The Serializable contract and what you're actually committing to, serialVersionUID and the InvalidClassException, transient fields, custom readObject/writeObject hooks, the deserialization gadget chain attack that makes Java serialization a CVE factory, readResolve() for Singleton integrity, and when to use Jackson, Protobuf or Avro instead.
// Lessons
- 01 (soon): The Serializable Contract — What You're Actually Committing To
- 02 (soon): serialVersionUID — The Most Ignored Field in Java
- 03 (soon): transient — Excluding Fields from Serialization
- 04 (soon): readObject() and writeObject() — Custom Serialization Hooks
- 05 (soon): The Gadget Chain Attack — Why Java Deserialization Is a CVE Factory
- 06 (soon): readResolve() — Singleton Integrity During Deserialization
- 07 (soon): Modern Alternatives — Jackson, Protobuf and Avro Compared