
Lesson 03 · Serialization

Objectives

After this lesson you will be able to:

  • Make a class Serializable and write/read it with object streams.
  • Use transient and serialVersionUID correctly.
  • Recognize serialization pitfalls.

Serializable and object streams

Implementing the marker interface Serializable (no methods) lets ObjectOutputStream / ObjectInputStream convert an object graph to/from bytes.

java
import java.io.*;
import java.nio.file.*;

class Account implements Serializable {
    private static final long serialVersionUID = 1L;
    String owner;
    transient String sessionToken;     // NOT serialized
}

class RoundTrip {
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        Path p = Path.of("account.ser");
        Account account = new Account();
        try (var out = new ObjectOutputStream(Files.newOutputStream(p))) {
            out.writeObject(account);
        }
        try (var in = new ObjectInputStream(Files.newInputStream(p))) {
            Account a = (Account) in.readObject();   // throws ClassNotFoundException if class missing
        }
    }
}

transient

A transient field is skipped during serialization; on read-back it gets the type's default (null, 0, false) — the constructor does not run. Use it for secrets, caches, and non-serializable references.

java
account.sessionToken = "secret";
// after round-trip (a is the deserialized copy):
assert a.sessionToken == null;     // holds — transient was not stored, no constructor ran

Exam trap

Deserialization bypasses constructors — the object is rebuilt from bytes, not constructed. Every non-transient, non-static field must itself be Serializable, or writeObject throws NotSerializableException. static fields belong to the class, not the instance, so they are never serialized.

serialVersionUID

This static final long is the class's version stamp. On read, the JVM compares the stored UID to the current class's; a mismatch throws InvalidClassException. If you don't declare one, the compiler generates a fragile value from the class shape that changes on almost any edit.

java
private static final long serialVersionUID = 1L;   // declare it explicitly

SDET note

Java's built-in serialization is brittle and a known security risk (deserializing untrusted bytes can execute code). For real persistence/transport prefer an explicit format — JSON (Module 17) — and treat Serializable mostly as exam knowledge. Never readObject untrusted data.
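The lesson's round-trip in one runnable file, showing the transient reset and the skipped constructor, plus the allow-list check a practitioner puts in front of readObject. This is an added example, not code from the lesson or its labs; it uses the JDK's ObjectInputFilter (JDK 9 and later), and the class names, the filter pattern and the in-memory buffer are this example's own choices.

```java
import java.io.*;

public class SerializationDemo {
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        String owner;
        transient String sessionToken;   // skipped: absent from the byte stream
        static int constructed = 0;      // class state: never serialized

        Account(String owner, String sessionToken) {
            this.owner = owner;
            this.sessionToken = sessionToken;
            constructed++;               // does not run again on readObject
        }
    }

    // Some other Serializable type that we never expect to meet in the stream.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Read back under an allow-list: only Account and java.base classes may be resolved,
    // "!*" rejects everything else before any of its deserialization code runs, and
    // maxdepth bounds the object graph. The class name assumes no package declaration.
    static Account fromBytes(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "SerializationDemo$Account;java.base/*;!*;maxdepth=5"));
            return (Account) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Account copy = fromBytes(toBytes(new Account("alice", "tok-123")));
        System.out.println(copy.owner + " " + copy.sessionToken + " " + Account.constructed);
        try {
            fromBytes(toBytes(new Unexpected()));          // not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first line printed shows the owner restored, the token reset to null and a constructor count that is still 1; the second shows the filter turning the unexpected class into an InvalidClassException instead of letting it deserialize.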

Key Takeaways

  • Serializable is a marker interface enabling ObjectOutputStream/ObjectInputStream (writeObject/readObject).
  • transient fields are skipped (restored to defaults); deserialization bypasses constructors.
  • Every non-transient, non-static field must be Serializable or you get NotSerializableException; statics aren't serialized.
  • Declare serialVersionUID explicitly; a mismatch on read throws InvalidClassException.

Lesson Quiz

  1. What happens to a transient field after a serialize/deserialize round-trip?

    • A. Keeps its value
    • B. Set to the type's default (null/0/false)
    • C. Throws
    • D. Re-runs the constructor
  2. A non-transient field's type is not Serializable. What happens on writeObject?

    • A. It's skipped
    • B. NotSerializableException
    • C. It's stored as null
    • D. Compile error
  3. What does deserialization use to build the object?

    • A. The no-arg constructor
    • B. The bytes — it bypasses constructors
    • C. A static factory
    • D. clone()
  4. A serialVersionUID mismatch on read throws...

    • A. IOException
    • B. InvalidClassException
    • C. ClassNotFoundException
    • D. Nothing
  5. Are static fields serialized?

    • A. Yes
    • B. No — they belong to the class, not the instance
    • C. Only if final
    • D. Only the first one

Next: Module 08 Mini-Exam. Run the matching code in labs/src/main/java/com/jse21/m08_io/.