serialization proxy pattern

原创

wx61a48c2d77c92 2021-11-30 16:41:39 博主文章分类：Serialize ©著作权

文章标签 其他 文章分类 代码人生

©著作权归作者所有：来自51CTO博客作者wx61a48c2d77c92的原创作品，请联系作者获取转载授权，否则将追究法律责任

serialization proxy pattern

Both the enclosing class and its serialization proxy must be declared to implement Serializable.

public class User implements Serializable {
    ...
    private static class SerializationProxy implements Serializable {
        ...
    }
}

the writeReplace method translates an instance of the enclosing class to its serialization proxy prior to serialization.

public class User implements Serializable {
    ...
    private static class SerializationProxy implements Serializable {
        ...
    }
    
    // 2. writeReplace
    private Object writeReplace() {
        return new SerializationProxy(this);
    }
}

to guarantee that such an attack would fail, merely add this readObject method to the enclosing class.

public class User implements Serializable {
    ...
    private static class SerializationProxy implements Serializable {
        ...
    }
    
    private Object writeReplace() {
        return new SerializationProxy(this);
    }
    
    // 3. readObject
    private void ReadObject(ObjectInputStream stream) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }
}

the readResolve method creates an instance of the enclosing class using only its public API and therein lies the beauty of the pattern.

public class User implements Serializable {
    ...
    private static class SerializationProxy implements Serializable {
        ...
        
        // 4. readResolve
        private Object readResolve() {
            return new User(id, name);
        }
    }
    
    private Object writeReplace() {
        return new SerializationProxy(this);
    }
    
    private void ReadObject(ObjectInputStream stream) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }
}