Versions Compared

...

When serialization is unavoidable, the class may still suffer from serializability issues. Usually this happens when the serializable class holds references to non-serializable objects. This compliant solution avoids the possibility of incorrect serialization and also protects sensitive data members from being serialized accidentally. The basic idea is to declare the target member as transient so that it is excluded from the set of fields written whenever default serialization is used.

...

Other solutions include providing custom implementations of the writeObject(), writeReplace(), and writeExternal() methods so that sensitive fields are not written to the serialized stream, or, alternatively, performing proper validation checks while deserializing. Yet another remedy is to define the serialPersistentFields array field and ensure that sensitive fields are not added to the array (see SER00-J. Maintain serialization compatibility during class evolution). Sometimes it is necessary to prevent an object whose superclass implements Serializable (and which is therefore serializable itself) from being serialized. This is the focus of the second noncompliant code example.
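The following is an added example, not code from the CERT page; the classes Session and Account, their field names, and the sample secret values are hypothetical. It combines the two remedies above: Session marks its secret and its non-serializable Thread reference transient and pairs a custom writeObject() with a validating readObject(), while Account uses serialPersistentFields to whitelist only the id field. The main() method serializes both, scans the raw stream for the secret string (Java writes strings as modified UTF-8, so an ASCII secret would appear verbatim), and deserializes to show the secret is not restored.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public final class TransientDemo {

    // Hypothetical class: holds a secret and a reference to a non-serializable object.
    static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;

        private final String user;
        // transient: never written by default serialization
        private transient String secret;
        // transient: Thread is not Serializable, so a non-transient reference
        // would make writeObject() throw NotSerializableException
        private transient Thread worker;

        Session(String user, String secret) {
            this.user = user;
            this.secret = secret;
            this.worker = new Thread(() -> { });
        }

        // Custom writeObject(): only the non-transient fields are written
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
        }

        // Validate the restored state and re-establish transient fields
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (user == null || user.isEmpty()) {
                throw new InvalidObjectException("user must be present");
            }
            this.worker = new Thread(() -> { });
            // secret stays null: the caller must re-authenticate
        }

        String getSecret() { return secret; }
    }

    // Same effect via serialPersistentFields: only the listed fields are persisted.
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;

        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("id", String.class)
        };

        private final String id;
        private String password; // not in the whitelist, so never serialized

        Account(String id, String password) {
            this.id = id;
            this.password = password;
        }

        String getPassword() { return password; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Serialized strings are modified UTF-8; an ASCII secret would be visible verbatim.
    static boolean streamContains(byte[] bytes, String needle) {
        return new String(bytes, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        byte[] s = serialize(new Session("alice", "hunter2-TOKEN")); // constructed sample values
        System.out.println("session stream leaks secret? " + streamContains(s, "hunter2-TOKEN"));
        System.out.println("restored secret: " + ((Session) deserialize(s)).getSecret());

        byte[] a = serialize(new Account("acct-42", "p@ssw0rd"));   // constructed sample values
        System.out.println("account stream leaks password? " + streamContains(a, "p@ssw0rd"));
        System.out.println("restored password: " + ((Account) deserialize(a)).getPassword());
    }
}
```

Running it prints false for both leak checks and null for both restored secrets. Note that deserialization of a Serializable class bypasses its constructors, so any invariant the constructor enforces must be re-checked in readObject(); the InvalidObjectException above is that check.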

...