The byte stream created by serialization is platform independent, so an object serialized on one platform can be deserialized on a different platform.
To make a Java object serializable, we implement the java.io.Serializable interface. The ObjectInputStream class contains the readObject method for deserializing an object. Serialization is used, for example, to send an object across a network. Only objects of classes that implement java.io.Serializable can be serialized. Serializable is a marker interface: it has no data members and no methods. Other examples of marker interfaces are Cloneable and Remote.

Points to remember
1. Only non-static data members are saved by the serialization process.
2. Static data members and transient data members are not saved by the serialization process.
3. The constructor of an object is never called when the object is deserialized.
4. Associated objects must also implement the Serializable interface.
5. A Serializable class can declare its own serialVersionUID explicitly by declaring a field of that name.
Why is serialization required?

Figure 1. A high-level view of serialization in action.

How to serialize an object

In order to serialize an object, you need to ensure that the class of the object implements the java.io.Serializable interface.
Listing 1. Implementing Serializable

Listing 2.

To re-create the object from the persistent file, you would employ the code in Listing 3.
Listing 3.

The serialized format of an object

What does the serialized version of the object look like?

Listing 4.

Listing 5.

Java's serialization algorithm

By now, you should have a pretty good knowledge of how to serialize an object.
In general, the serialization algorithm does the following:
1. It writes out the metadata of the class associated with the instance.
2. It recursively writes out the description of each superclass until it reaches java.lang.Object.
3. Once it has finished writing the metadata, it starts on the actual data associated with the instance, but this time it starts from the topmost superclass.
4. It recursively writes the data associated with the instance, starting from the least-derived superclass and ending with the most-derived class.

Listing 6.

Listing 7.

Figure 2. An outline of the serialization algorithm

Let's go through the serialized format of the object in detail and see what each byte represents.
1. Specifies that this is a serialization protocol (the stream magic).
2. The serialization protocol version.
3. Specifies that this is a new object.
4. Specifies that this is a new class descriptor.
5. This particular flag says that the class supports serialization.
6. Represents a new string.
7. This flag notes that the object supports serialization.

A serialized Java object is a byte array that captures the object's state. It contains the name of the class it refers to and the data of each field.
If you look at a stored serialized object with a hex editor, you can find and manipulate the information quickly. We already know that Java deserialization does not use the constructor to create an object but instead uses reflection to load the fields. This means that any validation checks done in the constructor are never run when the object is recreated. Think of checks such as a start date having to come before an end date when describing a period.
When deserializing a Java object, the new object can therefore have an invalid state. When reading the file ValueObject. Now I can easily manipulate the string value. Below I change it from Hi to Hallo. So, if an application accepts serialized objects, it is relatively easy to tamper with the values.
Tampering with the data in an object is harmful enough on its own. However, this can also lead to code execution if the right set of objects is deserialized. To explain this, I first have to explain gadgets and chains. A gadget is existing executable code in the application that can be reused for malicious purposes. If we look at Java serializable objects, some magic methods—like the private readObject method—are reflectively called when deserializing. This gadget class provides its own readObject method in place of the default one.
As a result, every time an object of class Gadget is deserialized, the Runnable object command is executed. When a command class looks something like the example below, it is easy to manipulate this serialized object and perform code injection. Also note that if an application accepts serialized objects, the object is deserialized first, before it is cast to the desired type.
This means that even if the cast fails, deserialization has already completed and the readObject method has already run. A typical deserialization attack consists of a cleverly crafted chain of gadgets. An attacker searches for a gadget that is usable for launching an attack and chains several executions that end with, for instance, arbitrary code execution. In our example:
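The following is an added example, not code from any of the articles quoted above: a small Python inspector for the serialization stream format walked through byte by byte earlier on this page. It builds a constructed stream for a hypothetical class ValueObject with a single String field value = "Hi" and serialVersionUID 1 (all three are assumptions), parses the header and class descriptor, and refuses to go any further when a class name is not on an allow-list, which is the kind of check a receiving application needs before ObjectInputStream.readObject runs, since deserialization (and any readObject gadget) happens before the cast. Java's own mechanism for this is ObjectInputFilter (JEP 290); the returned field values also show that the String field sits in the clear as a length-prefixed UTF-8 value, which is why a hex editor can alter it and why the format offers no integrity protection of its own.

```python
import io, struct
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x74, 0x78  # stream type codes
SC_SERIALIZABLE = 0x02          # class-descriptor flag: "this class supports serialization"
HEADER = b"\xac\xed\x00\x05"    # STREAM_MAGIC, STREAM_VERSION

def utf(s):  # stream string: 2-byte big-endian length, then the UTF-8 bytes
    return struct.pack(">H", len(s.encode())) + s.encode()
# Constructed sample: hypothetical class ValueObject {String value = "Hi"}, serialVersionUID 1.
SAMPLE = (HEADER + bytes([TC_OBJECT, TC_CLASSDESC]) + utf("ValueObject") + struct.pack(">q", 1)  # new object, class name, UID
          + bytes([SC_SERIALIZABLE]) + struct.pack(">H", 1) + b"L" + utf("value")   # flags, one object field "value"
          + bytes([TC_STRING]) + utf("Ljava/lang/String;") + bytes([TC_ENDBLOCKDATA, TC_NULL])  # type name, end, no super
          + bytes([TC_STRING]) + utf("Hi"))                                         # field data: a new string

def take(r, n):
    chunk = r.read(n)
    if len(chunk) != n: raise ValueError("truncated stream")
    return chunk
def u1(r): return take(r, 1)[0]
def u2(r): return struct.unpack(">H", take(r, 2))[0]
def rd_utf(r): return take(r, u2(r)).decode()
def read_class_desc(r, names):
    """Walk a class descriptor and its superclass chain; return the fields in stream order."""
    tag = u1(r)
    if tag == TC_NULL: return []                    # end of the superclass chain
    if tag != TC_CLASSDESC: raise ValueError(f"unsupported descriptor tag 0x{tag:02x}")
    names.append(rd_utf(r))
    take(r, 8)                                      # serialVersionUID
    if not u1(r) & SC_SERIALIZABLE: raise ValueError("class not flagged SC_SERIALIZABLE")
    fields = []
    for _ in range(u2(r)):
        code, name = chr(u1(r)), rd_utf(r)
        if code in "L[":                            # object/array fields carry a type-name string
            if u1(r) != TC_STRING: raise ValueError("expected TC_STRING type name")
            rd_utf(r)
        fields.append((code, name))
    if u1(r) != TC_ENDBLOCKDATA: raise ValueError("expected TC_ENDBLOCKDATA")
    return read_class_desc(r, names) + fields       # superclass fields are written first

def inspect(data, allowed):
    """Pre-deserialization gate: check the header, reject classes outside the allow-list, read String fields."""
    r = io.BytesIO(data)
    if take(r, 5) != HEADER + bytes([TC_OBJECT]): raise ValueError("expected stream header followed by TC_OBJECT")
    names, values = [], {}
    fields = read_class_desc(r, names)
    if blocked := [n for n in names if n not in allowed]:
        raise PermissionError(f"class not allow-listed: {blocked}")
    for code, name in fields:
        if code != "L" or u1(r) != TC_STRING: raise ValueError(f"field {name!r} needs a full object parser")
        values[name] = rd_utf(r)
    return values
```

The inspector deliberately stops at nested objects; a real gate must handle the whole object graph, which is exactly what the JDK filter does for you.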