Java Serialization
19
Serialization in Java Critical for Java network abilities
description
Simple introduction to the core concepts of serialization in Java and how to add serialization to any Java class
Transcript of Java Serialization
Serialization in JavaSerialization in Java
Critical for Java network abilities
Jeslie Chermak ([email protected])
Critical for Java network abilities
Jeslie Chermak ([email protected])
What is “serialization”?What is “serialization”?• Serialization is the (reversible) encoding
of objects, and the objects reachable in them, into a stream of bytes. It is by no means unique to Java: http://en.wikipedia.org/wiki/Serialization
• This talk is based on information from http://download.oracle.com/javase/tutorial/essential/io/objectstreams.html
• Serialization is the (reversible) encoding of objects, and the objects reachable in them, into a stream of bytes. It is by no means unique to Java: http://en.wikipedia.org/wiki/Serialization
• This talk is based on information from http://download.oracle.com/javase/tutorial/essential/io/objectstreams.html
Why Should I Use It?Why Should I Use It?• BASIS FOR ALL PERSISTENCE IN
JAVA!
• Simple to add to most classes.• Allows for easy extension.• Handles versioning.
• BASIS FOR ALL PERSISTENCE IN JAVA!
• Simple to add to most classes.• Allows for easy extension.• Handles versioning.
Simple ClassSimple Class
• Create a new class in package com.jcc.training.generics
• Class will implement a traditional “stack” containing Integers
• Only methods are push, pop, top• Allow NULLs in stack
• Create a new class in package com.jcc.training.generics
• Class will implement a traditional “stack” containing Integers
• Only methods are push, pop, top• Allow NULLs in stack
Java 1.4 ImplementationJava 1.4 Implementationpackage com.jcc.training.generics;
import java.util.ArrayList;import java.util.List;
public class Stack { private final List stack = new ArrayList(); public void push(final Integer value) { this.stack.add(value); // NULL
allowed! } public Integer top() { if (this.stack.isEmpty()) throw new IllegalStateException(); return (Integer) this.stack.get(this.stack.size() - 1); } public Integer pop() { final Integer value = this.top(); this.stack.remove(this.stack.size() - 1); return value; }}
package com.jcc.training.generics;
import java.util.ArrayList;import java.util.List;
public class Stack { private final List stack = new ArrayList(); public void push(final Integer value) { this.stack.add(value); // NULL
allowed! } public Integer top() { if (this.stack.isEmpty()) throw new IllegalStateException(); return (Integer) this.stack.get(this.stack.size() - 1); } public Integer pop() { final Integer value = this.top(); this.stack.remove(this.stack.size() - 1); return value; }}
WIBNIFWIBNIF
• Problem: How do we make this class serializable?
• Solution: Use a special “marker” interface -- Serializable
• Problem: How do we make this class serializable?
• Solution: Use a special “marker” interface -- Serializable
Java 1.4 ImplementationJava 1.4 Implementationpackage com.jcc.training.generics;
import java.util.ArrayList;import java.util.List;
public class Stack implements java.io.Serializable { // marker interface private final List stack = new ArrayList(); public void push(final Integer value) { this.stack.add(value); // NULL
allowed! } public Integer top() { if (this.stack.isEmpty()) throw new IllegalStateException(); return (Integer) this.stack.get(this.stack.size() - 1); } public Integer pop() { final Integer value = this.top(); this.stack.remove(this.stack.size() - 1); return value; }}
package com.jcc.training.generics;
import java.util.ArrayList;import java.util.List;
public class Stack implements java.io.Serializable { // marker interface private final List stack = new ArrayList(); public void push(final Integer value) { this.stack.add(value); // NULL
allowed! } public Integer top() { if (this.stack.isEmpty()) throw new IllegalStateException(); return (Integer) this.stack.get(this.stack.size() - 1); } public Integer pop() { final Integer value = this.top(); this.stack.remove(this.stack.size() - 1); return value; }}
WIBNIFWIBNIF
• Problem: Java has evolved since 1.4
• Solution: Serialization has been present since initial public release (1.0.2) -- it is a core feature of the language implementation
• Problem: Java has evolved since 1.4
• Solution: Serialization has been present since initial public release (1.0.2) -- it is a core feature of the language implementation
Java 5 with GenericsJava 5 with Genericspackage com.jcc.training.generics;
import java.io.Serializable; // missing earlierimport java.util.ArrayList;import java.util.List;
public class Stack implements Serializable { // marker interface private final List<Integer> stack = new ArrayList<Integer>(); // field typed! public void push(final Integer value) { this.stack.add(value); // NULL allowed! } public Integer top() { if (this.stack.isEmpty()) throw new IllegalStateException(); return this.stack.get(this.stack.size() - 1); // no cast! } public Integer pop() { final int value = this.top(); // OOPS! this.stack.remove(this.stack.size() - 1); return value; }}
package com.jcc.training.generics;
import java.io.Serializable; // missing earlierimport java.util.ArrayList;import java.util.List;
