Java Serialization – Compatible and Incompatible Changes

Java serialization enables writing Java objects to the file systems for permanent storage or on the network to transfer to other applications. Serialization in Java is achieved with Serializable interface. Java Serializable interface guarantees the ability to serialize the objects. This interface recommends we use serialVersionUID also.

Now, even if you use both in the application classes, do you know what can break your design even now?? Let us identify the future changes in the class which will be compatible changes and others that will prove incompatible changes.

1. Incompatible Changes

Incompatible changes to classes are those changes for which the guarantee of interoperability cannot be maintained. The incompatible changes that may occur while evolving a class are given below (considering default serialization or deserialization):

  • Deleting fields – If a field is deleted in a class, the stream written will not contain its value. When the stream is read by an earlier class, the value of the field will be set to the default value because no value is available in the stream. However, this default value may adversely impair the ability of the earlier version to fulfill its contract.
  • Moving classes up or down the hierarchy – This cannot be allowed since the data in the stream appears in the wrong sequence.
  • Changing a non-static field to static or a non-transient field to transient – When relying on default serialization, this change is equivalent to deleting a field from the class. This version of the class will not write that data to the stream, so it will not be available to be read by earlier versions of the class. As when deleting a field, the field of the earlier version will be initialized to the default value, which can cause the class to fail in unexpected ways.
  • Changing the declared type of a primitive field – Each version of the class writes the data with its declared type. Earlier versions of the class attempting to read the field will fail because the type of the data in the stream does not match the type of the field.
  • Changing the writeObject or readObject method so that it no longer writes or reads the default field data or changing it so that it attempts to write it or read it when the previous version did not. The default field data must consistently either appear or not appear in the stream.
  • Changing a class from Serializable to Externalizable or vice-versa is an incompatible change since the stream will contain data that is incompatible with the implementation of the available class.
  • Changing a class from a non-enum type to an enum type or vice versa since the stream will contain data that is incompatible with the implementation of the available class.
  • Removing either Serializable or Externalizable is an incompatible change since when written it will no longer supply the fields needed by older versions of the class.
  • Adding the writeReplace or readResolve method to a class is incompatible if the behavior would produce an object that is incompatible with any older version of the class.

2. Compatible Changes

  • Adding fields – When the class being reconstituted has a field that does not occur in the stream, that field in the object will be initialized to the default value for its type. If class-specific initialization is needed, the class may provide a readObject() method to initialize the field to non-default values.
  • Adding classes – The stream will contain the type hierarchy of each object in the stream. Comparing this hierarchy in the stream with the current class can detect additional classes. Since there is no information in the stream from which to initialize the object, the class’s fields will be initialized to the default values.
  • Removing classes – Comparing the class hierarchy in the stream with that of the current class can detect that a class has been deleted. In this case, the fields and objects corresponding to that class are read from the stream. Primitive fields are discarded, but the objects referenced by the deleted class are created, since they may be referred to later in the stream. They will be garbage-collected when the stream is garbage-collected or reset.
  • Adding writeObject/readObject methods – If the version reading the stream has these methods then readObject is expected, as usual, to read the required data written to the stream by the default serialization. It should call defaultReadObject first before reading any optional data. The writeObject method is expected as usual to call defaultWriteObject to write the required data and then may write optional data.
  • Removing writeObject/readObject methods – If the class reading the stream does not have these methods, the required data will be read by default serialization, and the optional data will be discarded.
  • Adding java.io.Serializable – This is equivalent to adding types. There will be no values in the stream for this class so its fields will be initialized to default values. The support for subclassing non-serializable classes requires that the class’s super type have a no-arg constructor and the class itself will be initialized to default values. If the no-arg constructor is not available, the InvalidClassException is thrown.
  • Changing the access to a field – The access modifiers public, package, protected, and private have no effect on the ability of serialization to assign values to the fields.
  • Changing a field from static to non-static or transient to non-transient – When relying on default serialization to compute the serializable fields, this change is equivalent to adding a field to the class. The new field will be written to the stream but earlier classes will ignore the value since serialization will not assign values to static or transient fields.

3. SerialVersionUID

The serialVersionUID is a universal version identifier for a Serializable class. Deserialization uses this number to ensure that a loaded class corresponds exactly to a serialized object. If no match is found, then an InvalidClassException is thrown.

