I am posting a doubt that I came across while reading Effective Java. I apologize if it's a really simple and straightforward doubt. In Item 74 - Implement Serializable judiciously, he says that even after implementing good information hiding in your class using private and package-private fields, it is prone to lose effectiveness? Whatever I read in the past was that all serialization does is convert objects into byte-stream form, and after deserialization the same object is retained. How does it lose data hiding in this process?
3 Answers
You could potentially gain access to the internal state of an object using serialization and deserialization.
By serializing an object, you might be able to read the values of private fields that you otherwise shouldn't. Conversely, if you create a well-crafted byte array that you deserialize into an instance, you might be able to initialize it in an illegal state.
Hmmm.. so does this mean, any time we serialize an object, we lose the guarantee that data hiding might not work the way we wanted it to work? – t0mcat Nov 12 '10 at 16:58
Well, in some sense yes, but if you think this may cause problems, you can always override the readObject() method, check the state yourself, and throw an exception if it violates some constraint. As for accessing values, in most practical cases this isn't a big issue. – candiru Nov 12 '10 at 17:06
The data-hiding problem with serialization in the context of OOP is pointed out by @candiru.
But there is another aspect to serialization as well.
You can send a serialized file across the network, so it can be peeped at, and things which are supposed to be private can be easily compromised.
Below is the content of a Bean class which I serialized (using the default technique). I could view the content by opening the serialized file in a text editor.
’ sr SerializationPractice1 I ageL extrat Ljava/lang/String;L nameq ~ xp
pt SidKumarq ~ x
Now you can easily find the following things without even knowing about the class:
- Name of the class: SerializationPractice1
- A string attribute named name, whose value is SidKumar
These things you can notice for sure; other details are not so clear. And the above information is correct.
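The two points made in the answers above (private field values are readable in the stream, and a crafted stream can bypass the constructor unless readObject() re-validates) can be reproduced in a few lines. The following is an added example, not code from the question or either answer: the Account class, the SerializationLeakDemo wrapper and the constructed values "SidKumar" and 0x0A0B0C0D are this example's own assumptions, chosen so the int's four bytes are easy to find in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializationLeakDemo {

    // Hypothetical class for this example: the constructor enforces an
    // invariant (balance is never negative) and both fields are private.
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;
        private final int balance;

        Account(String owner, int balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.owner = owner;
            this.balance = balance;
        }

        int balance() { return balance; }

        // Deserialization never calls the constructor, so the invariant has to be
        // re-checked here (candiru's suggestion); without this method a crafted
        // stream yields an Account with a negative balance.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (balance < 0) {
                throw new InvalidObjectException("negative balance in stream: " + balance);
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Offset of the first occurrence of needle inside haystack, or -1.
    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: 0x0A0B0C0D is chosen so its 4-byte encoding is easy to locate.
        byte[] stream = serialize(new Account("SidKumar", 0x0A0B0C0D));

        // 1. Exposure: the class name, field names and the String value are written
        //    as plain (modified UTF-8) text, which is why they show up in a text editor.
        String text = new String(stream, StandardCharsets.ISO_8859_1);
        System.out.println("class name visible : " + text.contains(Account.class.getName()));
        System.out.println("field name visible : " + text.contains("balance"));
        System.out.println("owner value visible: " + text.contains("SidKumar"));

        // 2. Tampering: the private int is stored as 4 big-endian bytes. Overwrite
        //    them with 0xFFFFFFFF (-1), a value the constructor would have rejected.
        byte[] tampered = stream.clone();
        int at = indexOf(tampered, new byte[] {0x0A, 0x0B, 0x0C, 0x0D});
        if (at < 0) throw new IllegalStateException("field bytes not found in stream");
        for (int i = 0; i < 4; i++) tampered[at + i] = (byte) 0xFF;

        Account ok = (Account) deserialize(stream);
        System.out.println("untouched stream -> balance " + ok.balance());
        try {
            Account bad = (Account) deserialize(tampered);
            System.out.println("tampered stream accepted -> balance " + bad.balance());
        } catch (InvalidObjectException e) {
            System.out.println("tampered stream rejected: " + e.getMessage());
        }
    }
}
```

Run it once as written and the tampered stream is rejected with an InvalidObjectException; delete the readObject() method and run it again, and the same tampered bytes deserialize into an Account whose balance is -1, which no constructor call could ever have produced. The three "visible" checks print true in both runs: encapsulation keywords say nothing about what the serialized form contains.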
I do believe that serialization has the potential to expose private data to the outside world. And that is where externalizing (using Externalizable-type instances) comes in very handy. By implementing the Externalizable interface's writeExternal(...) method, the developer has full control over the serialization process rather than relying completely on the default serialization runtime implementation. Below is the pseudo-code for my idea (I am ignoring the exact details, as it is merely pseudo-code intended to put across the broader idea):
class SensitiveData implements java.io.Externalizable {
    int sensitiveInteger;

    public SensitiveData() { }  // Externalizable requires a public no-arg constructor

    public void writeExternal(java.io.ObjectOutput outputData) throws java.io.IOException {
        // encrypt sensitiveInteger here
        // serialize the sensitiveInteger, which is now encrypted, to any persistent store
        outputData.writeInt(sensitiveInteger);
        // do other processing
    }

    public void readExternal(java.io.ObjectInput inputData) throws java.io.IOException {
        // read back and decrypt sensitiveInteger here (the inverse of writeExternal)
        sensitiveInteger = inputData.readInt();
    }
}
In fact, why just encryption? We might well want to compress the serialized bytes written to a persistent store in situations where the instance to be serialized is 'big'.
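Filling in the pseudo-code above with a concrete cipher shows what "encrypt sensitiveInteger here" has to cover in practice: a fresh nonce per write, an authenticated mode so a modified stream is detected rather than silently decrypted, and a bounds check on any length read from the stream. This is an added example, not the answerer's code: the AES-GCM choice, the per-process key (a stand-in for a key fetched from a keystore or KMS), the constructed value 0x0A0B0C0D and the use of java.util.HexFormat (Java 17+) are all this example's assumptions.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SensitiveData implements Externalizable {
    private static final long serialVersionUID = 1L;
    private static final int IV_BYTES = 12, TAG_BITS = 128;   // standard GCM sizes
    private static final int CT_BYTES = 4 + TAG_BITS / 8;      // encrypted int + auth tag

    // Assumption for this example: a per-process key. In real code the key
    // comes from a keystore or KMS, and it must never be written to the stream.
    private static final SecretKey KEY = newKey();

    private int sensitiveInteger;

    public SensitiveData() { }                        // required by Externalizable
    public SensitiveData(int value) { sensitiveInteger = value; }
    public int sensitiveInteger() { return sensitiveInteger; }

    private static SecretKey newKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Only a fresh IV and the AES-GCM ciphertext (which carries the auth tag)
    // reach the stream; the plaintext int never does.
    @Override
    public void writeExternal(ObjectOutput out) throws IOException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        byte[] plain = ByteBuffer.allocate(4).putInt(sensitiveInteger).array();
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plain);
            out.write(iv);
            out.writeInt(ct.length);
            out.write(ct);
        } catch (GeneralSecurityException e) {
            throw new IOException("encryption failed", e);
        }
    }

    // The length comes from the (untrusted) stream, so it is checked before any
    // allocation; a modified IV, ciphertext or tag fails GCM authentication.
    @Override
    public void readExternal(ObjectInput in) throws IOException {
        byte[] iv = new byte[IV_BYTES];
        in.readFully(iv);
        int len = in.readInt();
        if (len != CT_BYTES) throw new InvalidObjectException("bad ciphertext length " + len);
        byte[] ct = new byte[len];
        in.readFully(ct);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, iv));
            sensitiveInteger = ByteBuffer.wrap(c.doFinal(ct)).getInt();
        } catch (GeneralSecurityException e) {
            throw new InvalidObjectException("decryption/authentication failed: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new SensitiveData(0x0A0B0C0D));   // constructed input
        }
        byte[] stream = bos.toByteArray();
        // With default serialization the bytes 0a0b0c0d would sit in the stream in the clear.
        System.out.println("plaintext int visible: " + HexFormat.of().formatHex(stream).contains("0a0b0c0d"));

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            SensitiveData back = (SensitiveData) ois.readObject();
            System.out.println("round trip ok: " + (back.sensitiveInteger() == 0x0A0B0C0D));
        }

        // Flip one bit in the last tag byte. The stream's final byte is the
        // TC_ENDBLOCKDATA marker, so the byte before it is the end of the ciphertext.
        byte[] tampered = stream.clone();
        tampered[tampered.length - 2] ^= 0x01;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(tampered))) {
            ois.readObject();
            System.out.println("tampered stream accepted");
        } catch (IOException e) {
            System.out.println("tampered stream rejected: " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind when applying this pattern: encrypting the field hides its value from anyone who reads the file or sniffs the wire, but it does not change the fact that readExternal() runs on attacker-controlled input before any of your constructors do, so the same length and invariant checks are still needed on the decrypted data; and because the class name and field layout are not encrypted (they live in the class descriptor written by ObjectOutputStream), an observer still learns which type was serialized.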