[Java serialization, JSON serialization, Hessian serialization]

Introduction

Data objects in memory must be converted into binary streams before they can be persisted or transmitted over a network. The process of converting a data object into a binary stream is called serialization.
Conversely, the process of restoring a binary stream to a data object is called deserialization.
Serialization must retain enough information to restore the data object, but to save storage space and network bandwidth the serialized binary stream should be as small as possible.
A common use case for serialization is data transmission in RPC frameworks. Three serialization methods are common:

Java native serialization

A Java class makes its objects serializable by implementing the Serializable interface. This interface is special in that it declares no methods; it serves only as a marker.
Java serialization retains the metadata of the object's class (the class itself, member variables, inherited class information, and so on) as well as the object data, and therefore has the best compatibility, but it does not support cross-language use and its performance is mediocre.
For classes that implement Serializable, it is recommended to set the serialVersionUID field explicitly. If it is not set, a serialVersionUID is generated automatically every time the program runs, based on the internal details of the class (class name, interface names, methods, properties, etc.).
If the source code of the class is modified, the serialVersionUID value may change after recompilation. Therefore a class that implements Serializable should explicitly define the serialVersionUID attribute.
When modifying a class, decide whether to change serialVersionUID based on compatibility. For a compatible upgrade, do not change the serialVersionUID field, or deserialization will fail.
For an incompatible upgrade, change the serialVersionUID value to avoid deserialization confusion.
When using Java native serialization, note that during deserialization the class's no-arg constructor is not called; instead, a native method assigns each member variable the default value of its type.
For performance and compatibility reasons, Java native serialization is not recommended.

Hessian serialization

Hessian is a network protocol that supports dynamically typed, cross-language, object-based transmission.
A binary stream serialized from a Java object can be deserialized by other languages (C++/Python). The Hessian protocol has the following features:

  • Self-describing serialization types: common basic types are represented by a single byte, with no dependency on external description files or interface definitions.
  • Dramatically shorter binary streams.
  • Language independent, with support for scripting languages.
  • A simple protocol that is more efficient than Java's native serialization.

Compared with Hessian 1.0, Hessian 2.0 adds compression encoding. Its serialized binary stream is 50% the size of Java serialization, its serialization time is 30% of Java serialization, and its deserialization time is 20% of Java deserialization.
Hessian stores all properties of a complex object in a Map for serialization. Therefore, when a parent class and a subclass have member variables with the same name, Hessian serializes the subclass first and then the parent class, so after deserialization the subclass's same-named member variable is overwritten by the parent class's value.
High efficiency, poor compatibility, not recommended.

JSON serialization

JSON (JavaScript Object Notation) is a lightweight data exchange format. JSON serialization converts a data object into a JSON string.
Type information is discarded during serialization, so deserialization can only be accurate if the type information is supplied. Compared with the first two methods, JSON is more readable and convenient for debugging.
Serialized objects are usually transmitted over the network and often contain sensitive data, so serialization frequently becomes an attack point. Attackers exploit the deserialization process to construct malicious input, causing the program to execute arbitrary code during deserialization.
Deserialization vulnerabilities have occurred in Apache Commons Collections, Jackson, fastjson and other libraries widely used in Java projects. How can this kind of attack be prevented?
Some sensitive attributes of an object do not need to be serialized and transmitted. Marking such a field with the transient keyword keeps it out of the serialized binary stream.
If sensitive attributes of an object must be transferred, they can be encrypted (symmetrically or asymmetrically) and transmitted separately, and then restored into the object by a dedicated method.
Application developers must be security-aware when using serialization: validate the content of incoming data or restrict permissions, and patch security vulnerabilities promptly to avoid attacks.
The above points come from Efficient Code: Java Development Manual. This article is a post-reading note, shared here for everyone's reference.
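A compact Java example, added to this note and not taken from the book or the original post, that ties the points above together: an explicit serialVersionUID, a transient sensitive field, the fact that the class's own constructor and field initializers do not run during deserialization, and input validation done with a JEP 290 ObjectInputFilter allowlist (Java 9+). The class, field and method names (SerializationDemo, Account, ALLOWED) are constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class SerializationDemo {
    static class Account implements Serializable { // constructed demo class, not from the post
        // Set explicitly: keep it across compatible changes, change it for incompatible ones.
        private static final long serialVersionUID = 1L;
        String owner;
        transient String password;      // sensitive, never written to the stream
        transient int failedLogins = 3; // initializer is skipped on readObject: comes back as 0
        Account(String owner, String password) {
            this.owner = owner;
            this.password = password;
            System.out.println("constructor ran"); // printed once; readObject never calls it
        }
    }

    // Allowlist for the JEP 290 filter (Java 9+): only these classes may be instantiated from a stream.
    static final Set<Class<?>> ALLOWED = Set.of(Account.class, String.class);

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/reference checks only
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlist); // a rejected class fails before it is instantiated
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Account copy = (Account) deserialize(serialize(new Account("alice", "s3cret")));
        System.out.println(copy.owner + " " + copy.password + " " + copy.failedLogins); // alice null 0
        try {
            deserialize(serialize(new HashMap<String, String>())); // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The same filter can be installed process-wide with the jdk.serialFilter system property instead of per stream, which is the usual choice when the code that opens ObjectInputStream is not under your control.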

JSON serialization is often used in actual development. For example:
Sample code
This interface uses JSON serialization: the input parameter is annotated with @RequestBody, which converts the request body into a Java object, and @ResponseBody converts the interface's return value into JSON for the response. It is a typical JSON serialization reference example.


Origin blog.csdn.net/uziuzi669/article/details/123003806