  • Always include it as a field, for example: “private static final long serialVersionUID = 7526472295622776147L; ” include this field even in the first version of the class, as a reminder of its importance.
  • Do not change the value of this field in future versions, unless you are knowingly making changes to the class which will render it incompatible with old serialized objects. If needed, follow the above given guidelines.

4. The readObject() and writeObject() Methods

  • Deserialization must be treated as any constructor: validate the object state at the end of deserializing – this implies that readObject() should almost always be implemented in Serializable classes, such that this validation is performed.
  • If constructors make defensive copies for mutable object fields, so must readObject().

5. Best Practices

  • Use javadoc’s @serial tag to denote Serializable fields.
  • The .ser extension is conventionally used for files representing serialized objects.
  • No static or transient fields undergo default serialization.
  • Extendable classes should not be Serializable, unless necessary.
  • Inner classes should rarely if ever, implement Serializable.
  • Container classes should usually follow the style of Hashtable, which implements Serializable by storing keys and values, as opposed to a large hash table data structure.

6. Sample Implementation

import java.io.Serializable;
import java.text.StringCharacterIterator;
import java.util.*;
import java.io.*;

public final class UserDetails implements Serializable {

/**
* This constructor requires all fields
*
* @param aFirstName
* contains only letters, spaces, and apostrophes.
* @param aLastName
* contains only letters, spaces, and apostrophes.
* @param aAccountNumber
* is non-negative.
* @param aDateOpened
* has a non-negative number of milliseconds.
*/
public UserDetails(String aFirstName, String aLastName, int aAccountNumber,
						Date aDateOpened)
{
  super();
  setFirstName(aFirstName);
  setLastName(aLastName);
  setAccountNumber(aAccountNumber);
  setDateOpened(aDateOpened);
  // there is no need here to call verifyUserDetails.
}

// The default constructor
public UserDetails() {
  this("FirstName", "LastName", 0, new Date(System.currentTimeMillis()));
}

public final String getFirstName() {
  return fFirstName;
}

public final String getLastName() {
  return fLastName;
}

public final int getAccountNumber() {
  return fAccountNumber;
}

/**
* Returns a defensive copy of the field so that no one can change this
* field.
*/
public final Date getDateOpened() {
  return new Date(fDateOpened.getTime());
}

/**
* Names must contain only letters, spaces, and apostrophes. Validate before
* setting field to new value.
*
* @throws IllegalArgumentException
* if the new value is not acceptable.
*/
public final void setFirstName(String aNewFirstName) {
  verifyNameProperty(aNewFirstName);
  fFirstName = aNewFirstName;
}

/**
* Names must contain only letters, spaces, and apostrophes. Validate before
* setting field to new value.
*
* @throws IllegalArgumentException
* if the new value is not acceptable.
*/
public final void setLastName(String aNewLastName) {
  verifyNameProperty(aNewLastName);
  fLastName = aNewLastName;
}

/**
* Validate before setting field to new value.
*
* @throws IllegalArgumentException
* if the new value is not acceptable.
*/
public final void setAccountNumber(int aNewAccountNumber) {
  validateAccountNumber(aNewAccountNumber);
  fAccountNumber = aNewAccountNumber;
}

public final void setDateOpened(Date aNewDate) {
  // make a defensive copy of the mutable date object
  Date newDate = new Date(aNewDate.getTime());
  validateAccountOpenDate(newDate);
  fDateOpened = newDate;
}

/**
* The client's first name.
*
* @serial
*/
private String fFirstName;

/**
* The client's last name.
*
* @serial
*/
private String fLastName;

/**
* The client's account number.
*
* @serial
*/
private int fAccountNumber;

/**
* The date the account was opened.
*
* @serial
*/
private Date fDateOpened;

/**
* Determines if a de-serialized file is compatible with this class.
* Included here as a reminder of its importance.
*/
private static final long serialVersionUID = 7526471155622776147L;

/**
* Verify that all fields of this object take permissible values
*
* @throws IllegalArgumentException
* if any field takes an unpermitted value.
*/
private void verifyUserDetails() {
  validateAccountNumber(fAccountNumber);
  verifyNameProperty(fFirstName);
  verifyNameProperty(fLastName);
  validateAccountOpenDate(fDateOpened);
}

