【正文】 ttribute ?刪除 attribute 2020/11/4 Institute of Computer Software Nanjing University 54 Attribute was not in stored version. Field is initialized to default value of attribute type Stored version had a field. New version has removed attribute. Attributes have not changed. Correction correct_mismatch is Handle object retrieval mismatch by correctly setting up balance. do balance := ensure consistent: balance = end 2020/11/4 Institute of Computer Software Nanjing University 55 deposits withdrawals balance 900 100 200 240 300 new field (initialized to default value) old fields Wrong! 維護(hù)不變式 自動對象轉(zhuǎn)換： Java ? serialVersionUID ?自動定義 （根據(jù)類文件生成） ? 1. Class name 2. The class modifiers 3. The name of each interface 4. For each field of the class (except private static and private transient fields): ? The name of the field ? The modifiers of the field ? The descriptor of the field ? 5. For each method including constructors, except private methods and constructors: ? The name of the method ? The modifiers of the method ? The descriptor of the method 2020/11/4 Institute of Computer Software Nanjing University 56 自動對象轉(zhuǎn)換： Java ?手工指定 ?ANYACCESSMODIFIER static final long serialVersionUID = 42L。 ? 不管你選擇了哪種序列化形式，你都要為自己編寫的每個序列化的類聲明一個顯式的序列化版本 UID。 ?它要消耗過多的時間。 2020/11/4 Institute of Computer Software Nanjing University 25 Effective Java for Serialization ? 2. Consider using a custom serialized form 考慮使用自定義的序列化形式 ?如果一個對象的物理表示等同于它的邏輯內(nèi)容，則默認(rèn)的序列化形式可能是合適的。 ?可序列化類的變化越大，它就越需要測試。 ?序列化會使類的演化受到限制。 } 2020/11/4 Institute of Computer Software Nanjing University 16 The Externalizable Interface ? The class of an Externalizable object must do the following: ? Implement the interface ? Implement a writeExternal method to save the state of the object ? Implement a readExternal method to read the data written by the writeExternal method from the stream and restore the state of the object ? Have the writeExternal and readExternal methods be solely responsible for the format, if an externally defined format is written ? Have a public noarg constructor 2020/11/4 Institute of Computer Software Nanjing University 17 The Externalizable Interface ? An Externalizable class can optionally define the following methods: ?writeReplace ?readResolve 2020/11/4 Institute of Computer Software Nanjing University 18 Note: 聲明類實現(xiàn) Externalizable接口會有重大的安全風(fēng)險。 Java Object Serialization What ? Object Serialization extends the core Java Input/Output classes with support for objects. ? Object Serialization supports the encoding of objects, and the objects reachable from them, into a stream of bytes。 Java Object Serialization Example ? Reading from an object stream 2020/11/4 Institute of Computer Software Nanjing University 10 // Deserialize a string and date from a file. FileInputStream in = new FileInputStream(tmp)。 ObjectOutput s = new ObjectOutputStream(f)。 (Error during serialization)。 ()。 InputStream o = ()。 String str = null。 (Error during serialization)。 (new Date())。 OutputStream o = ()。 ObjectOutput s = new ObjectOutputStream(o)。 ()。 (1)。 Date d = null。 ObjectInput s = new ObjectInputStream(o)。 (str)。 (1)。 (Today)。 ObjectInputStream s = new ObjectInputStream(in)。 and it supports the plementary reconstruction of the object graph from the stream. 2020/11/4 Institute of Computer Software Nanjing University 11 Java Object Serialization Goal ? Have a simple yet extensible mechanism. ? Maintain the Java object type and safety properties in the serialized form. ? Be extensible to support marshaling and unmarshaling as needed for remote objects. ? Be extensible to support simple persistence of Java objects. ? Require per class implementation only for customization. ? Allow the object to define its external format. 2020/11/4 Institute of Computer Software Nanjing University 12 Java Object Serialization How ? Objects to be saved in the stream may support either the Serializable or the Externalizable interface. ?For Serializable objects, the stream includes sufficient information to restore the fields in the stream to a patible version of the class. ?For Externalizable objects, the class is solely responsible for the external format of its contents. 2020/11/4 Institute of Computer Software Nanjing University 13 The Serializable Interface ? public interface { }。 writeExternal()與 readExternal()方法聲明為 public，惡意類可以用這些方法讀取和寫入對象數(shù)據(jù)。 ?代價 2：增加了錯誤和安全漏洞的可能性。 2020/11/4 Institute of Computer Software Nanjing University 24 Effective Java for Serialization ? Notes: ?為了繼承而設(shè)計的類應(yīng)該很少實現(xiàn) Serializable，接口也應(yīng)該很少會擴(kuò)展它。 ?即使確定了默認(rèn)序列化形式是合適的，通常仍然要提供一個 readObject方法以保證約束關(guān)系和安全性。 ?它會引起棧溢出。 2020/11/4 Institute of Computer Software Nanjing University 32 private static final long serialVersionID = randomLongValue Effective Java for Serialization ? 3. Write readObject methods defensively 保護(hù)性地編寫 readObject方法 ?readObject方法實際上相當(dāng)于另一個共有的構(gòu)造函數(shù)，如同其他構(gòu)造函數(shù)一樣，它也要求所有同樣的注意事項： 檢查實參的有效性 ，并且 必要時對參數(shù)進(jìn)行保護(hù)性拷貝 。 ?類改變時仍然能夠反序列化 ? Java定義了一些“兼容”條件，符合條件的自動轉(zhuǎn)換 ?可以容忍的： adding fields, etc. ?太糟糕的 : “Changing the type of a field”, deleting fields, etc 2020/11/4 Institute of Computer Software Nanjing University 57 對于實在“糟糕”的類修改 ?可以定制序列化和反序列化方法 private void readObject(ObjectInputStream in) {} private void writeOb