Fields in a ``++Serializable++`` class must themselves be either ``++Serializable++`` or ``++transient++`` even if the class is never explicitly serialized or deserialized. For instance, under load, most J2EE application frameworks flush objects to disk, and an allegedly ``++Serializable++`` object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers. In general a ``++Serializable++`` class is expected to fulfil its contract and not have an unexpected behaviour when an instance is serialized. This rule raises an issue on non-``++Serializable++`` fields, and on collection fields when they are not ``++private++`` (because they could be assigned non-``++Serializable++`` values externally), and when they are assigned non-``++Serializable++`` types within the class. == Noncompliant Code Example [source,java] ---- public class Address { //... } public class Person implements Serializable { private static final long serialVersionUID = 1905122041950251207L; private String name; private Address address; // Noncompliant; Address isn't serializable } ---- == Compliant Solution [source,java] ---- public class Address implements Serializable { private static final long serialVersionUID = 2405172041950251807L; } public class Person implements Serializable { private static final long serialVersionUID = 1905122041950251207L; private String name; private Address address; } ---- == Exceptions The alternative to making all members ``++serializable++`` or ``++transient++`` is to implement special methods which take on the responsibility of properly serializing and de-serializing the object. This rule ignores classes which implement the following methods: ---- private void writeObject(java.io.ObjectOutputStream out) throws IOException private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException; ---- == See * https://cwe.mitre.org/data/definitions/594[MITRE, CWE-594] - Saving Unserializable Objects to Disk * https://docs.oracle.com/javase/6/docs/api/java/io/Serializable.html[Oracle Java 6, Serializable] * https://docs.oracle.com/javase/7/docs/api/java/io/Serializable.html[Oracle Java 7, Serializable] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] ''' == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]