首页 > 代码库 > Fields in a "Serializable" class should either be transient or serializable
Fields in a "Serializable" class should either be transient or serializable
Fields in a Serializable
class must themselves be either Serializable
or transient
even if the class is never explicitly serialized or deserialized. That‘s because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable
object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers.
This rule raises an issue on non-Serializable
fields, and on collection fields when they are not private
(because they could be assigned non-Serializable
values externally), and when they are assigned non-Serializable
types within the class.
Noncompliant Code Example
public class Address { //... } public class Person implements Serializable { private static final long serialVersionUID = 1905122041950251207L; private String name; private Address address; // Noncompliant; Address isn‘t serializable }
Exceptions
The alternative to making all members serializable
or transient
is to implement special methods which take on the responsibility of properly serializing and de-serializing the object. This rule ignores classes which implement the following methods:
private void writeObject(java.io.ObjectOutputStream out) throws IOException private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException;
Fields in a "Serializable" class should either be transient or serializable