java serializable interface

Question

In Java some of the objects are serializeable and some or not.An object of a class which implements Serializable interface can be act as serializable object.Also Serializable interface is used for namesake only and there is no methods there.Here my question is ,Java specification can simply say all objects are serializable .user needn't implement any interfaces for this purpose.But it didn't specified like this.So what is the purpose behind this ?

Here i am not asking why we need Serializable interface?

Why i need to convey this information(ie., the given object is Serializable one) to the developer and to the compiler/JVM?

Answer 1

This link has some reasons. I think the underlying philosophy is that the marker interface (i.e. no methods) genuinely conveys information to the developer and to the compiler/JVM.

Edit: I began to write a comment in response to the first comment, but decided to edit the answer.

The link lists 3 reasons why you may not want an object to be serializable: (a) may not make sense to serialize state (b) additional contract/versioning overhead (c) privacy concerns. There is no way for the compiler to know these issues in advance.

One might ask "why isn't Serialization a default, and there is a way to opt-out?". The answer here is probably that (1) it is weird to express in the language (2) it is more dangerous. For an example of (2), if you don't know about the privacy issue (c), then you might expose sensitive information with no explicit indication of doing so.

Answer 2

Presumably because it forces the developer to think about how serialization has to occur. There are a couple non-trivial issues there, for instance maintaining object identity of singleton objects, what state to serialize (should that field be transient? If so, how is it initialized after deserialization?) and versioning.

Moreover, implementing Serializable has security implications. While the virtual machine ensures that private fields can not be modified (at least if a security manager is present), there is no such protection for serialized data.

Answer 3

Here's a real live example: decent appservers can temporarily store session data (specifically, the attributes of HttpSession) on disk when the server has to be shut down or restarted, so that it can restore all session data on startup. In a clustered environment the appserver will also write session data to disk so that it can be shared among appservers in the cluster.

Writing Java objects (usually just javabeans) to disk require that they implements java.io.Serializable (which is just a marker interface). Rougly said, with implementing the interface the developer gives JVM the permission to store this data on the disk file system. But that also imples that anything else outside the context can access this data.

If the class implementing serializable contains a field which you'd like not to be stored on the disk file system, for example private String password (bad example, but it should give you the idea), then you can just declare it transient to avoid its value being serialized to disk:

private transient String password;

You only have to live with the fact that it won't be restored with its original value after deserialization. You have to write additional logic to restore its value yourself. Fields marked static will also not be serialized, but they usually already get initialized during loading of the class.

Hope this gives a clear picture.

Answer 4

1. Using serialization concept an object can be exposed outside jvm it intern exposes private variables’ value which is violation of OOPS concept. By marking a class as Serializable, developers understand the security concern.
2. JVM serializes complete object navigation graph. Sometime developer might intent to persist only top level object and forget to mark member variables as transient. In this case Serializable interface enforces developer to make conscious decision to persistent required classes.

http://webmoli.com/2008/01/27/what-is-the-magic-serializable-interface-does-in-java/