Most of these other answers are explaining the general concept of serialization, but the OP seems to be asking a more specific question: they understand what serialization is, but they've noticed that many codebases serialize Java objects (e.g. to JSON) without implementing the Serializable interface. If this is the case, what's the purpose of the interface? Let me start off by saying that in my experience, the Serializable does not seem to be used very often in modern codebases. Nowadays, most modern codebases tend to prefer to do serialization via a library like Gson, Jackson, SnakeYAML, protobuf, etc. Now to directly answer your question, I think you haven't completely internalized the purpose of an interface yet. Let me do an analogy with electrical outlets. The electrical grid in America vs Europe are built to different standards. In the USA, an electrical outlet will provide 120 volts at 60 Hz, while in many places in Europe, it will provide 240 Volts at 50 Hz. If you want to build an appliance, say a television, you can build one that works to the US standard, or you can build one that works to the European standard. Either one works fine, but you as a TV designer, need to know ahead of time whether you're expecting to receive a US-style power source or a European-style power source so that you can put the right type of circuitry to make sure your television works. Interfaces (in all programming languages, not just Java) act like standards and specifications that allow two software modules to work together, just like the US electrical standard is designed so that any US appliance can work in any US electrical outlet. They provide a guarantee about what sort of functionality an implementing object will provide (e.g. 120 volts at 60Hz) that the caller can rely on to build whatever additional functionality they want on top of it. If you want to integrate with the java.io.ObjectInputStream and java.io.ObjectOutputStream pair of classes (which help perform serialization for you), you need to implement the Serializable interface, just like if you want your television to work with US outlets, you need to design it to work with 120 volts and 60 hz. If you don't care about using ObjectInputStream and ObjectOutputStream, you don't have to implement that interface (maybe your television uses batteries or has a solar panel, in which case you don't need to worry about designing a plug that fits a US outlet). In languages with static type checking, such as Java, the compiler will prevent you from using a class in an API that requires a specific interface is that class does not implement that interface. This is analogous to the idea that the shapes of US electrical outlets are different from European outlets, so you can't accidentally plug in a TV into an outlet that it won't work with. TL;DR: So the answer to your question is that the Serializable is needed when you interact with an API that requires an instance of Serializable -- the vast majority of type, that API will be the java.io.ObjectInputStream and java.io.ObjectOutputStream APIs. If you don't interact with those kinds of APIs, you don't need to implement the Serializable. And in fact, most modern codebases don't rely on ObjectInputStream and ObjectOutputStream to perform serialization, and so most codebases won't bother to have their classes implement Serializable even if though they still intended to serialize those objects -- they simply intend to use a different API to perform that serialization. Answer from Nebu on reddit.com
🌐
Reddit
reddit.com › r/javahelp › explain like i'm five - what is serializable?
r/javahelp on Reddit: Explain like i'm five - what is Serializable?
April 26, 2024 -

I just don't get it. I'm a junior and see it often in the codebase of the company i work at. Documentation says that it helps serialize and deserialize objects, but why does that need to happen using this interface? There are so many classes that do not implement Serializable, so what happens to them?
Head First Java book says that objects need to be serialized when data is sent over the network or saved to a disk. But there is serialization/deserialization happening to JSON objects for example when they're being sent from server to client and vice versa, and those classes do not implement Serializable.
So in which "special" scenario does one need/want to implement Serializable?

🌐
Baeldung
baeldung.com › home › java › core java › different serialization approaches for java
Different Serialization Approaches for Java | Baeldung
July 18, 2025 - Their main purpose is to save the state of an object so that we can recreate it when needed. In this tutorial, we’ll explore different serialization approaches for Java objects.
Discussions

