Serialization (Serializable, transient)
Serialization is the process of converting a Java object into a stream of bytes that can be stored or transmitted, and later turned back into an equal object — a powerful but security-sensitive part of the platform.
Part of the free Java course at LearnCodingFast — hands-on lessons with examples you run in your browser, plus practice exercises and a quick quiz.
You should know classes and objects, interfaces (Serializable is one), and have seen exceptions — these stream operations throw several checked ones.
💡 Analogy: Serialization is like flat-packing a piece of furniture to ship it. The assembled chair (your object) is broken down into a flat box of parts (bytes) that can be stored or posted, then rebuilt into an identical chair at the other end (deserialization). transient fields are the parts you deliberately leave out of the box — the cushions you'll buy fresh on arrival. And serialVersionUID is the model number printed on the box: if the assembly instructions at the destination are for a different model number, you refuse to build it rather than produce a broken chair.
All examples below flat-pack into an in-memory ByteArrayOutputStream instead of a file, so they run anywhere with no disk access — and print the real round-tripped result.
Implement Serializable, declare a serialVersionUID, then write with ObjectOutputStream.writeObject and read back with ObjectInputStream.readObject (casting the result). We serialize into a byte array so the example needs no file.
Mark a field transient to keep it out of the byte stream — for secrets like a password, recomputable caches, or non-serializable references. After deserialization those fields hold their default value (null for objects, 0 for numbers).
The serialVersionUID is a version stamp. On read, Java compares the stream's UID with the current class's; a mismatch throws InvalidClassException. Always declare it explicitly — otherwise Java derives a default one from the class's structure, and that value changes on almost any edit, silently breaking old data.
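Worked example, added here and not the lesson's own code: a hypothetical Book with an explicit serialVersionUID and a transient cache, round-tripped through in-memory streams by a generic helper (the same shape the Your Turn and Mini-challenge exercises below ask for). The title survives the trip; the cache comes back as null and is recomputed on demand.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical class for this example: the title travels in the stream, the cache does not.
class Book implements Serializable {
    // Explicit version stamp; change it only when the serialized form changes incompatibly.
    private static final long serialVersionUID = 1L;
    private final String title;
    // transient: skipped by writeObject, so it holds its default (null) after readObject.
    private transient String upperTitleCache;

    Book(String title) { this.title = title; }
    String title() { return title; }
    String rawCache() { return upperTitleCache; }

    // Recomputable cache: rebuilt lazily on first use after deserialization.
    String upperTitle() {
        if (upperTitleCache == null) upperTitleCache = title.toUpperCase();
        return upperTitleCache;
    }
}

public class RoundTripDemo {
    // Generic helper: write to an in-memory byte array and read it straight back.
    @SuppressWarnings("unchecked")
    static <T extends Serializable> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (T) in.readObject();   // readObject returns Object; the cast restores the static type
        }
    }

    public static void main(String[] args) throws Exception {
        Book original = new Book("Effective Java");
        original.upperTitle();                      // populate the cache before shipping
        Book restored = roundTrip(original);
        System.out.println("title: " + restored.title());                 // written and restored
        System.out.println("cache: " + restored.rawCache());              // transient: never written
        System.out.println("same object? " + (restored == original));    // readObject builds a fresh instance
        System.out.println("equal title? " + restored.title().equals(original.title()));
    }
}
```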
Java's native deserialization is one of the platform's most exploited features. Deserializing bytes from an untrusted source can instantiate arbitrary classes and execute code during reconstruction — so-called gadget chains that have produced many real-world remote-code-execution CVEs.
Answer: 0 — its type default. Transient fields aren't written, so on restore objects are null and numbers are 0 / 0.0.
Answer: NotSerializableException at write time, naming the offending class. Make that type Serializable or mark the field transient.
Answer: not with native Java serialization — untrusted streams can trigger code execution. Use JSON for external data, or a strict ObjectInputFilter if you truly must.
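The strict ObjectInputFilter the answer above refers to, as an added example that is not part of the lesson: an allowlist pattern (Java 9+) that admits only a hypothetical Book class and the String it holds, caps depth, reference count and stream size, and rejects every other class before an instance of it is created. The classes are assumed to live in the default package, so the pattern names Book unqualified.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical classes for this example.
class Book implements Serializable {
    private static final long serialVersionUID = 1L;
    final String title;
    Book(String title) { this.title = title; }
}
// Stands in for any class the reader does NOT expect in the stream.
class Unexpected implements Serializable { private static final long serialVersionUID = 1L; }

public class FilterDemo {
    // Allowlist: only Book and the String it holds may be instantiated; "!*" rejects everything
    // else. The limits cap nesting depth, total references and total bytes read.
    static final ObjectInputFilter BOOK_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=16;maxbytes=4096;Book;java.lang.String;!*");
    static byte[] serialize(Serializable obj) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Reads one object under the allowlist. A class the filter rejects is refused when its
    // descriptor is read, before any instance of it is created.
    static Object readFiltered(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(BOOK_ONLY);   // must be set before readObject
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Book book = (Book) readFiltered(serialize(new Book("Effective Java")));
        System.out.println("accepted: " + book.title);
        try {
            readFiltered(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());  // message reports the filter status
        }
    }
}
```

In production the same allowlist can be applied process-wide with the jdk.serialFilter system property instead of per stream, so no ObjectInputStream is left unfiltered by accident.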
🎯 YOUR TURN — Skip a cache field
Add a transient cache field to Book so the title persists but the cache comes back null.
🧩 MINI-CHALLENGE — Generic round-trip helper
Write using in-memory streams, and prove the restored Cart has equal contents but is a different object.
You can now make a class Serializable, round-trip it through ObjectOutputStream / ObjectInputStream using in-memory byte arrays, control what travels with transient, manage compatibility with serialVersionUID, and — crucially — respect the deserialization security risks by preferring JSON for untrusted data.
Practice quiz
What is serialization?
- Sorting objects
- Encrypting data
- Converting an object into a byte stream
- Compiling code
Answer: Converting an object into a byte stream. Serialization turns an object's state into a sequence of bytes that can be stored or transmitted, and later reconstructed (deserialized).
Which interface marks a class as serializable?
- Serializable
- Comparable
- Cloneable
- Runnable
Answer: Serializable. A class must implement java.io.Serializable (a marker interface with no methods) to be serialized by ObjectOutputStream.
Which stream writes an object to bytes?
- ObjectInputStream
- PrintStream
- DataOutputStream
- ObjectOutputStream
Answer: ObjectOutputStream. ObjectOutputStream.writeObject(obj) serializes; ObjectInputStream.readObject() deserializes.
What does the transient keyword do to a field?
- Makes it final
- Excludes it from serialization
- Makes it static
- Encrypts it
Answer: Excludes it from serialization. A transient field is skipped during serialization and comes back as its default value (null or 0) after deserialization.
What is serialVersionUID for?
- Version compatibility between serialized and current class
- Object identity
- Thread safety
- Hashing
Answer: Version compatibility between serialized and current class. It identifies a class version; if a stream's UID doesn't match the loaded class, deserialization throws InvalidClassException.
What happens to a transient field after deserialization?
- Keeps its old value
- Throws an exception
- Becomes its default (null/0)
- Becomes final
Answer: Becomes its default (null/0). Transient fields are not written, so on restore they hold the type's default — null for objects, 0 for numbers.
Why is Java deserialization a security risk?
- It's slow
- Untrusted byte streams can be crafted to execute malicious code (gadget chains)
- It uses too much memory
- It's deprecated entirely
Answer: Untrusted byte streams can be crafted to execute malicious code (gadget chains). Deserializing untrusted data can trigger 'gadget chains' leading to remote code execution — never deserialize data you don't trust.
A safer modern alternative to Java serialization for data exchange is...
- Object streams
- transient
- Reflection
- JSON (e.g. Jackson/Gson)
Answer: JSON (e.g. Jackson/Gson). Text formats like JSON are language-neutral, human-readable, and far safer for exchanging data across systems.
If you serialize a class that references another object, that object must also...
- be transient
- implement Serializable (or be transient)
- be final
- be static
Answer: implement Serializable (or be transient). All non-transient referenced objects must themselves be Serializable, or you get NotSerializableException.
What does ObjectInputStream.readObject() return?
- A String
- void
- An Object you must cast
- An int
Answer: An Object you must cast. readObject() returns Object, so you cast it to the expected type — and it can throw ClassNotFoundException.