View Source

            "An inner class is a nested class that is not explicitly or implicitly declared static" \[[JLS 2005|AA. References#JLS 05]\]. Serialization of inner classes (including local and anonymous classes) is error prone. According to the Serialization Specification \[[Sun 2006|AA. References#Sun 06]\]:

Serializing an inner class declared in a non-static context that contains implicit non-transient references to enclosing class instances results in serialization of its associated outer class instance.

Synthetic fields generated by Java compilers to implement inner classes are implementation dependent and may vary between compilers; differences in such fields can disrupt compatibility as well as result in conflicting default serialVersionUID values. The names assigned to local and anonymous inner classes are also implementation dependent and may differ between compilers.

Because inner classes cannot declare static members other than compile-time constant fields, they cannot use the serialPersistentFields mechanism to designate serializable fields.

Because inner classes associated with outer instances do not have zero-argument constructors (constructors of such inner classes implicitly accept the enclosing instance as a prepended parameter), they cannot implement Externalizable. The Externalizable interface requires the implementing object to manually save and restore its state using the writeExternal() and readExternal() methods.

Consequently, programs must not serialize inner classes.

Because none of these issues apply to static member classes, serialization of static member classes is permitted.

Noncompliant Code Example

In this noncompliant code example, the fields contained within the outer class are serialized when the inner class is serialized.

public class OuterSer implements Serializable {
  private int rank;
  class InnerSer implements Serializable {
    protected String name;
    //...
  }
}

Compliant Solution

The InnerSer class of this compliant solution deliberately fails to implement the Serializable interface.

public class OuterSer implements Serializable {
  private int rank;
  class InnerSer {
    protected String name;
    //...
  }
}

Compliant Solution

The inner class may be declared static to prevent its serialization. A static inner class may also implement Serializable.

public class OuterSer implements Serializable {
  private int rank;
  static class InnerSer implements Serializable {
    protected String name;
    //...
  }
}

Risk Assessment

Serialization of inner classes can introduce platform dependencies and can cause serialization of instances of the outer class.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
SER05-J	medium	likely	medium	P12	L1

Automated Detection

Detection of inner classes that implement serialization is straightforward.

Related Guidelines

MITRE CWE

CWE-499, "Serializable Class Containing Sensitive Data"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1df8edd4-1ebd-4f6c-96a9-9bead2344d9d"><ac:plain-text-body><![CDATA[	[[API 2006	AA. References#API 06]]		]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="11586ee4-5174-4ce8-951b-4f9578924c3d"><ac:plain-text-body><![CDATA[	[[Bloch 2008	AA. References#Bloch 08]]	Item 74: "Implement serialization judiciously"	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ffa78638-dfdc-437d-ae65-d9f6d97ade33"><ac:plain-text-body><![CDATA[	[[JLS 2005	AA. References#JLS 05]]	[Section 8.1.3, Inner Classes and Enclosing Instances	http://java.sun.com/docs/books/jls/third_edition/html/classes.html]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ce8becaa-78ea-4425-8e21-91b1ae6882cb"><ac:plain-text-body><![CDATA[	[[Sun 2006	AA. References#Sun 06]]	"Serialization specification"	]]></ac:plain-text-body></ac:structured-macro>

13. Serialization (SER)