What is serialization in Java?
Serializing an object means converting it into a byte stream so that it can be copied.
A Java object can be serialized if its class or any of its superclasses implements either the java. io. Java’s Serializable interface or one of its sub-interfaces.
What is Java IO serializable?
The Serializable class interface in Java (java. io. Serializable is a marker interface that your classes must use if they are to be serialized and deserialized.
The ObjectOutputStream is used to write (serialize) Java objects, and the ObjectInputStream is used to read (deserialize) them.
What is import Java IO serializable?
In the java.io package, you can declare a serialversionuid and find the Serializable interface.
It looks like a marker. There are no methods and fields on a Marker Interface.
This means that classes that implementing the java.io.serializable interface don’t have to add any methods.
If a class wants its instances to be serialized or deserialized, it must implement this interface.
How to prevent a Java deserialize vulnerability?
The best way to avoid a Java deserialize vulnerability is to not use Java serialization at all.
If your app doesn’t work with serialized objects, it can’t hurt you.
Explaining Java deserialize vulnerabilities
Deserialization vulnerabilities can lead to data type corruption or application crashes, which can cause a denial of service (DoS) condition.
Many times, the same bugs can be used by remote attackers to make a system vulnerable to arbitrary code execution.
Java.io.Serializable interface
In the java.io package, you can find the Serializable interface. It looks like a marker.
There are no methods and fields on a Marker Interface.
Java Serialization with Inheritance (IS-A Relationship)
The SerializeISA class serialized the Student class object, which extends the Serializable Person class.
Subclasses inherit the properties of their parent classes, so if the parent class is Serializable, so would the subclass.
Java transient. Keywords
You can avoid serialization in Java by using the transient keyword.
Objects in a data structure won’t be serialized if they are marked as “transient.”
Serialization is the process of turning an object into a string of bytes, or byte stream.
Java Serialization with Aggregation (HAS-A Relationship)
A class that references another class must have all of those references be Serializable in order for serialization to take place.
NotSerializableException throws ioexception classnotfoundexception at runtime in this situation.
Example of Java Serialization
In this example, we will serialize the Student class object from the code above.
The ObjectOutputStream class’s writeObject() method gives you the ability to serialize the object.
The state of the object is saved in a file called f.txt.
Example:
import java.io.*;
class Persist{
public static void main(String args[]){
try{
//Creating the object
Student s1 =new Student(021596,"Glenn Magada Azuelo");
//Creating stream and writing the object
FileOutputStream fout=new FileOutputStream("f.txt");
ObjectOutputStream out=new ObjectOutputStream(fout);
out.writeObject(s1);
out.flush();
//closing the stream
out.close();
System.out.println("ITNAS PASSED");
} catch(Exception e){System.out.println(e);}
}
}
Output:
ITNAS PASSED
Externalizable in Java
Externalizable is an interface that lets you set up your own serialization rules and methods.
You need to know about Serialization before you can understand the Externalizable interface.
Java Serialization makes it easy to store an object and then re-create it later.
Java Serialization with array or collection
In Java, the ArrayList class is serializable by default, without needing to implement the Serializable interface.
Java Serialization with the static data member
Static members belong to their classes, but they are not part of the objects in those classes.
When an object is serialized, the state of static members is not saved. Static members are not part of an object’s saved state.
What is serializing and Deserializing?
Serialization is the process of converting an object into a stream of data so that it can be stored or transmitted. Its primary function is to save how an object is configured so that it can be reconfigured as necessary.
Deserialization is the process of going backward.
Why do we need Serializable in Java?
In Java, serialization is the idea of showing the state of an object as a public int or public string bytes.
All of the information about the object is in the byte stream.
Serialization in Java is most often used in Hibernate, JMS, JPA, and EJB. It helps move code from one JVM to another and then de-serialize it there.
Why do we need a Serializable interface in Java?
Serialization is the process of converting an object into a stream of data that can be stored or transmitted.
This allows you to save objects so that they can be used later.
Deserialization is the reverse process of changing an Object stream into a real Java object that our program can use.
What happens without serialization in Java?
In a graph, you might come across an readobject method that doesn’t support the Serializable interface.
In this case, the NotSerializableException will be thrown, and it will say what class of object can’t be serialized.
When NOT to Use Java IO Serialization (and What to Use Instead)
Java’s built-in serialization is convenient but has well-known limitations in 2026 production systems. Avoid it when:
- Communicating with non-Java systemsthe serialized binary format is Java-specific. Other languages can’t read it.
