Saturday, August 9, 2008

Serialization and Deserialization Important Tips

**For an object to be serialized, it has to implement either the or interfaces, the latter being a subtype of Serializable.


**Serializable is a marker interface: it specifies no methods and merely indicates an object that has serializable state.


**All subclasses of a Serializable class are also serializable.


**If a supertype of a Serializable object is not itself serializable, then the object can assume the responsibility for saving and reconstructing the supertype's state (public, protected, and package fields if they share a package).For this to work, the superclass must have a public no-arg constructor.


**Further, if an object at runtime refers to a nonserializable object, the serialization system will throw a NotSerializableException, since it cannot write the complete object graph to the serialized stream.


**If an object holds multiple references to another object, this second object is serialized only once, and subsequent references to it will include a handle as a reference instead.


**Along with instance data, the object serialization system writes a special object to the stream to represent the serializable object's class.


**This object is of the type, and is essentially a descriptor for the Class object associated with the serializable object. It contains the class's name, its unique version number (serialVersionUID), and the class fields.


**In addition, it also has methods to obtain the actual class represented by this object, if, and only if, this class is already present in the local VM:

Class forClass() : If there is no class identified in the local VM that corresponds to this ObjectStreamClass, then a null value is returned.


**Not all objects are suitable for serialization:

1.Threads, for instance, do not have state that can later be recreated. (Actually, it is possible, but very difficult, to do so.)

2.There can also be objects that should not be serialized for semantic reasons. Even if an object is serializable, you may not need to write all object fields to the stream during serialization. For instance, a variable that loses its meaning in a different execution context (such as something indicating the current time) should be marked transient, and will instead be initialized to its default value when reading it from the stream.


**If instances of a class need a special way to serialize their state, that class can implement the Externalizable interface, which mandates two methods:
void readExternal(ObjectInput inputStream);

void writeExternal(ObjectOutput outputStream);


**The main difference between Externalizable and Serializable is that the latter serializes, by default, the entire object graph, including states of an object's superclass. While in the former Only the identity of the class of an Externalizable instance is written in the serialization stream and it is the responsibility of the class to save and restore the contents of its instances.

Externalizable gives you complete control over the serialization process.

Serialization allows you to create a JVM-independent binary representation of an in-memory Java object. This external representation may be used to transfer or store the object and to recreate it in another JVM.


**Two streams in

1. ObjectInputStream

2. ObjectOutputStream

-- are run-of-the-mill byte streams and work like the other input and output streams. However, they are special in that they can read and write objects.


**Serializable has no methods but Externalizable has 2 methods: readExternal() and writeExternal()


You can use object serialization in the following ways:
· Remote Method Invocation (RMI) --communication between objects via sockets
· Lightweight persistence--the archival of an object for use in a later invocation of the same program.


**Technique to protect sensitive data in classes :

Mark fields that contain sensitive data as private transient. transient and static fields are not serialized or deserialized.

Marking the field will prevent the state from appearing in the stream and from being restored during deserialization.

Since writing and reading (of private fields) cannot be superseded outside of the class, the class's transient fields are safe.


No comments:

Search Amazon for Best Books on Java J2EE


blogarama - the blog directory

Search your favourite topics