Design Document of Serialization and De-serialization
Revision
History
Version
|
Description
|
Author
|
|
07-10-2016
|
0.1
|
Serialization
and De-serialization
|
Kartik
Chandra Mandal
|
Table
of Contents
2.
Introduction
- The process of an
Object from Simple Java supported from to File supported form or
network supported form call Serialization
- The
process of a File supported form or network supported form to Object
supported from call De-Serialization from Simple Java
2.1.
Purpose
·
Big Balloon Carry from one place to another place is a good
example of Serilization and deserilization
·
Same things pass one java
supported form to File supported form
2.2.
Scope, Approach and Methods
2.2.1.
What is the process of
Serilization?
·
File
Output Stream
·
Object Output Stream
·
Object Output stream one method
writeObjet( pass the object);
2.2.1.1. How to do Serilization process?
Class Login
implements serializable{
int
userId=10;
int
userPassword=20;
}
Class
SerilizationDemo extend Login{
Public static
void main(String …args){
Login
login=new Login();
FileOutPutStream
fos=new FileOutPutStream(“abc.ser”);
ObjectOutPutStream
oos=new ObjectOutPutStream(fos);
Oos.writeObject(login);
}
}
|
2.2.1.2. Important Rules?
Ø If
Login class not implements serializable then this is compile properly but run
time got exception like Exception in thread “main”
java.io.notSerializableException: Login
Ø If
Login class is implements serializable then this is compile and run properly
Ø If
Login class any variable is transient modifier used then what happen?
Class Login implements serializable{
int userId=10;
transient int userPassword=20;
}
Then JVM will take care and not save exact
value, but save the default value in file
Transient means not serialize.
|
Ø Static
with transient vs Serialization
Class Login implements serializable{
int userId=10;
transient static int userPassword=20;
}
Then Static variable is not a part of object
level. It is the part of class level. But serialization is the part of object
level. So when class is loaded that time static variable object reference
creates and you can use in other place. But object level you can use with out
de serialization. So static variable is not part of serialization so if use
static with transient then it is not impact at all.
|
Ø Final
with transient vs Serialization
Class Login implements serializable{
transient final int userId=10;
int userPassword=20;
}
In serialization every final variable directly
participate by value. So final variable you can’t change the data. So if we
use final variable with transient modifier then this is not impact to final
variable because final variable directly participate to serialization.
|
Ø Enhance with Eample
Declare
|
Output
|
Int userId =10;
Int userPassword=20;
|
10…. 20
|
Transient Int userId =10;
Int userPassword=20;
|
0.….20
|
Transient static Int userId =10;
Int userPassword=20;
|
10……20
|
Transient final Int userId =10;
Int userPassword=20;
|
10 ……20
|
Static Int userId =10;
Int userPassword=20;
|
10 ……20
|
Final Int userId =10;
Int userPassword=20;
|
10……20
|
Ø If
we don’t know the sequence object then what process we flow?
Then we use to
read object by using
Object o =ois.readObject();
If(O instance
Class){
}
2.2.1.3. Customized Serilization process?
Ø Why
you will do the customized serialization?
To recover the loss of information using transient
key word then we go to customized serialization
Ø How to create customized serialization?
o Private
void writeObject(ObjectOutputStream oos) throws Exception
o Private
void readObject(ObjectInputStream ins) throws Exception
So this two
method is callback Which will take care by JVM
Ø Example of Cutomized
Serilization?
Class Login implements serializable{
int userId=10;
transient int userPassword=20;
private void writeObject(ObjectOutputStream oos)
throws Exception{
oos.defaultWriteObject(); //means for default
serialization
String
newUserPassword=encryptedPassword(userPassword);
oos.writeObject(newUserPassword);
}
private void readObject(ObjectOutputStream ois)
throws Exception{
ois.defaultReadObject();//means for default
De-serilization
String newUserPassword=(String)ois.readObject();
userPassword=decryptedPassword(userPassword);
}
Private String encryptedPassword(String pass){
pass=pass+”Kartik”;
return pass;
}
Private String decryptedPassword (String pass){
return =pass.substring(0,
pass.length()-6);
}
}
Class SerilizationDemo extend Login{
Public static void main(String …args){
Login login=new Login();
FileOutPutStream fos=new
FileOutPutStream(“abc.ser”);
ObjectOutPutStream oos=new
ObjectOutPutStream(fos);
oos.writeObject(login);
FileInputStream fis=new
FileInputStream(“abc.ser”);
ObjectInputStream ois=new ObjectInputStream(fis);
Login d2=(Login)ois.readObject();
}
}
|
2.2.1.4. De-Serilization Understanding?
Ø What
is the process of De-Serialization?
o File
Input Stream
o Object
Input Stream
o Object
input stream one method readObjet();
Ø Example
of De-Serilization?