/**
* Ensure names contain only letters, spaces, and apostrophes.
*
* @throws IllegalArgumentException
* if field takes an unpermitted value.
*/
private void verifyNameProperty(String aName) {
boolean nameHasContent = (aName != null) && (!aName.equals(""));
  if (!nameHasContent) {
    throw new IllegalArgumentException(
    "Names must be non-null and non-empty.");
  }

StringCharacterIterator iterator = new StringCharacterIterator(aName);
char character = iterator.current();
  while (character != StringCharacterIterator.DONE) {
    boolean isValidChar = (Character.isLetter(character)
    || Character.isSpaceChar(character) || character == ''');
    if (isValidChar) {
      // do nothing
    } else {
      String message = "Names can contain only letters, spaces, and apostrophes.";
      throw new IllegalArgumentException(message);
    }
    character = iterator.next();
  }
}

/**
* AccountNumber must be non-negative.
*
* @throws IllegalArgumentException
* if field takes an unpermitted value.
*/
private void validateAccountNumber(int aAccountNumber) {
  if (aAccountNumber < 0) {
    String message = "Account Number must be greater than or equal to 0.";
    throw new IllegalArgumentException(message);
  }
}

/**
* DateOpened must be after 1970.
*
* @throws IllegalArgumentException
* if field takes an unpermitted value.
*/
private void validateAccountOpenDate(Date aDateOpened) {
  if (aDateOpened.getTime() < 0) {
    throw new IllegalArgumentException(
      "Date Opened must be after 1970.");
  }
}

/**
* Always treat deserialization as a full-blown constructor, by validating
* the final state of the de-serialized object.
*/
private void readObject(ObjectInputStream aInputStream)
throws ClassNotFoundException, IOException {
  // always perform the default deserialization first
  aInputStream.defaultReadObject();

  // make defensive copy of the mutable Date field
  fDateOpened = new Date(fDateOpened.getTime());

  // ensure that object state has not been corrupted or tampered with
  // malicious code
  verifyUserDetails();
}

/**
* This is the default implementation of writeObject. Customise if
* necessary.
*/
private void writeObject(ObjectOutputStream aOutputStream)
throws IOException {
  // perform the default serialization for all non-transient, non-static
  // fields
  aOutputStream.defaultWriteObject();
}
}

Let us see now how to do serialization and deserialization in Java.

7. Demo

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Calendar;
import java.util.Date;

public class TestUserDetails {

  public static void main(String[] args) {

    // Create new UserDetails object
    UserDetails myDetails = new UserDetails("Lokesh", "Gupta", 102825,
    new Date(Calendar.getInstance().getTimeInMillis()));

    // Serialization code
    try {
      FileOutputStream fileOut = new FileOutputStream("userDetails.ser");
      ObjectOutputStream out = new ObjectOutputStream(fileOut);
      out.writeObject(myDetails);
      out.close();
      fileOut.close();
    } catch (IOException i) {
      i.printStackTrace();
    }

    // deserialization code
    @SuppressWarnings("unused")
    UserDetails deserializedUserDetails = null;
    try {
      FileInputStream fileIn = new FileInputStream("userDetails.ser");
      ObjectInputStream in = new ObjectInputStream(fileIn);
      deserializedUserDetails = (UserDetails) in.readObject();
      in.close();
      fileIn.close();

      // verify the object state
      System.out.println(deserializedUserDetails.getFirstName());
      System.out.println(deserializedUserDetails.getLastName());
      System.out.println(deserializedUserDetails.getAccountNumber());
      System.out.println(deserializedUserDetails.getDateOpened());
    } catch (IOException ioe) {
      ioe.printStackTrace();
    } catch (ClassNotFoundException cnfe) {
      cnfe.printStackTrace();
    }
  }
}

The program output:

Lokesh
Gupta
102825
Wed Nov 21 15:06:34 GMT+05:30 2012

Happy Learning !!

References: http://docs.oracle.com/javase/7/docs/platform/serialization/spec/serialTOC.html

Comments

Subscribe
Notify of
guest
16 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments

About Us

HowToDoInJava provides tutorials and how-to guides on Java and related technologies.

It also shares the best practices, algorithms & solutions and frequently asked interview questions.

Our Blogs

REST API Tutorial

Dark Mode

Dark Mode