Page History

The Java API [API 2006] for the Serializable inteface declares:

Classes that require special handling during

...

object serialization and deserialization

...

must implement special methods with

...

exactly the following signatures [API 2006]:

 private void writeObject(java.io.ObjectOutputStream out)

...

 throws IOException

...

 private void readObject(java.io.ObjectInputStream in)

...

 throws IOException, ClassNotFoundException;

...

 private void readObjectNoData()

...

 throws ObjectStreamException;

According to the Serialization Specification \[[Sun 2006|AA. Bibliography#Sun 06]\], {{readResolve()}} and {{writeReplace()}} method documentation:

For Serializable and Externalizable classes, the readResolve method allows a class to replace/resolve the object read from the stream before it is returned to the caller. By implementing the readResolve method, a class can directly control the types and instances of its own instances being deserialized.

For Serializable and Externalizable classes, the writeReplace method allows a class of an object to nominate its own replacement in the stream before the object is written. By implementing the writeReplace method, a class can directly control the types and instances of its own instances being serialized.

It is possible to add any access-specifier to the readResolve() and writeReplace() methods. However, if they are declared private, extending classes cannot invoke or override them. Similarly, if either of these methods is declared static, extending classes cannot override the method, they can only hide it.

Deviating from these method signatures produces a method that will, in fact, is not be invoked during object serialization or deserialization. Such a method will clearly not have the expected behavior. Such methods, especially if declared public, might be accessible to untrusted code.

Be aware that, unlike Unlike most interfaces, Serializable does not define the method signatures it requires . It cannot, because readObject() and writeObject() are private. Consequently, the Java compiler will not identify a deviant an incorrect method signature.

Noncompliant Code Example

This noncompliant code example shows a class Ser with a private constructor, indicating that code external to the class should not be unable able to create instances of it. The class implements java.io.Serializable and defines public readObject() and writeObject() methods. Consequently, untrusted code can obtain the reconstituted objects by using readObject(), and can write to the stream by using writeObject().

...

...