public class Stack implements Serializable { // marker interface private final List<Integer> stack = new ArrayList<Integer>(); // field typed! public void push(final Integer value) { this.stack.add(value); // NULL allowed! } public Integer top() { if (this.stack.isEmpty()) throw new IllegalStateException(); return this.stack.get(this.stack.size() - 1); // no cast! } public Integer pop() { final int value = this.top(); // OOPS! this.stack.remove(this.stack.size() - 1); return value; }}
WIBNIFWIBNIF
• Problem: classes evolve over time
• Solution: introduce a version UID to capture “real” changes
• Problem: classes evolve over time
• Solution: introduce a version UID to capture “real” changes
Improved and VersionedImproved and Versionedpackage com.jcc.training.generics;
import java.util.ArrayList;import java.util.List;
public class Stack<E> implements java.io.Serializable { // class typed!private static final long serialVersionUID = 1L; // we specified private final List<E> stack = new ArrayList<E>(); // typed by class public void push(final E value) { // typed by class
this.stack.add(value); // NULL allowed! } public E top() { // typed by class if (this.stack.isEmpty()) throw new IllegalStateException(); return this.stack.get(this.stack.size() - 1); } public E pop() { // typed by class final E value = this.top(); // typed by class this.stack.remove(this.stack.size() - 1); return value; }}
package com.jcc.training.generics;
import java.util.ArrayList;import java.util.List;
public class Stack<E> implements java.io.Serializable { // class typed!private static final long serialVersionUID = 1L; // we specified private final List<E> stack = new ArrayList<E>(); // typed by class public void push(final E value) { // typed by class
this.stack.add(value); // NULL allowed! } public E top() { // typed by class if (this.stack.isEmpty()) throw new IllegalStateException(); return this.stack.get(this.stack.size() - 1); } public E pop() { // typed by class final E value = this.top(); // typed by class this.stack.remove(this.stack.size() - 1); return value; }}
WIBNIFWIBNIF
• Problem: some code lacks the UID
• Solution: define default UID to match that normally built in a class -- serialver program
• Problem: some code lacks the UID
• Solution: define default UID to match that normally built in a class -- serialver program
Good NewsGood News
• Most (all?) IDEs provide a serialver hook
• Writing simple objects is easy• Reading objects is comparable
• Most (all?) IDEs provide a serialver hook
• Writing simple objects is easy• Reading objects is comparable
Object I/OObject I/O
• Writing:public void writeIt(OutputStream os, Foo foo) {
ObjectOutputStream oos = new ObjectOutputStream(os);oos.writeObject(foo);
oos.close();}
• Reading:public Foo readIt(InputStream is) {
ObjectInputStream ois = new ObjectInputStream(is);Foo foo = (Foo) ois.readObject();
ois.close();return foo;
}
• Writing:public void writeIt(OutputStream os, Foo foo) {
ObjectOutputStream oos = new ObjectOutputStream(os);oos.writeObject(foo);
oos.close();}
• Reading:public Foo readIt(InputStream is) {
ObjectInputStream ois = new ObjectInputStream(is);Foo foo = (Foo) ois.readObject();
ois.close();return foo;
}
WIBNIFWIBNIF
• Problem: not every field should be serialized
• Solution: transient fields• Problem: static fields are the
same for each object instance• Solution: they are not written by
default
• Problem: not every field should be serialized
• Solution: transient fields• Problem: static fields are the
same for each object instance• Solution: they are not written by
default
Bad NewsBad News
• Default readObject() and writeObject() methods may not properly handle objects with transient and/or static fields
• Default readObject() and writeObject() methods may not properly handle objects with transient and/or static fields
Good NewsGood News
• Object.readObject() and Object.writeObject() methods (used in default handling) are overloadable: private void readObject(ObjectInputStream)
throws IOException, ClassNotFoundException;private void writeObject(ObjectOutputStream)
throws IOException;
• Object.readObject() and Object.writeObject() methods (used in default handling) are overloadable: private void readObject(ObjectInputStream)
throws IOException, ClassNotFoundException;private void writeObject(ObjectOutputStream)
throws IOException;
Better NewsBetter News
• When default handling is insufficient, use the Externalizable interface instead of Serializable and implement readExternal() and writeExternal() -- a lot more work for total control of serialization
• When default handling is insufficient, use the Externalizable interface instead of Serializable and implement readExternal() and writeExternal() -- a lot more work for total control of serialization
Going Further …Going Further …
• Java tutorials: http://download.oracle.com/javase/tutorial/index.html
• Serialization in depth w/examples: http://download.oracle.com/javase/7/docs/technotes/guides/serialization/index.html
• Object streams: http://download.oracle.com/javase/tutorial/essential/io/objectstreams.html
• Google “java serialization”
• Java tutorials: http://download.oracle.com/javase/tutorial/index.html
• Serialization in depth w/examples: http://download.oracle.com/javase/7/docs/technotes/guides/serialization/index.html
• Object streams: http://download.oracle.com/javase/tutorial/essential/io/objectstreams.html
• Google “java serialization”
![[papers] Deserialization Vulnerability - exploit-db.com · 7 | P a g e Deserialization vulnerability in Java: Java provides serialization where object represented as sequence of bytes,](https://static.fdocuments.in/doc/165x107/5b6e19167f8b9a0d578dd27e/papers-deserialization-vulnerability-exploit-dbcom-7-p-a-g-e-deserialization.jpg)
