectInputStream(InputStream in, String... allowedClasses) throws IOException {

super(in);

this.allowedClasses = Arrays.asList(allowedClasses);

}


@Override

protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {

if (!allowedClasses.contains(desc.getName())) {

throw new ClassNotFoundException("Class not allowed: " + desc.getName());

}

return super.resolveClass(desc);

}

}

```


In this example, we're creating a custom ObjectInputStream that only allows classes that are in the allowedClasses list to be


3 views0 comments

Recent Posts

See All

Comments


bottom of page