Class Login implements serializable{
int userId=10;
int userPassword=20;
}
Class DeSerilizationDemo extend Login{
Public static void main(String …args) throws
throwable{
Login d=new Login();
FileInputStream fis=new
FileInputStream(“abc.ser”);
ObjectInputStream ois=new ObjectInputStream(fis);
Login d2=(Login)ois.readObject();
}
}
|
2.2.1.5. Inheritance with serilization Understanding?
Ø If
Parent class is serializable but Child is not serialization then what happen?
Then program is
execute properly because parent is serializable so every child by default
serializable.
Ø If
Parent class is not serializable but Child class is serializable then what
happen?
o Parent
class is not Serializable. If any instance variable inheriting from non
serializable area then JVM ignore original value and put the default
value
o in
deserialization time you got instance –control flow:
§ identified
of instance variable which is non serializable
§ Execution
of non serializable instance variable assignment to de-seriazable
§ Execution
of no argument constructor
§ If
run time no argument constructor is not found then got one exception like
InvalidClassCustException
§ Example
Class Animal{
Int i=10;
Animal(){
Syso(“Animal Constructor called”);
}
}
Class Dog extends Animal implements seriazable{
Int j=10;
Public static void main(String …args){
Dog d=new Dog();
d.i=200;
d.j=400
FileOutPutStream fos=new
FileOutPutStream(“abc.ser”);
ObjectOutPutStream oos=new
ObjectOutPutStream(fos);
Oos.writeObject(d);
FileInputStream fis=new
FileInputStream(“abc.ser”);
ObjectInputStream ois=new ObjectInputStream(fis);
Dog d2=(Dog)ois.readObject();
}
}
Out put Step:
i=10,j=10, Ã after assign
i=200,j=400--Ã after
serialization i=0, j=400Ã after
de-serilization à i=10,
j=400
|
2.2.2.
What is the process of Externalization?
Ø If
you save total object to a file then call to Serilization and if you need part
of the object to a file then call Externilization
Ø Serilization
will take care by JVM but Externilization will take care by Programmer
Ø Performance
wise Externilization is better then Serilization
Ø Externalization
there should be must have no-arguments constructor but in serilization it is
not requird
Ø So
when we call Deserilization then JVM call to no-argument constructor
after then call to De-serilization methods
Ø Tresient
key word not play the role in Externilization
2.2.2.1. How to do Externilization process?
Ø Example of Externilization
class Result implements Externilization{
String name;
int roleNo;
int marks
public result(){}
public result(String name,int roleNo,int marks){
this.name=name;this.roleNo=roleNo;this.marks=marks;}
Public void writeExternal(ObjectOutput out)
throws IOE {
out.setObject(this.name);
out.setInt(this.marks);
}
Public void readExternal(ObjectInput in) throws
IOE,ClassNotFound {
name=(String)in.readObject();
marks=in.readInt();
}
}
After than do
as it is same of Seilization and deserilization process like
Class SerilizationDemo extend Login{
Public static void main(String …args){
Result login=new Result ();
FileOutPutStream fos=new
FileOutPutStream(“abc.ser”);
ObjectOutPutStream oos=new
ObjectOutPutStream(fos);
Oos.writeObject(login);
FileInputStream fis=new
FileInputStream(“abc.ser”);
ObjectInputStream ois=new ObjectInputStream(fis);
Result d2=( Result)ois.readObject();
}
}
|
Ø Difference between
Serilization and Externalization
Serialization
|
Externalization
|
|
|
2.2.3.
Understand of
SerilizationVersionUid?
Ø What
is SerilizationVersionUid?
o when
we used serialization any place then so highly recommended to add
SerilizationVersionUid to overcome of many issue.
o When
sender send an object data to receiver. Then first create serialization of that
object and save to a file.
o Now
receiver read this object by using De-serialization and convert file to object.
Ø Example
Sender
|
Object à File
|
If any modification of .class file in receiver side or jvm
|
File à Object
|
receiver
|
Object A
Object B
Object C
Object d with default serilize version id
|
Proper save
Proper save
Proper save
Proper save
|
No
Yes (modification)
Yes (JVM)
no issue if you changes jvm or .class file by default class will
matching by Serilal Version Uid
|
No issue
Issue InvalidClassException
May be/May not be
No issue
|
Correct data
Fail
Unambiguous answer
Correct data with default serilize version id
|
| Example 1 Serialization And De-Serialization : |
 |
I am Kartik Chandra Mandal from Bangalore, India. Working as software engineer in Java technology. Have good knowledge of OWASP and CSRF in security for applications and it's implementation in Java technology.