"An inner class is a nested class that is not explicitly or implicitly declared static" [JLS 2015]. Serialization of inner classes (including local and anonymous classes) is error prone. According to the Serialization Specification [Sun 2006]:

  • Serializing an inner class declared in a non-static context that contains implicit non-transient references to enclosing class instances results in serialization of its associated outer class instance.
  • Synthetic fields generated by Java compilers to implement inner classes are implementation dependent and may vary between compilers; differences in such fields can disrupt compatibility as well as result in conflicting default serialVersionUID values. The names assigned to local and anonymous inner classes are also implementation dependent and may differ between compilers.
  • Because inner classes cannot declare static members other than compile-time constant fields, they cannot use the serialPersistentFields mechanism to designate serializable fields.
  • Because inner classes associated with outer instances do not have zero-argument constructors (constructors of such inner classes implicitly accept the enclosing instance as a prepended parameter), they cannot implement Externalizable. The Externalizable interface requires the implementing object to manually save and restore its state using the writeExternal() and readExternal() methods.

Consequently, programs must not serialize inner classes.

Because none of these issues apply to static member classes, serialization of static member classes is permitted.

Noncompliant Code Example

In this noncompliant code example, the fields contained within the outer class are serialized when the inner class is serialized:

public class OuterSer implements Serializable {
  private int rank;
  class InnerSer implements Serializable {
    protected String name;
    // ...
  }
}

Compliant Solution

The InnerSer class of this compliant solution deliberately fails to implement the Serializable interface:

public class OuterSer implements Serializable {
  private int rank;
  class InnerSer {
    protected String name;
    // ...
  }
}

Compliant Solution

If an inner and outer class must both be Serializable, the inner class can be declared static to prevent a serialized inner class from also serializing its outer class.

public class OuterSer implements Serializable {
  private int rank;
  static class InnerSer implements Serializable {
    protected String name;
    // ...
  }
}

Risk Assessment

Serialization of inner classes can introduce platform dependencies and can cause serialization of instances of the outer class.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER05-J

Medium

Likely

Medium

P12

L1

Automated Detection

Detection of inner classes that implement serialization is straightforward.


Related Guidelines

MITRE CWE

CWE-499, Serializable Class Containing Sensitive Data

Bibliography



14 Comments

  1. The severity is medium because of the potential for sensitive info disclosure, if an inner class serializes a sensitive outer class.

    The likelihood is 'likely' becaus an inner class would always serialize an outer class.

    Changed the remediation cost is 'medium' because a serializable inner class is easy to detect by automated tools. But unless the inner class says 'implements Serializable', fixing the problem requires manual intervention.

  2. Bibliography?

    [JLS 2005]

    Section 8.1.3, Inner Classes and Enclosing Instances

    [Sun 2006]

    Java Object Serialization Specification, Section 1.10 The Serializable Interface

    1. Yow! The bibliography got munched back in May! Restored it.

      1. how about the following refinement on the bibliography?

          1. Why "section 1.10" is not added?
            I believe the information (section 1.10) is useful for readers who want to check the original information.

            For example, SER11-J has an entry

            [Sun 2006]

            Serialization Specification, A.7, Preventing Overwriting of Externalizable Objects

            (I want to confirm if there is any policy on this...)

            1. No policy, just didn't notice it (I was in a hurry). Fixed.

  3. I changed the paragraph at the last CS.
    anyone please check if I understand things correctly?

    OLD:

    The inner class may be declared static to prevent its serialization. A static inner class may also implement Serializable.

    NEW:

    the member class may be declared static to prevent its serialization. A static member class may also implement Serializable.

    more verbose writing with my understanding is:

    You can declare the member class as static to prevent its serialization when its outer class instance is serialized.
    A static member class itself can implement Serializable if necessary. No worry about serializing any information from the outer class instance because the static member class does not have a reference to the outer class instance.

    1. I think both your OLD and NEW texts are accurate and correct.

      Your 'more verbose writing' seems to indicate that serializing an outer class will also serialize an inner member class (unless it is static). That is not the danger...the danger is that serializing the inner class causes the outer class to also be serialized (unless the inner class is static).

      1. aha, my wording was incorrect.

        looking back at code examples...

        • NCCE: serializing an inner class may emit some sensitive information from the outer class
        • 1st CS: make the inner class non-serializable if possible.
        • 2nd CS: change that inner class to the static member class if serialization is necessary.

        with this scenario, how about the revised paragraph at the 2nd CS:

        OLD:

        the member class may be declared static to prevent its serialization. A static member class may also implement Serializable.

        NEW:

        If you need the member class as serializable, it must (or should?) be declared as static.

        1. Well, you can't say 'must', because declaring the inner class static is not the only solution, and is sometimes not possible. This is one solution, and not the only possibility. Sorry, I prefer the OLD wording.

          1. I still think the "OLD wording" above is bad because

            • the 1st sentence is incorrect because static declaration cannot prevent its serialization (maybe it should be written as "to prevent serializing the associated outer class instance", instead of "to prevent serialization" ?)
            • it's not clear to me what the 2nd sentence tries to explain; "a static member class may also implement Serializable." yes, so what?

            so, my (another) proposal is here

            If you need a serializable member class, then it should be static to prevent to serialize the associated outer class instance.

            1. Good points. I rewrote the paragraph.

  4. Automated Detection:

    Donar:

    findbugs:SE_BAD_FIELD_INNER_CLASS

    and

    findbugs:SE_INNER_CLASS