
Fields in a "Serializable" class should either be transient or serializable

Posted: 2017-07-20 13:35:13


Fields in a Serializable class must themselves be either Serializable or transient even if the class is never explicitly serialized or deserialized. That's because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers.

This rule raises an issue on non-Serializable fields, and on collection fields when they are not private (because they could be assigned non-Serializable values externally), and when they are assigned non-Serializable types within the class.

Noncompliant Code Example

// Address.java
public class Address {
  //...
}

// Person.java
import java.io.Serializable;

public class Person implements Serializable {
  private static final long serialVersionUID = 1905122041950251207L;

  private String name;
  private Address address;  // Noncompliant; Address isn't serializable
}

Exceptions

The alternative to making all members serializable or transient is to implement special methods which take on the responsibility of properly serializing and de-serializing the object. This rule ignores classes which implement the following methods:

 private void writeObject(java.io.ObjectOutputStream out)
     throws IOException;
 private void readObject(java.io.ObjectInputStream in)
     throws IOException, ClassNotFoundException;
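
The following is an added example, not code from the original rule description: it serializes the noncompliant Person, which fails at runtime with NotSerializableException, and then a compliant variant that marks the field transient and persists it through the two special methods above. The class name SerializableFieldsDemo, the SafePerson class, the Address fields and the sample values are assumptions made for illustration.

```java
import java.io.*;

public class SerializableFieldsDemo {
    // Not Serializable, as in the noncompliant example (street/city fields are assumed).
    static class Address {
        final String street, city;
        Address(String street, String city) { this.street = street; this.city = city; }
    }
    // Noncompliant: a non-transient field of a non-serializable type.
    static class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        private String name = "Alice";                       // constructed sample value
        private Address address = new Address("1 Main St", "Springfield");
    }

    // Compliant: the field is transient and its state is written and read by hand.
    // This sketch assumes address is never null.
    static class SafePerson implements Serializable {
        private static final long serialVersionUID = 1L;
        private String name = "Alice";
        private transient Address address = new Address("1 Main St", "Springfield");
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();        // writes the non-transient fields (name)
            out.writeUTF(address.street);
            out.writeUTF(address.city);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();          // restores name
            address = new Address(in.readUTF(), in.readUTF());  // same order as written
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The noncompliant class compiles, but fails as soon as something serializes it.
        try { serialize(new Person()); }
        catch (NotSerializableException e) { System.out.println("Person failed: " + e); }
        // The compliant class round-trips, including the transient field's state.
        byte[] bytes = serialize(new SafePerson());
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            SafePerson p = (SafePerson) in.readObject();
            System.out.println(p.name + " @ " + p.address.street + ", " + p.address.city);
        }
    }
}
```

Marking the field transient without the two special methods also satisfies the rule, but the field is then null after deserialization.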


Original article: http://www.cnblogs.com/winner-0715/p/7210642.html
