Basic Java Deserialization (ObjectInputStream, readObject)
👉 Overview
👀 What ?
Java deserialization is the process of converting a stream of bytes back into a copy of the original Java object. In the standard library it is performed by the ObjectInputStream class, whose readObject method is the counterpart of ObjectOutputStream.writeObject.
🧐 Why ?
Serialization and deserialization matter in Java because together they let the state of an object be saved and restored later. This is used when objects are transmitted over a network (RMI, JMX and many older web frameworks), or when the state of an object needs to be persisted to a database or a file system; deserialization is the half that turns the stored or received bytes back into live objects.
⛏️ How ?
To use Java deserialization, an object must first have been serialized (with ObjectOutputStream.writeObject) and saved to a file or sent over a network. An ObjectInputStream wrapping that byte source is then created, and its readObject method rebuilds the object. The stream itself names the classes to instantiate; the caller only learns what type actually came back when it casts the result.
⏳ When ?
Java has supported serialization and deserialization since JDK 1.1, released in 1997.
⚙️ Technical Explanations
In Java, deserialization is accomplished through the ObjectInputStream class. Its readObject method reads the stream, which carries for each object a class descriptor (class name, serialVersionUID and field list) followed by the field values, and uses that metadata to recreate the object in memory. Deserialization does not run the constructor of the serializable class itself: ObjectInputStream allocates the instance, runs only the no-argument constructor of the first non-serializable superclass (often just java.lang.Object), and then writes the field values directly from the stream. Field initializers are part of the constructor, so transient fields come back as null or zero unless the class restores them. If the class declares a private readObject method or a readResolve method, ObjectInputStream invokes it during this process. This is what makes deserialization risky: the stream, not the application, decides which classes are instantiated, so any Serializable class on the classpath whose readObject, readResolve, or collection-triggered methods such as hashCode or compareTo have side effects can be driven by a crafted stream before the application's readObject call even returns. Chaining such classes is known as a gadget chain. The standard defence is to never deserialize untrusted bytes at all, and, where the format cannot be replaced, to restrict which classes the stream may name with an ObjectInputFilter (java.io.ObjectInputFilter, Java 9 and later, backported to 8u121 as sun.misc.ObjectInputFilter).
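The round trip described under "How" and the behaviour described above, as an added example that is not part of the original page: a small Serializable class shows that its constructor does not run and its private readObject hook does run on deserialization, an unfiltered readObject accepts whatever class the stream names, and an ObjectInputFilter allow-list (Java 9 or later) rejects an unexpected class. The class names, the filter pattern and the use of java.util.ArrayList as the "unexpected" payload are choices made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class DeserializationDemo {

    // Example class chosen for this demo. The constructor and the transient
    // field initializer exist only to show which code does NOT run when the
    // object is rebuilt from a stream.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        String user;
        transient String note = "set by constructor";

        Session(String user) {
            this.user = user;
            System.out.println("Session constructor ran");
        }

        // ObjectInputStream calls this for every Session instance in the stream,
        // before readObject returns to the caller. A gadget class relies on
        // exactly this kind of hook to execute code during deserialization.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Session.readObject hook ran for user=" + user);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe: instantiates any Serializable class on the classpath that the
    // stream names. Never use this on bytes an attacker can influence.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: allow-list only the classes the expected object graph contains,
    // cap stream size and nesting, and reject everything else ("!*").
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=3;maxrefs=32;maxbytes=4096;"
                + "DeserializationDemo$Session;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] blob = serialize(new Session("alice"));   // constructor runs here, once

        System.out.println("-- unfiltered round trip --");
        Session s = (Session) deserializeUnfiltered(blob); // hook runs, constructor does not
        // note is null: the field initializer is constructor code, which was skipped
        System.out.println("user=" + s.user + " note=" + s.note);

        System.out.println("-- filtered, expected class --");
        deserializeFiltered(blob);                           // accepted by the allow-list

        System.out.println("-- filtered, unexpected class --");
        ArrayList<String> list = new ArrayList<>();
        list.add("x");
        byte[] other = serialize(list);                      // stream names java.util.ArrayList
        try {
            deserializeFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The filter is consulted as each class descriptor is resolved, so the ArrayList payload is refused with an InvalidClassException before any of its contents are instantiated; on Java 8u121 the same API is available as sun.misc.ObjectInputFilter. A filter narrows the attack surface to the classes you list, but it does not make those classes safe, so the allow-list should contain only plain data types whose hooks you have reviewed.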