Reputation: 57
Restrictions on serialization
I created a simple class with two int variables which implements Serializable interface. then i created object for this class and serialized using ObjectOutputStream in my local file system. now the point is after serializing i modified the serilized class by removing one variable.
Now When i try to Deserialize the object it is throwing an Exception called "java.io.InvalidClassException".
So is there any way to restrict modifying the serialized class.
what is this scenario called in java/programming terminology.
Thanks in Advance.
my Code is as follows :
package sample;
import java.io.Serializable;
public class Serial implements Serializable{
int a,b;
public void disp(){
System.out.println(a+" "+b);
}
}
package sample;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
public class ser {
public static void main(String[] args) {
Serial ss=new Serial();
ss.a=10;
//ss.b=20;
try{
FileOutputStream fio=new FileOutputStream("D:\\abc.ggg");
ObjectOutputStream oos=new ObjectOutputStream(fio);
oos.writeObject(ss);
}
catch(Exception e){
e.printStackTrace();
}
}
}
package sample;
import java.io.FileInputStream;
import java.io.ObjectInputStream;
public class Dser {
public static void main(String[] args) {
try {
FileInputStream fis=new FileInputStream("D:\\abc.ggg");
ObjectInputStream ois=new ObjectInputStream(fis);
Serial sss=(Serial)ois.readObject();
sss.disp();
System.out.println(sss.a+" ");
} catch (Exception e) {
e.printStackTrace();
}
}
}
Upvotes: 1
Views: 958
Answers (2)
Reputation: 180
I think the best way to restrict the changing of a serialized class is through a combination of javadoc and testing. In other words, you can't strictly enforce that no one changes it, but you can certainly suggest strongly that they don't unless they've thought through the consequences.
When you serialize a class a lot more than you might intend becomes part of your public API and you are locked into it forever more. If you haven't yet, I'd suggest checking out the serialization chapters from Josh Bloch's book "Effective Java" - Items 74-78. He goes into the myriad pitfalls you can encounter and how to avoid a good number of them.
Upvotes: 0
Reputation: 68915
Each serializable class has an associated serialVersionUID . like
private static final long serialVersionUID = 1L;
Either you provide it or JVM will compute it while serializing the instance of the class. Generally when you modify your class you modify this ID so that class versions are matched. When you do not provide ID then the ID computed is considering your instance variables so it will be different if you change the class which is one of the reason you are getting java.io.InvalidClassException.
Now when you change your class i.e remove a variable in your case and your serialized class in the file still has the old class instance. When it is deserialized instance state is extracted from the file and tried to inject in a newly created object using Reflection. Now when it will try to inject the value of the variable you have removed it will throw exception.
Upvotes: 1
Related Questions
- Java Serialization with non serializable parts
- Java: What can and what can't be serialized?
- Java Serializable
- What are the conditions for Serializable?
- Java Serialization
- Java Serialization
- Catch-22 in serialization
- Customized serialization in Java
- Can anything be serialized as long as it implements Serializable?
- Java: Restriction on serializability