Be Careful With Transient Data（Java序列化与trasient变量）

Be Careful With Transient Data

 

(原文来自http://www.devx.com/tips/Tip/13726 )

Expertise: Intermediate
Language: Java
January 28, 2000
Be Careful With Transient Data
Java's serialization provides an elegant, and easy to use mechanism for making an object's state persistent. While controlling object serialization, we might have a particular object data member that we do not want the serialization mechanism to save.
To turn off serialization on a certain field of an object, we tag that field of the class of our object with the Java's "transient" keyword. This, to low-level parts of the Java virtual machine, is an indication that the transient variable is not part of the persistent state of an object.

First, let's have some backgrounder code with Java's serialization.
Suppose we define a class as:

public class LoggingInfo implements java.io.Serializable
{
private Date loggingDate = new Date();
private String uid;
private transient String pwd;

LoggingInfo(String user, String password)
{
uid = user;
pwd = password;
}
public String toString()
{
String password=null;
if(pwd == null)
{
password = "NOT SET";
}
else
{
password = pwd;
}
return "logon info: \n " + "user: " + uid +
"\n logging date : " + loggingDate.toString() +
"\n password: " + password;
}
}
Now we can create an instance of this class and serialize it, and write the serialized object to disk as in:
LoggingInfo logInfo = new LoggingInfo("MIKE", "MECHANICS");
System.out.println(logInfo.toString());
try
{
ObjectOutputStream o = new ObjectOutputStream(
new FileOutputStream("logInfo.out"));
o.writeObject(logInfo);
o.close();
}
catch(Exception e) {//deal with exception}
To read the object back, we can write
try
{
ObjectInputStream in =new ObjectInputStream(
new FileInputStream("logInfo.out"));
LoggingInfo logInfo = (LoggingInfo)in.readObject();
System.out.println(logInfo.toString());
}
catch(Exception e) {//deal with exception}
If we run this code, we notice that the read-back object prints password as "NOT SET". This is exactly the effect we should have expected when we declared the pwd field as transient.
Now, let's see a potential problem that careless treatment of transient fields may cause. Suppose we modify our class definition and provide default values for the transient field, say we write:

public class GuestLoggingInfo implements java.io.Serializable
{
private Date loggingDate = new Date();
private String uid;
private transient String pwd;

GuestLoggingInfo()
{
uid = "guest";
pwd = "guest";
}
public String toString()
{
//same as above
}
}
Now, if we serialize an instance of GuestLoggingInfo, write it to disk, and read it back, we still see that the read-back object prints password as "NOT SET". In effect, the process of reading back (de-serializing) totally ignores the constructor of GuestLoggingInfo. So what happened?
The answer lies in the fact that the initialization code is not called because we are not initializing, in other words, we are not constructing a brand new object, but loading back the persistent state of an object of a class, and assigning that state to another object of the same class. Declaring the pwd field as transient, excludes the data for that field from the persistent state of our object. Then, upon de-serialization, since there is no data preserved for the pwd field, the field gets Java's default value for its type (null for String).

So, if you mark a field of an object as transient, and write that object to disk, expect to have the default value of the type of that field when you de-serialize the object, and not the actual value that the field had before its state was serialized. If a default value (or any meaningful value) is essential for a transient field of a de-serialized object, you have to assign it yourself either directly (if the field is public) or via a setter method.

Behrouz Fallahi