Serialization

Serialization enables the state of objects in a Java program to be captured and written out to a byte stream [[Sun 04b]]. This allows for the object state to be preserved so that it can be reinstated (by deserialization). Serialization also allows for Java method calls to be transmitted over a network for Remote Method Invocation (RMI). An object (called someObject in the following example) can be serialized as follows:

// Requires java.io.ObjectOutputStream and java.io.FileOutputStream
ObjectOutputStream oos = new ObjectOutputStream(
    new FileOutputStream("SerialOutput"));
oos.writeObject(someObject); // writes every non-transient field, private ones included
oos.flush();
oos.close();

The object can be deserialized as follows:

// Requires java.io.ObjectInputStream and java.io.FileInputStream
ObjectInputStream ois = new ObjectInputStream(
    new FileInputStream("SerialOutput"));
someObject = (SomeClass) ois.readObject(); // rebuilds the object from whatever the stream contains
ois.close();

Serialization captures all the fields of a class that implements the Serializable interface, including the non-public fields that are not normally accessible. If the byte stream to which the serialized values are written is readable, the values of those normally inaccessible fields can be read from it. Moreover, it may be possible to modify or forge the preserved values so that, when the object is deserialized, its fields are restored with corrupted values.

Introducing a security manager does not prevent the normally inaccessible fields from being serialized and deserialized (although permission must be granted to write to and read from the file or network if the byte stream is being stored or transmitted). Network traffic (including RMI) can be protected, however, by using SSL.
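The following added example (not part of the original guideline, and not CERT's code) makes the point above concrete: a private field of a Serializable object is written into the stream verbatim and can be read back out of the raw bytes, while a field marked transient is omitted and is restored as null after deserialization. The Credential and SafeCredential classes, the field names and the sample password value are all constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializationExposure {

    // Hypothetical class: the password is private, but Serializable still writes it out.
    static class Credential implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String user;
        private final String password; // private does not mean protected from serialization

        Credential(String user, String password) {
            this.user = user;
            this.password = password;
        }

        String getPassword() { return password; }
    }

    // Same shape, but the sensitive field is transient, so it never enters the stream.
    static class SafeCredential implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String user;
        private transient String password; // skipped by default serialization

        SafeCredential(String user, String password) {
            this.user = user;
            this.password = password;
        }

        String getPassword() { return password; } // null after a round trip
    }

    // Serialize an object into memory instead of a file, so the bytes can be inspected.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return ois.readObject();
        }
    }

    // Reviewer-style check: does a literal value appear in the serialized bytes?
    // Strings are written in modified UTF-8, so an ASCII secret appears unchanged.
    static boolean streamContains(byte[] stream, String needle) {
        String text = new String(stream, StandardCharsets.ISO_8859_1);
        return text.contains(needle);
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-sample-password"; // constructed value, not a real credential

        byte[] leaky = serialize(new Credential("alice", secret));
        byte[] safe = serialize(new SafeCredential("alice", secret));

        System.out.println("private field visible in stream:   " + streamContains(leaky, secret));
        System.out.println("transient field visible in stream: " + streamContains(safe, secret));

        Credential c = (Credential) deserialize(leaky);
        SafeCredential s = (SafeCredential) deserialize(safe);
        System.out.println("private field after round trip:    " + c.getPassword());
        System.out.println("transient field after round trip:  " + s.getPassword());
    }
}
```

Run with `javac SerializationExposure.java && java SerializationExposure`. The first check prints true and the second false; the round trip restores the private password intact but leaves the transient one null, which is the trade-off a design has to make when a field must not be preserved in the stream. The same inspection applies to a stream captured from a file or the network, which is why the guideline recommends protecting the transport (for example with SSL) rather than relying on field visibility.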
