序列化(Serialization)

说说你对object serialization的理解
  • object serialization 是Java的一个框架,serializing是把objects 编程成 byte streams,deserializing 是从byte streams中重构出objects
如何实现类的序列化?
  • 实现Serializable接口
Java serialization的缺陷
  • 安全性隐患,易遭受袭击:可以调用ObjectInputStream中的readObject方法来反序列化出Object graphs
  • 正确性隐患,性能隐患,可维护性隐患
// Deserialization bomb - deserializing this stream takes forever
// deserializing the set causes the hashCode method to be invoked over 2100 times
static byte[] bomb() {
    Set root = new HashSet<>();
    Set s1 = root;
    Set s2 = new HashSet<>();
    for (int i = 0; i < 100; i++) {
        Set t1 = new HashSet<>();
        Set t2 = new HashSet<>();
        t1.add("foo"); // Make t1 unequal to t2
        s1.add(t1);  s1.add(t2);
        s2.add(t1);  s2.add(t2);
        s1 = t1;
        s2 = t2;
    }
    return serialize(root); // Method omitted for brevity
}
 
 
针对Java serialization的缺陷,有什么使用建议?
  • 不要再使用Java native serialization
  • 推荐采用其他的 cross-platform structured data 代表:JSON和protobuf
JSON和protobuf的对比,各自的优缺点
  • JSON被设计用于browser-server的通信;protobuf被设计用于servers之间的structured data通信
  • JSON是由 JavaScript开发;protobuf是由C++开发
  • JSON是基于文本的,可读性好;protobuf是二进制的,性能更高
  • JSON仅仅是数据代表;protobuf提供更丰富的数据类型(Schemas)
  • protobuf也能提供文本代表,叫pbtxt
如果仅仅采用Java默认序列化方式(implements Serializable),有哪些灾难?
  • 一旦一个类released,再次更改该类的实现将很难,这还涉及到serial version UIDs的问题
  • 增加了bugs 和 security holes,因为它能够直接操作私有成员,破坏了封装性
  • 在发布新版本类时,增加了测试负担,因为要考虑到前后版本的序列化和反序列化的兼容性
当一个对象的物理描述和其逻辑内容不一致时,如果采用默认序列化方式,有哪些缺陷?
  • 永久的把导出的API和当前的内部描述拴在一起
  • 消耗过度的空间
  • 消耗过度的时间
  • 造成stack overflows
// Awful candidate for default serialized form
public final class StringList implements Serializable {
    private int size = 0;
    private Entry head = null;
    private static class Entry implements Serializable {
        String data;
        Entry  next;
        Entry  previous;
    }

    ... // Remainder omitted
}
如何自己设计一种序列化方式?
  • 当一个对象的物理描述和其逻辑内容一致时,才适合使用Java的默认序列化方式
// Good candidate for default serialized form
public class Name implements Serializable {
    /**
     * Last name. Must be non-null.
     * @serial
     */
    private final String lastName;

    /**
     * First name. Must be non-null.
     * @serial
     */
    private final String firstName;
    /**
     * Middle name, or null if there is none.
     * @serial
     */
    private final String middleName;

    ... // Remainder omitted
}
  • 尽量使对象的实例字段设为transient,除非其value代表该对象的逻辑状态,如果你使用自定义的序列化方式,尽量让每个实例字段都标为transient
  • 提供自定义的writeObject和readObject方法
// StringList with a reasonable custom serialized form
public final class StringList implements Serializable {
    // transient modifier indicates that an instance field 
    // is to be omitted from a class’s default serialized form
    private transient int size   = 0;
    private transient Entry head = null;

    // No longer Serializable!
    private static class Entry {
        String data;
        Entry  next;
        Entry  previous;
    }

    // Appends the specified string to the list
    public final void add(String s) { ... }

    /**
     * Serialize this {@code StringList} instance.
     *
     * @serialData The size of the list (the number of strings
     * it contains) is emitted ({@code int}), followed by all of
     * its elements (each a {@code String}), in the proper
     * sequence.
     */
    private void writeObject(ObjectOutputStream s)
            throws IOException {
        s.defaultWriteObject();
        s.writeInt(size);
        // Write out all elements in the proper order.
        for (Entry e = head; e != null; e = e.next)
            s.writeObject(e.data);
    }

    private void readObject(ObjectInputStream s)
            throws IOException, ClassNotFoundException {
        s.defaultReadObject();
        int numElements = s.readInt();
        // Read in all elements and insert them in list
        for (int i = 0; i < numElements; i++)
            add((String) s.readObject());
    }

