Apurva Kulkarni

Understanding Transient Keyword in Java Serialization: What You Need to Know

Transient in Java marks a member variable that must not be written when an object is serialized to a stream of bytes. The field is simply skipped: its current value is never persisted, and when the object is deserialized the field holds the default value of its type (null for references, 0 for numeric types, false for boolean). The keyword matters for security because it is the simplest way to keep a secret such as a password or a session token out of the file, database column or network message that carries the serialized object. To learn more about transient, let us first understand what serialization in Java is.


What is serialization?

Serialization in Java is the mechanism that converts the state of an object into a byte stream. It lets us turn an object into a stream that we can send over the network, save to a file or store in a database for later use. Deserialization is the reverse process: it converts that object stream back into a Java object that our program can use.



Serializable is a marker interface in Java: it has no fields or methods to implement. It is an opt-in mechanism, since only classes that implement it can be serialized (a serializable class should also declare a serialVersionUID so that class changes do not silently break existing streams). Serialization itself is implemented by ObjectOutputStream and ObjectInputStream, so all we need is a wrapper over them to save the bytes to a file or send them over the network.

In the example used in this post, the password data member of the SerializationDemo class is declared transient, so its value is not serialized. When the object is deserialized, that field holds the default value of a transient variable, which for a String is null.


Use of Transient keyword:
  • We can use the transient keyword for fields that are derived or calculated from other fields of the same instance: there is no point storing them, since they can be recomputed after deserialization.

  • We use it for fields that hold objects whose class does not implement Serializable, whether that class lives in the JDK or in application code. A serializable class that references such an object cannot be serialized: ObjectOutputStream.writeObject throws java.io.NotSerializableException, naming the offending class. Note: mark such references transient before serializing the main class (a reference that happens to be null at write time does not throw, but relying on that is fragile).


Use of Transient with Final keyword:
  • Transient in Java can be combined with the final keyword, but the combination behaves differently depending on how the field is initialised, which is not generally the case with other keyword combinations in Java.

  • The final modifier makes a difference only when the field has a literal initialisation. When a String (or primitive) field is declared final and transient and initialised with a constant expression, it is a constant variable in the language specification's sense: its value is determined at compile time, the literal is stored in the class's constant pool, and javac inlines every read of the field with that literal. Since it is final, its value cannot change after initialisation, so code reading the field after deserialization still sees the literal rather than null. Two caveats: the field slot itself is still null in the deserialized object (field initialisers of a serializable class do not run during deserialization), which reflection will reveal; and a final transient field initialised with anything that is not a constant expression, such as a method call or a new object, does come back as null.
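The following is an added example, not code from the original post, that exercises the three points above in one run: the transient password never reaches the stream and comes back as null; a non-serializable reference must be transient or writeObject throws NotSerializableException; and a final transient String initialised with a literal still reads as the literal after deserialization even though reflection shows the field slot is null. The class names (TransientDemo, SerializationDemo, AuditLogger, BrokenDemo), field names and the sample values are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class TransientDemo {

    // Does not implement Serializable. A serializable class may hold one of these only
    // in a transient field; otherwise writeObject throws NotSerializableException.
    static class AuditLogger {
        void log(String msg) { System.out.println("[audit] " + msg); }
    }

    static class SerializationDemo implements Serializable {
        private static final long serialVersionUID = 1L;

        String username;
        transient String password;                         // never written to the stream
        transient AuditLogger logger = new AuditLogger();  // non-serializable reference

        // Constant variable (JLS 4.12.4): javac inlines reads of this field, so version()
        // keeps returning "v1" although the field slot is null after deserialization.
        final transient String version = "v1";

        // Not a constant expression, so nothing is inlined: null after deserialization.
        final transient String instanceId = Long.toHexString(System.nanoTime());

        SerializationDemo(String username, String password) {
            this.username = username;
            this.password = password;
        }

        String version() { return version; }
        String instanceId() { return instanceId; }
    }

    // The mistake the NotSerializableException bullet warns about: the field is not transient.
    static class BrokenDemo implements Serializable {
        private static final long serialVersionUID = 1L;
        AuditLogger logger = new AuditLogger();
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    static void check(String what, boolean ok) {
        System.out.println((ok ? "PASS " : "FAIL ") + what);
    }

    public static void main(String[] args) throws Exception {
        SerializationDemo original = new SerializationDemo("alice", "s3cr3t"); // sample values
        byte[] bytes = serialize(original);

        // Strings are stored as modified UTF-8, so a plain byte scan is enough to show
        // which values reached the stream.
        String dump = new String(bytes, StandardCharsets.ISO_8859_1);
        check("password bytes absent from the stream", !dump.contains("s3cr3t"));
        check("username bytes present in the stream", dump.contains("alice"));

        SerializationDemo copy = (SerializationDemo) deserialize(bytes);
        check("username restored", "alice".equals(copy.username));
        check("transient password reset to the String default (null)", copy.password == null);
        check("transient logger is null: field initializers do not rerun", copy.logger == null);
        check("final transient literal still reads as v1 (inlined by javac)", "v1".equals(copy.version()));
        check("final transient non-constant initializer is null", copy.instanceId() == null);

        // Reflection reads the real field slot and bypasses the compile-time inlining.
        Field f = SerializationDemo.class.getDeclaredField("version");
        f.setAccessible(true);
        check("reflection sees the null slot behind the literal", f.get(copy) == null);

        boolean threw = false;
        try {
            serialize(new BrokenDemo());
        } catch (NotSerializableException e) {
            threw = true;   // message names the offending class, TransientDemo$AuditLogger
        }
        check("non-transient non-serializable field throws NotSerializableException", threw);
    }
}
```

Compile and run with `javac TransientDemo.java && java TransientDemo`; every line should print PASS. The byte scan is the check worth keeping in a real code base: a unit test that serializes a user object and asserts the secret's bytes are absent catches a forgotten transient long before the stream ends up in a log or a cache.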


Difference between Transient and Volatile:
  • Volatile and transient are two completely different keywords. transient is concerned with serialization of a Java object: a transient field is skipped when the object is written to a stream.

  • volatile is concerned with memory visibility between threads: a write to a volatile field by one thread is guaranteed to be visible to subsequent reads of that field by other threads.

  • The only thing the two have in common is that both are rarely used compared with public, static or final.


Deserialization :

A transient field only shows its default value once the object has been read back, so let us look at deserialization. Deserialization is the reverse of serialization: it takes data structured in some format and rebuilds it into an object. Today the most popular format for serializing data is JSON; before that it was XML. Many programming languages also have a native way to serialize objects, and these native formats usually offer more features than JSON or XML, including hooks that let a class customise how it is written and read.

Unfortunately, those very features can be repurposed for malicious effect when a native deserializer operates on untrusted data. Attacks against deserializers have been found to enable denial of service, access-control bypass and remote code execution (RCE). It is important to be clear about what transient does and does not do here: it controls what our code writes into a stream; it does nothing to validate a stream we read. An application that deserializes data from outside its trust boundary therefore still needs a deserialization filter (ObjectInputFilter, available since Java 9) that allows only the classes it expects, or should avoid native serialization for that data altogether.



Once deserialized, a transient String comes back as null and a transient int comes back as 0: every transient field simply holds the default value of its type, whatever value the original object had.
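The following is an added example, not code from the original post, of the deserialization side: it reads an object back under an allow-list ObjectInputFilter (JEP 290, Java 9 or later), confirms that the transient String and int fields return as null and 0, and then shows the filter rejecting a stream that carries a class the application never asked for. The class and field names (FilteredDeserializationDemo, Account and its fields), the filter limits and the sample values are assumptions; the "hostile" stream is a constructed HashMap standing in for an unexpected class, not a real exploit payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredDeserializationDemo {

    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;

        String username;
        int loginCount;
        transient String password;    // reference type: null after readObject
        transient int failedLogins;   // primitive: 0 after readObject

        Account(String username, String password, int loginCount, int failedLogins) {
            this.username = username;
            this.password = password;
            this.loginCount = loginCount;
            this.failedLogins = failedLogins;
        }
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Allow-list filter: only Account (and java.lang.String, listed defensively for its
    // field values) may be instantiated from the stream; "!*" rejects everything else and
    // must come last because patterns are evaluated in order with first match winning.
    // The limits bound nesting depth, reference count and stream size against
    // resource-exhaustion payloads. Values are assumptions sized for this demo.
    static final ObjectInputFilter ACCOUNT_ONLY = ObjectInputFilter.Config.createFilter(
            "FilteredDeserializationDemo$Account;java.lang.String;!*;"
            + "maxdepth=4;maxrefs=32;maxbytes=4096");

    static Object deserializeUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ACCOUNT_ONLY);   // must be set before the first readObject
            return ois.readObject();
        }
    }

    static void check(String what, boolean ok) {
        System.out.println((ok ? "PASS " : "FAIL ") + what);
    }

    public static void main(String[] args) throws Exception {
        // Expected class: passes the filter, transient fields come back as type defaults.
        Account restored = (Account) deserializeUntrusted(
                serialize(new Account("alice", "s3cr3t", 7, 2)));   // sample values
        check("username survives the round trip", "alice".equals(restored.username));
        check("loginCount survives the round trip", restored.loginCount == 7);
        check("transient password is null", restored.password == null);
        check("transient failedLogins is 0", restored.failedLogins == 0);

        // Unexpected class: rejected by the filter before any instance of it is created.
        // A real attack would carry a gadget chain, but any class outside the allow-list
        // is refused the same way, so a HashMap is enough to show the mechanism.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        boolean rejected = false;
        try {
            deserializeUntrusted(serialize(unexpected));
        } catch (InvalidClassException e) {
            rejected = true;   // the exception message reports the filter status as REJECTED
        }
        check("class outside the allow-list is rejected", rejected);
    }
}
```

Compile and run with `javac FilteredDeserializationDemo.java && java FilteredDeserializationDemo`. A per-stream filter like this is the precise tool; as a process-wide safety net the same pattern syntax can be supplied on the command line with `-Djdk.serialFilter=...`, which applies to every ObjectInputStream that does not set its own filter.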



Summary:

The transient keyword is a cheap and effective way to keep sensitive state out of an application's serialized form. For example, when user objects are serialized and deserialized regularly, marking the password field transient guarantees that the password is never written to the stream. Its limits should be kept in mind: transient protects only what is written, not the object in memory or the integrity of the stream, and it does nothing to make reading untrusted streams safe, which is a job for a deserialization filter.

