Tuesday, 23 October 2012

Java Serialization

Today java users implements Serializable many time even I too do the same but there are very few peoples who knows what actual is serialization in JAVA and what is inside a serialized object?
So lets explore what is inside a serialized object and what it means.

Wrong perception:: Java serialization is used for storing (to preserve the state) an object and retrieving it.

In actual java serialization is to write an object into a stream, so that it can be transported over the network and rebuilt object on the other side. When there are two different parties involved, you need a protocol to rebuild the exact same object again. Java serialization API just provides you that. Other ways you can leverage the feature of serialization is, you can use it to perform a deep copy.

How do you serialize?
To serialize an object, that class should implement the serializable(marker interface). It just informs the compiler that this java class can be serialized. You can tag properties that should not be serialized as transient. You open a stream and write the object into it. Java API takes care of the serialization protocol and persists the java object in a file in conformance with the protocol. De-serialization is the process of getting the object back from the file to its original form.
Here protocol means, understanding between serializing person and de-serializing person. What will be the contents of file containing the serialized object? This serves as a guideline to de-serialize. Have a look at the following sample and how its serialized file looks.

Sample Source Code

Serialized Object Content
Look at following image. After serializing ‘SerializationBox’ in the above sample code, I opened the output in a hex editor. You can use Notepad++ and hex plugin to open the serialized file.
Let us look at contents byte by byte and find out what they are. It starts with “ac ed”. It is is called STREAM_MAGIC. It is a magic number (java API guys says) that is written to the stream header. It denotes that is start of serialzed content.

Similarly every character has a meaning. Actually the serialized file is more bulkier than you would expect, as it has a huge header the meta information of the classes involved and finally the content. Object Serialization Stream Protocol have a look at chapter 6.4.2 Terminal Symbols and Constants. It gives you list of symbols and constants used in serialization.

Decrypting Serialized Java Object
In the image, I have underline a unit of information in a separate color for you to easily identify.
ac ed – STREAMMAGIC – denotes start of serialzed content
00 05 – STREAM
VERSION – serialization version
73 – TCOBJECT – new Object
72 – TC
CLASSDESC – new Class Descriptor
00 26 – length of the class name
63 6f 6d 2e 6a 61 76 61 70 61 70 65 72 73 2e 73 61 6d 70 6c 65 2e 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 42 6f 78 – class name
57 fc 83 ca 02 85 f0 18 – SerialVersionUID
02 – this object is serializable
00 01 – count of properties in the serialzed class – one property in our example
42 00 10 – private byte
73 65 72 69 61 6c 69 7a 61 62 6c 65 50 72 6f 70 78 70 – property name – serializableProp in our example
0a – 10 the value – This is the persisted value of the property in our sample.

Help4J - Jar Search Engine. Easiest way to find jar and its source.

profile for Ashish Aggarwal on Stack Exchange, a network of free, community-driven Q&A sites

1 comment:

  1. Hi Ashish Aggarwal
    Thanks for the Post !
    i just thought to make this code more ease by including
    import java.io.*;
    // rather importing library individually
    take for public access specifier keyword from SerializationSample class so the code compile well . just like this

    import java.io.*;

    class SerilizationBox implements Serializable {

    private static final long serializeVersionUID= -8737694337090054613L;
    private final byte serializableProp = 10;

    public byte getSerializableProp(){
    return serializableProp;

    class SerializationSample{
    public static void main (final String args [] )throws IOException,FileNotFoundException,ClassNotFoundException{

    SerilizationBox serilizationBox = new SerilizationBox ();
    SerilizationBox sb = (SerilizationBox)deSerialize("serial.out");

    public static void serialize(final String outFile, final Object serializableObject)throws IOException{
    FileOutputStream fos = new FileOutputStream(outFile);
    ObjectOutputStream oos = new ObjectOutputStream (fos);
    public static Object deSerialize(final String serializedObject)throws FileNotFoundException,IOException,ClassNotFoundException{

    FileInputStream fis = new FileInputStream(serializedObject);
    ObjectInputStream ois= new ObjectInputStream (fis);

    return ois.readObject();


    thanks a lot for the post
    Keep rocking !