    ... // Remainder omitted
}
  • if you have a thread-safe object that achieves its thread safety by synchronizing every method and you elect to use the default serialized form, use the following write-Object method
// writeObject for synchronized class with default serialized form
private synchronized void writeObject(ObjectOutputStream s)
        throws IOException {
    s.defaultWriteObject();
}
  • declare an explicit serial version UID in every serializable class you write
private static final long serialVersionUID = randomLongValue;
写readObject方法时,应该注意什么?
  • 对于object reference fields,必须进行有防御的copy
  • Check任何不变性,如果check失败,要抛出InvalidObjectException
  • 在反序列化后,如果要验证整个 object graph,要使用ObjectInputValidation接口
  • 不要直接或间接的激活overridable methods
// readObject method with defensive copying and validity checking
private void readObject(ObjectInputStream s)
        throws IOException, ClassNotFoundException {
    s.defaultReadObject();

    // Defensively copy our mutable components
    start = new Date(start.getTime());
    end   = new Date(end.getTime());

    // Check that our invariants are satisfied
    if (start.compareTo(end) > 0)
        throw new InvalidObjectException(start +" after "+ end);
}
如果单例类implements Serializable,为了确保instance control(是真正的单例),有哪些建议?
public class Elvis {
    public static final Elvis INSTANCE = new Elvis();
    private Elvis() {  ... }

    public void leaveTheBuilding() { ... }
}
  • 提供一个readResolve method,同时确保该类的instance fields是原始类型或者带transient的引用类型
// singleton - transient object reference field
public class Elvis implements Serializable {
    public static final Elvis INSTANCE = new Elvis();
    private Elvis() { }
    private transient String[] favoriteSongs =
        { "Hound Dog", "Heartbreak Hotel" };
    public void printFavorites() {
        System.out.println(Arrays.toString(favoriteSongs));
    }

    private Object readResolve() {
        return INSTANCE;
    }
}
  • 相对于采用readResolve方法,优先使用enum types来确保单例
// Enum singleton - the preferred approach
public enum Elvis {
    INSTANCE;
    private String[] favoriteSongs =
        { "Hound Dog", "Heartbreak Hotel" };
    public void printFavorites() {
        System.out.println(Arrays.toString(favoriteSongs));
    }
}
  • 也可以采用序列化代理模式(serialization proxy pattern),考虑类Period
// Immutable class that uses defensive copying
public final class Period {
    private final Date start;
    private final Date end;
    /**
     * @param  start the beginning of the period
     * @param  end the end of the period; must not precede start
     * @throws IllegalArgumentException if start is after end
     * @throws NullPointerException if start or end is null
     */
    public Period(Date start, Date end) {
        this.start = new Date(start.getTime());
        this.end   = new Date(end.getTime());
        if (this.start.compareTo(this.end) > 0)
            throw new IllegalArgumentException(
                          start + " after " + end);
    }

    public Date start () { return new Date(start.getTime()); }

    public Date end () { return new Date(end.getTime()); }

    public String toString() { return start + " - " + end; }
 ... // Remainder omitted
}
public final class Period implements Serializable {
    private final Date start;
    private final Date end;
    /**
     * @param  start the beginning of the period
     * @param  end the end of the period; must not precede start
     * @throws IllegalArgumentException if start is after end
     * @throws NullPointerException if start or end is null
     */
    public Period(Date start, Date end) {
        this.start = new Date(start.getTime());
        this.end   = new Date(end.getTime());
        if (this.start.compareTo(this.end) > 0)
            throw new IllegalArgumentException(
                          start + " after " + end);
    }

// Serialization proxy for Period class
    private static class SerializationProxy implements Serializable {
         private final Date start;
         private final Date end;

         SerializationProxy(Period p) {
             this.start = p.start;
             this.end = p.end;
         }
         private static final long serialVersionUID = 234098243823485285L; // Any number will do (Item  87)
         // readResolve method for Period.SerializationProxy
         private Object readResolve() {
              return new Period(start, end);    // Uses public constructor
         }
    }

    // writeReplace method for the serialization proxy pattern
    private Object writeReplace() {
        return new SerializationProxy(this);
    }

    // readObject method for the serialization proxy pattern
    private void readObject(ObjectInputStream stream) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }

    public Date start () { return new Date(start.getTime()); }

    public Date end () { return new Date(end.getTime()); }

    public String toString() { return start + " - " + end; }
 ... // Remainder omitted
}

你可能感兴趣的:(序列化(Serialization))