Have you ever seen what is inside a serialized object? I will explain you what is java serialization, then provide you with a sample for serialization. Finally most importantly, lets explore what is inside a serialized object and what it means. That is internals of java serialization and how does it works. If you want to have your own implementation of java serialization, this article will provide you with a good platform to launch.
What is Java Serialization?
Primary purpose of java serialization is to write an object into a stream, so that it can be transported through a network and that object can be rebuilt again. When there are two different parties involved, you need a protocol to rebuild the exact same object again. Java serialization API just provides you that. Other ways you can leverage the feature of serialization is, you can use it to perform a
deep copy.
Why I used ‘primary purpose’ in the above definition is, sometimes people use java serialization as a replacement for database. Just a placeholder where you can persist an object across sessions. This is not the primary purpose of java serialization. Sometimes, when I interview candidates for Java I hear them saying java serialization is used for storing (to preserve the state) an object and retrieving it. They use it synonymously with database. This is a wrong perception for serialization.
How do you serialize?
When you want to serialize an object, that respective class should implement the
marker interface serializable. It just informs the compiler that this java class can be serialized. You can tag properties that should not be serialized as transient. You open a stream and write the object into it. Java API takes care of the serialization protocol and persists the java object in a file in conformance with the protocol. De-serialization is the process of getting the object back from the file to its original form.
Here protocol means, understanding between serializing person and de-serializing person. What will be the contents of file containing the serialized object? This serves as a guideline to de-serialize. Have a look at the following sample and how its serialized file looks.
Sample Source Code for Java Serialization
package com.javapapers.sample; |
import java.io.FileInputStream; |
import java.io.FileNotFoundException; |
import java.io.FileOutputStream; |
import java.io.IOException; |
import java.io.ObjectInputStream; |
import java.io.ObjectOutputStream; |
import java.io.Serializable; |
class SerializationBox implements Serializable { |
private byte serializableProp = 10 ; |
public byte getSerializableProp() { |
public class SerializationSample { |
public static void main(String args[]) throws IOException, |
FileNotFoundException, ClassNotFoundException { |
SerializationBox serialB = new SerializationBox(); |
serialize( "serial.out" , serialB); |
SerializationBox sb = (SerializationBox) deSerialize( "serial.out" ); |
System.out.println(sb.getSerializableProp()); |
public static void serialize(String outFile, Object serializableObject) |
FileOutputStream fos = new FileOutputStream(outFile); |
ObjectOutputStream oos = new ObjectOutputStream(fos); |
oos.writeObject(serializableObject); |
public static Object deSerialize(String serilizedObject) |
throws FileNotFoundException, IOException, ClassNotFoundException { |
FileInputStream fis = new FileInputStream(serilizedObject); |
ObjectInputStream ois = new ObjectInputStream(fis); |
Exploring Java Serialization
Look at following image. After serializing ‘SerializationBox’ in the above sample code, I opened the output in a hex editor. You can use Notepad++ and
hex plugin to open the serialized file.
Let us look at contents byte by byte and find out what they are. It starts with “ac ed”. It is is called STREAM_MAGIC. It is a magic number (java API guys says) that is written to the stream header. It denotes
that is start of serialzed content.
Similarly every character has a meaning. Actually the serialized file is more bulkier than you would expect, as it has a huge header the meta information of the classes involved and finally the content.
Object Serialization Stream Protocol have a look at chapter 6.4.2 Terminal Symbols and Constants. It gives you list of symbols and constants used in serialization.
Decrypting Serialized Java Object
In the image, I have underline a unit of information in a separate color for you to easily identify.
ac ed – STREAM_MAGIC – denotes start of serialzed content
00 05 – STREAM_VERSION – serialization version
73 – TC_OBJECT – new Object
72 – TC_CLASSDESC – new Class Descriptor
00 26 – length of the class name
63 6f 6d 2e 6a 61 76 61 70 61 70 65 72 73 2e 73 61 6d 70 6c 65 2e 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 42 6f 78 – class name
57 fc 83 ca 02 85 f0 18 – SerialVersionUID
02 – this object is serializable
00 01 – count of properties in the serialzed class – one property in our example
42 00 10 – private byte
73 65 72 69 61 6c 69 7a 61 62 6c 65 50 72 6f 70 78 70 – property name – serializableProp in our example
0a – 10 the value – This is the persisted value of the property in our sample.
No comments:
Post a Comment