Java Object Serialization Specification
Fields containing sensitive data should not be serialized; doing so exposes their values to any party with access to the serialization stream. There are several methods for preventing a field from being serialized:
- Declare the field as private transient.
- Define the serialPersistentFields field of the class in question, and omit the field from the list of field descriptors.
- Write a class-specific serialization method (i.e., writeObject or writeExternal) which does not write the field to the serialization stream (i.e., by not calling ObjectOutputStream.defaultWriteObject).
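Added example (not part of the specification) showing the three approaches above in one runnable class; the class names, the user/password fields and the secret value are constructed for illustration. Each variant is serialized to a byte array, which is then scanned for the secret to confirm that it never reached the stream.

```java
import java.io.*;

public class SensitiveFieldDemo {
    // 1. transient: the default serialization mechanism skips the field entirely.
    static class WithTransient implements Serializable {
        private static final long serialVersionUID = 1L;
        String user = "alice";
        private transient String password = "hunter2"; // constructed secret
    }
    // 2. serialPersistentFields: only the listed fields are ever written.
    static class WithPersistentFields implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("user", String.class)
        };
        String user = "alice";
        private String password = "hunter2"; // not listed, so never written
    }
    // 3. writeObject that never calls defaultWriteObject: fields written by hand.
    static class WithWriteObject implements Serializable {
        private static final long serialVersionUID = 1L;
        String user = "alice";
        private String password = "hunter2";
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.writeUTF(user); // password deliberately omitted
        }
        private void readObject(ObjectInputStream in) throws IOException {
            user = in.readUTF(); // must mirror writeObject exactly
            password = null;     // secret has to be re-established out of band
        }
    }
    // Serialize the object and report whether the secret appears in the stream.
    static boolean leaks(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        // Strings are written as modified UTF-8, so an ASCII secret is visible as-is.
        return new String(bytes.toByteArray(), "ISO-8859-1").contains("hunter2");
    }
    public static void main(String[] args) throws IOException {
        System.out.println("transient leaks: " + leaks(new WithTransient()));
        System.out.println("serialPersistentFields leaks: " + leaks(new WithPersistentFields()));
        System.out.println("writeObject leaks: " + leaks(new WithWriteObject()));
    }
}
```

All three variants print false; replacing the transient modifier, the serialPersistentFields list or the hand-written writeObject with the default behaviour makes the corresponding line print true, which is the quickest way to check a class that carries secrets.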