Three ways of Java built-in serialization

This article is an introduction.

  • Please also refer to the related article "Too many Java serialization vulnerabilities to fix".
  • Serialization is the process of converting a data object into a byte stream (binary format) so that it can be transferred over the network or stored in a database, and later deserialized back into its original form.
  • Java has three built-in ways of serialization.

Implement Serializable interface

  • Using the default serialization mechanism only requires implementing the Serializable interface; no method needs to be implemented.
  • The Serializable interface has no methods; it is only a marker that tells the Java virtual machine that the class can be serialized. We then use the writeObject(object) method of ObjectOutputStream to serialize and the readObject() method of ObjectInputStream to deserialize.
  • In this way, the serialization mechanism automatically saves the object's member variables; static member variables and member variables marked with the transient keyword are not serialized or saved.

User entity class

package com.lct.entities;

import java.io.Serializable;
import java.util.Date;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Created by Administrator on 2018/7/31 0031.
 * User class -- implements the Serializable interface
 */
public class User implements Serializable {

    private Integer id;
    private String name;
    private Date birthday;
    // static fields belong to the class, not the instance, so they are not serialized
    private static AtomicInteger count;
    private static final String COLOR = "red";

    public Date getBirthday() {
        return birthday;
    }

    public void setBirthday(Date birthday) {
        this.birthday = birthday;
    }

    public static String getCOLOR() {
        return COLOR;
    }

    public static AtomicInteger getCount() {
        return count;
    }

    public static void setCount(AtomicInteger count) {
        User.count = count;
    }

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    @Override
    public String toString() {
        return "User{" +
                "birthday=" + birthday +
                ", id=" + id +
                ", name='" + name + '\'' +
                '}';
    }
}

Serializable and Deserialize

package test;

import com.lct.entities.User;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Created by Administrator on 2018/7/25 0025.
 */
public class Test {

    public static void main(String[] args) {
        User user = new User();
        user.setId(9527);            // values as shown in the operation result below
        user.setName("Hua'an");
        user.setBirthday(new Date());
        User.setCount(new AtomicInteger(110));   // static field: not written to the stream

        try {
            // Serialize to file
            FileOutputStream fileOutputStream = new FileOutputStream(new File("E:/abc.txt"));
            ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);
            objectOutputStream.writeObject(user);
            objectOutputStream.close();

            // Deserialize from file
            FileInputStream fileInputStream = new FileInputStream(new File("E:/abc.txt"));
            ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream);
            User user1 = (User) objectInputStream.readObject();
            objectInputStream.close();
            System.out.println("Deserialization result:\r\n" + user1);
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }
}

Operation result

Deserialization result:
User{birthday=Tue Jul 31 08:59:56 CST 2018, id=9527, name='Hua'an'}
Process finished with exit code 0

Added by g_pmattoo on Thu, 23 Jan 2020 18:15:06 +0200