Why doesn't Java.lang.Object implement the Serializable Interface?


Question


Possible duplicate:

Why does Java need the Serializable interface?

According to Serializability in Java docs:

Serializability of a class is enabled by the class implementing the java.io.Serializable interface. Classes that do not implement this interface will not have any of their state serialized or deserialized. All subtypes of a serializable class are themselves serializable. The serialization interface has no methods or fields and serves only to identify the semantics of being serializable.

Why doesn't Object already implement Serializable? Members that we wouldn't want to be serializable could be made transient. Why prevent the default serializability?

Answer


All subtypes of a serializable class are themselves serializable.

In other words: all classes you ever created, create or will create would be serializable. transient only excludes fields, not whole classes.

This is a potential security hole: by coincidence you can serialize, e.g., your DataSource with database credentials inside, if the creator of this particular DataSource implementation forgot to make such fields transient. It's surprisingly easy to serialize a random Java object, e.g. through inner classes holding an implicit reference to the outer this.

It's just safer to use a white-list of classes which you explicitly want and allow to be serialized, as opposed to carefully examining your code to make sure no fields you do not want serialized ever are.

Moreover, you could no longer say: MySuperSecretClass is not serializable (by simply not implementing Serializable); you could only exclude the guts (fields).
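The leak the answer describes, as an added example that is not part of the original question or answer. The class names `LeakyDataSource`, `Handle`, `SafeDataSource` and `NotSerializableSecret` are constructed for illustration: a non-static inner class silently captures its enclosing instance, so serializing a harmless-looking `Handle` writes the outer object's password into the stream. The same block shows the two defences the answer contrasts (marking the field `transient` versus not implementing `Serializable` at all) and, on the reading side, the explicit allow-list the answer recommends, implemented with `java.io.ObjectInputFilter` (Java 9 and later). The `com.example.*` package in the filter pattern is an assumption standing in for whatever an application actually trusts.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.NotSerializableException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializationLeakDemo {

    // Constructed example: a credential holder that implements Serializable but forgot to
    // mark the secret transient. Any object graph that reaches it carries the password.
    static class LeakyDataSource implements Serializable {
        private static final long serialVersionUID = 1L;
        final String url;
        final String password;   // defect on purpose: should be transient (or the class not Serializable)

        LeakyDataSource(String url, String password) {
            this.url = url;
            this.password = password;
        }

        // Non-static inner class: the compiler adds a hidden this$0 field referencing the
        // enclosing LeakyDataSource, so serializing a Handle also serializes the DataSource.
        class Handle implements Serializable {
            private static final long serialVersionUID = 1L;
            final int id;

            Handle(int id) {
                this.id = id;
            }
        }
    }

    // Hardened variant: transient excludes the field from default serialization,
    // but the class itself is still serializable.
    static class SafeDataSource implements Serializable {
        private static final long serialVersionUID = 1L;
        final String url;
        transient String password;

        SafeDataSource(String url, String password) {
            this.url = url;
            this.password = password;
        }
    }

    // Not implementing Serializable is the only way to say "never serialize this type":
    // ObjectOutputStream rejects it with NotSerializableException.
    static class NotSerializableSecret {
        final String secret;

        NotSerializableSecret(String secret) {
            this.secret = secret;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Strings are written as (modified) UTF-8 in the stream, so an ASCII secret is visible as-is.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        // 1. Inner-class leak: only a Handle was handed out, yet the bytes contain the password.
        LeakyDataSource leaky = new LeakyDataSource("jdbc:postgresql://db/app", "hunter2");
        byte[] handleBytes = serialize(leaky.new Handle(42));
        System.out.println("Handle stream contains password: " + streamContains(handleBytes, "hunter2"));

        // 2. transient keeps the field out of the stream; the class remains serializable.
        byte[] safeBytes = serialize(new SafeDataSource("jdbc:postgresql://db/app", "hunter2"));
        System.out.println("SafeDataSource stream contains password: " + streamContains(safeBytes, "hunter2"));

        // 3. A type that does not implement Serializable cannot be written at all.
        try {
            serialize(new NotSerializableSecret("hunter2"));
        } catch (NotSerializableException e) {
            System.out.println("Rejected at write time: " + e.getMessage());
        }

        // 4. Reading side: an explicit allow-list. Patterns are tried in order; "!*" rejects
        //    everything not matched earlier. com.example.* is an assumed trusted package.
        ObjectInputFilter allowList =
                ObjectInputFilter.Config.createFilter("com.example.*;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(safeBytes))) {
            ois.setObjectInputFilter(allowList);
            ois.readObject();   // SafeDataSource is outside com.example, so the filter rejects it
        } catch (InvalidClassException e) {
            System.out.println("Rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerializationLeakDemo.java && java SerializationLeakDemo` on a JDK 9 or newer. The first two checks make the answer's point concrete: `transient` hides a field, but only the absence of `Serializable` can reject a whole type, which is exactly what an `Object`-level `Serializable` would take away. The filter in step 4 is the deserialization-side complement: instead of auditing every reachable field, the reader names the classes it is willing to instantiate and refuses the rest.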
