Be Careful With Transient Data

Java’s serialization provides an elegant and easy-to-use mechanism for making an object’s state persistent. When controlling object serialization, we may have a particular data member that we do not want the serialization mechanism to save.

To turn off serialization for a certain field, we tag that field in the object’s class with Java’s “transient” keyword. To the low-level parts of the Java virtual machine, this indicates that the transient variable is not part of the object’s persistent state.

First, some background code using Java’s serialization.
Suppose we define a class as:

    import java.util.Date;

    public class LoggingInfo implements java.io.Serializable {
        private Date loggingDate = new Date();
        private String uid;
        private transient String pwd;   // excluded from the serialized state

        LoggingInfo(String user, String password)
        {
            uid = user;
            pwd = password;
        }

        public String toString()
        {
            String password = null;
            if (pwd == null)
            {
                password = "NOT SET";
            }
            else
            {
                password = pwd;
            }
            return "logon info: \n   " + "user: " + uid +
                "\n   logging date : " + loggingDate.toString() +
                "\n   password: " + password;
        }
    }

Now we can create an instance of this class and serialize it, and write the serialized object to disk as in:

    import java.io.FileOutputStream;
    import java.io.ObjectOutputStream;

    LoggingInfo logInfo = new LoggingInfo("MIKE", "MECHANICS");
    System.out.println(logInfo.toString());
    try
    {
        ObjectOutputStream o = new ObjectOutputStream(
                    new FileOutputStream("logInfo.out"));
        o.writeObject(logInfo);   // pwd is not written to logInfo.out
        o.close();
    }
    catch (Exception e)
    {
        // deal with exception
    }

To read the object back, we can write:

    import java.io.FileInputStream;
    import java.io.ObjectInputStream;

    try
    {
        ObjectInputStream in = new ObjectInputStream(
                    new FileInputStream("logInfo.out"));
        LoggingInfo logInfo = (LoggingInfo) in.readObject();
        System.out.println(logInfo.toString());
        in.close();
    }
    catch (Exception e)
    {
        // deal with exception
    }

If we run this code, we notice that the read-back object prints password as “NOT SET”. This is exactly the effect we should have expected when we declared the pwd field as transient.

Now, let’s see a potential problem that careless treatment of transient fields may cause. Suppose we modify our class definition and provide default values for the transient field, say we write:

    import java.util.Date;

    public class GuestLoggingInfo implements java.io.Serializable {
        private Date loggingDate = new Date();
        private String uid;
        private transient String pwd;

        GuestLoggingInfo()
        {
            uid = "guest";
            pwd = "guest";   // default value assigned only in the constructor
        }

        public String toString()
        {
            // same as above
        }
    }

Now, if we serialize an instance of GuestLoggingInfo, write it to disk, and read it back, we still see that the read-back object prints password as “NOT SET”. In effect, the process of reading back (de-serializing) totally ignores the constructor of GuestLoggingInfo. So what happened?

The answer lies in the fact that the initialization code is not called because we are not initializing. In other words, we are not constructing a brand new object, but loading back the persistent state of an object of a class and assigning that state to another object of the same class. Declaring the pwd field as transient excludes the data for that field from the persistent state of our object. Then, upon de-serialization, since there is no data preserved for the pwd field, the field gets Java’s default value for its type (null for String).

So, if you mark a field of an object as transient, and write that object to disk, expect to have the default value of the type of that field when you de-serialize the object, and not the actual value that the field had before its state was serialized. If a default value (or any meaningful value) is essential for a transient field of a de-serialized object, you have to assign it yourself either directly (if the field is public) or via a setter method.
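The behaviour described above, as an added example that is not code from the original article: it checks that the transient value never reaches the serialized bytes, and it goes beyond the setter approach in the text by restoring the default inside a private readObject method, the hook that ObjectInputStream invokes during de-serialization. The class names TransientRestoreDemo and GuestLogin and the sample password value are hypothetical.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class TransientRestoreDemo {
    // Hypothetical variant of GuestLoggingInfo; the password value is a constructed sample.
    static class GuestLogin implements Serializable {
        private static final long serialVersionUID = 1L;
        private String uid;
        private transient String pwd;

        GuestLogin() {
            uid = "guest";
            pwd = "guest-pw-sample";
        }

        // ObjectInputStream calls this hook; the constructor above is not run.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();   // restores uid; pwd is still null here
            pwd = "guest-pw-sample";  // re-establish the default explicitly
        }

        String describe() {
            return uid + " / " + (pwd == null ? "NOT SET" : "set");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new GuestLogin());
        // Serialized strings are stored as plain bytes, so a substring search works.
        String raw = new String(stream, StandardCharsets.ISO_8859_1);
        System.out.println("uid value in stream: " + raw.contains("guest"));
        System.out.println("pwd value in stream: " + raw.contains("guest-pw-sample"));

        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(stream))) {
            GuestLogin back = (GuestLogin) in.readObject();
            System.out.println("after readObject: " + back.describe());
        }
    }
}
```

Removing the readObject method from GuestLogin reproduces the article's result: the de-serialized object reports its password as NOT SET.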