- Storing data long-termadding a field to your class can break deserialization of old objects.
- Accepting untrusted inputdeserialization of attacker-controlled byte streams is one of the OWASP Top 10 vulnerabilities (A08:2021 Software and Data Integrity Failures).
- Cross-version compatibility mattersmanaging
serialVersionUIDacross application versions is fragile.
Modern Alternatives
| Format | Use For | Java Library |
|---|---|---|
| JSON | Web APIs, configs, human-readable storage | Jackson, Gson |
| Protocol Buffers | High-performance binary IPC, gRPC | protobuf-java |
| Apache Avro | Big data, Kafka pipelines | avro-java |
| Java built-in | Quick prototypes, JVM-only systems | java.io.Serializable |
For your BSIT capstone:Java built-in serialization is fine, it demonstrates you understand the concept. But mention in your documentation that you’d switch to JSON or Protobuf for a production system.
Quick JSON Example (Jackson)
import com.fasterxml.jackson.databind.ObjectMapper;
public class JsonExample {
public static void main(String[] args) throws Exception {
ObjectMapper mapper = new ObjectMapper();
Student s = new Student("John", 22, "BSIT");
// Serialize to JSON string
String json = mapper.writeValueAsString(s);
System.out.println(json);
// Output: {"name":"John","age":22,"course":"BSIT"}
// Deserialize back to object
Student loaded = mapper.readValue(json, Student.class);
}
}Notice: no need to implement Serializable, no serialVersionUID to maintain, and any language can parse the output.
Security Best Practices for Java Serialization
If you must use Java serialization (legacy code, JVM-internal IPC), follow these rules to avoid deserialization attacks:
- Never deserialize data from untrusted sources.User uploads, network input, cookies, all unsafe by default.
- Use a
ObjectInputFilter(Java 9+) to whitelist allowed classes during deserialization. Block everything else. - Implement
readObject()defensivelyvalidate every field after deserialization, not just during construction. - Mark sensitive fields as
transientpasswords, API keys, session tokens should never be serialized to disk or sent over the wire. - Set a
serialVersionUIDexplicitlydon’t rely on the auto-generated one, which changes if you tweak the class. - Keep dependencies updatedmany CVEs over the years target deserialization gadgets in popular libraries.
Summary
In summary, you have learned about serialization in Java.
This article discusses what is serialization, what is Java IO serializable, and how to prevent a Java deserialization vulnerability.
Serialization with an array or collection and why do we need a serializable interface.
I hope this lesson has helped you learn a lot. Check out my previous and latest articles for more life-changing tutorials which could help you a lot.
< PREVIOUS
Frequently Asked Questions
What is Java IO serialization in simple terms?
Java IO serialization is the process of converting a Java object into a stream of bytes so it can be saved to a file, sent over a network, or stored in a database. Deserialization is the reverse, reconstructing the original object from those bytes. The classes involved are ObjectOutputStream (write) and ObjectInputStream (read), both from the java.io package.
What does the Serializable interface do in Java?
The java.io.Serializable interface is a marker interface, it has no methods. Implementing it simply tells the JVM that instances of your class can be serialized. Without it, attempting to serialize the object throws a NotSerializableException. All fields must also be serializable (or marked transient) for serialization to succeed.
What is the transient keyword in Java serialization?
The transient keyword marks a field that should NOT be serialized. Use it for sensitive data (passwords, API keys), derived/cached values that can be recomputed, or non-serializable field types (like database connections or thread objects). When the object is deserialized, transient fields are restored to their default values (null for objects, 0 for numbers, false for booleans).
What is serialVersionUID and why do I need it?
serialVersionUID is a version number for your serializable class. The JVM uses it to verify that the class definition hasn’t changed between when an object was serialized and when it’s being deserialized. If you don’t declare one, Java auto-generates one based on the class structure, but it changes if you add a field, breaking old serialized data. Always declare it explicitly: private static final long serialVersionUID = 1L;.
Is Java serialization safe to use with untrusted input?
No, deserialization of untrusted input is on the OWASP Top 10 (A08:2021). Attackers can craft malicious byte streams that exploit gadget chains in your classpath to execute arbitrary code. For untrusted input, use JSON with a strict schema instead. If you must use Java serialization, set up an ObjectInputFilter (Java 9+) to whitelist only the specific classes you expect.