Java^TM Object Serialization Specification

Table of Contents

1 System Architecture

1.1 Overview

1.2 Writing to an Object Stream

1.3 Reading from an Object Stream

1.4 Object Streams as Containers

1.5 Defining Serializable Fields for a Class

1.6 Documenting Serializable Fields and Data for a Class

1.7 Accessing Serializable Fields of a Class

1.8 The ObjectOutput Interface

1.9 The ObjectInput Interface

1.10 The Serializable Interface

1.11 The Externalizable Interface

1.12 Protecting Sensitive Information

2 Object Output Classes

2.1 The ObjectOutputStream Class

2.2 The ObjectOutputStream.PutField Class

2.3 The writeObject Method

2.4 The writeExternal Method

2.5 The writeReplace Method

2.6 The useProtocolVersion Method

3 Object Input Classes

3.1 The ObjectInputStream Class

3.2 The ObjectInputStream.GetField Class

3.3 The ObjectInputValidation Interface

3.4 The readObject Method

3.5 The readObjectNoData Method

3.6 The readExternal Method

3.7 The readResolve Method

4 Class Descriptors

4.1 The ObjectStreamClass Class

4.2 Dynamic Proxy Class Descriptors

4.3 Serialized Form

4.4 The ObjectStreamField Class

4.5 Inspecting Serializable Classes

4.6 Stream Unique Identifiers

5 Versioning of Serializable Objects

5.1 Overview

5.2 Goals

5.3 Assumptions

5.4 Who’s Responsible for Versioning of Streams

5.5 Compatible Java™ Type Evolution

5.6 Type Changes Affecting Serialization

6 Object Serialization Stream Protocol

6.1 Overview

6.2 Stream Elements

6.3 Stream Protocol Versions

6.4 Grammar for the Stream Format

A Security in Object Serialization

A.1 Overview

A.2 Design Goals

A.3 Security Issues

A.4 Preventing Serialization of Sensitive Data

A.5 Writing Class-Specific Serializing Methods

A.6 Guarding Unshared Deserialized Objects

A.7 Preventing Overwriting of Externalizable Objects

A.8 Encrypting a Bytestream

B Exceptions In Object Serialization

C Example of Serializable Fields

C.1 Example Alternate Implementation of java.io.File