xml - What is the need of serialization of objects in Java? - Stack Overflow
Pretty much any communication between ... is required. ... When you want to save an object's state into a file or send it over the network, you need to transform it into a series of bytes. This is called serialization. Java has a built-in mechanism for that, other options include XML or JSON... More on stackoverflow.com
🌐 stackoverflow.com
Java JSON serialization - best practice - Stack Overflow
I need to implement JSON serialization for some objects, and I've encountered a problem when it came to integration with generic collections. All serializable classes implement this interface ( More on stackoverflow.com
🌐 stackoverflow.com
json - Java Serialization for long-ish-term storage - Software Engineering Stack Exchange
Originally I've been using JSON to store the data, but that has a few issues, mostly that it's slow (it can take 8-10 seconds to read all the objects on my lower-end machine) and also, it's very common for the objects in my database to have fields that point to the same object. Java serialization ... More on softwareengineering.stackexchange.com
🌐 softwareengineering.stackexchange.com
September 29, 2014
java - Why does Jackson implement Serializable? - Stack Overflow
StdDeserializer extends JsonDeserializer implements Serializable, Gettable · (I don't see that T is required to be serializable, only the serializer?) Now, what I do not understand is why why are still dealing with this concept of binary java object serialization when we are mostly handling ... More on stackoverflow.com
🌐 stackoverflow.com
🌐
Oracle
blogs.oracle.com › javamagazine › java-json-serialization-jackson
Efficient JSON serialization with Jackson and Java | javamagazine
In modern Java applications, serialization is usually performed using an external library as an explicitly application-level concern, with the result being a document encoded in a widely deployed serialization format. The serialization document, of course, can be stored, retrieved, shared, and archived. A preferred format was, once upon a time, XML; in recent years, JavaScript Object Notation (JSON) has become a more popular choice.
🌐
CodeMiner42
blog.codeminer42.com › home › posts › serialization and deserialization in java using jackson
Serialization and Deserialization in Java using Jackson - The Miners
May 29, 2023 - A practical guide on how to serialize and deserialize objects to JSON in Java using Jackson. ... Before we start working with serialization and deserialization in Java we need to understand what these terms actually mean. Serialization is the process of converting the state of an object to a byte stream in a way that the byte stream can be reverted into a copy of the original object.
🌐
CodeGym
codegym.cc › courses › java collections › serialization into json
Course Java Collections - Lecture: Serialization into JSON
We take ObjectMapper and pass it ... with JSON, as well as the class of the object to be deserialized. Then we call the readValue method, and as output we get a ready-made Java object with all of the data." "Well, that's exactly like deserialization in Java." "Almost. There are several requirements placed on objects serialized into, or ...
Top answer
1 of 9
209

Short story about serialization

After many years of hard work, Earth's scientists developed a robot who can help them in daily work. But this robot had fewer features than the robots developed by the scientists from planet Mars.

After a meeting between both planets' scientists, it is decided that Mars will send their robots to Earth. But a problem occurred. The cost of sending 100 robots to Earth was $100 million. And it takes around 60 days of traveling.

Finally, Mars' scientists decided to share their secret with Earth's scientists. This secret was about the structure of class/robot. Earth's scientists developed the same structure on Earth itself. Mars' scientists serialized the data of each robot and sent it to earth. Earth's scientists deserialized the data and fed it into each robot accordingly.

This process saved them time in communicating a massive amount of data.

Some of the robots were being used in some defensive work on Mars. So their scientists marked some crucial properties of those robots as transient before sending their data to Earth. Note that the transient property is set to null (in case of reference) or to the default value (in case of the primitive type) when the object gets deserialized.

One more point noticed by Earth's scientists is that Mars' scientists asked them to create some static variables to keep details about the environment. These details are used by some robots. But Mars' scientists don't share these details. Because Earth's environment was different from Mars' environment.

Even though knowing about the robot class structure and having serialized data Earth's scientist were not able to deserialize the data which can make robots working.

Exception in thread "main" java.io.InvalidClassException:
SerializeMe; local class incompatible: stream classdesc
:

Mars' scientists were waiting for the complete payment. Once the payment was done Mars' scientists shared the serialversionUID with Earth's scientists. Earth's scientist set it to robot class and everything started working.

Update

Though with the help of serialization, they became able to send data using signals instead of actual spaceship, they realized that sending large set of data was still a challenge. Serialization make the process cheaper and faster but it was still slow. Hence the different scientists came up with different ideas to reduce the data size. Some scientists suggested to compress the data and some suggested to use different mechanism to represent it so it can be deserialized back. Some of the ideas are XML, JSON, msgpack, Nimn

2 of 9
159

Serialization is usually used When the need arises to send your data over network or stored in files. By data I mean objects and not text.

Now the problem is your Network infrastructure and your Hard disk are hardware components that understand bits and bytes but not JAVA objects.

Serialization is the translation of your Java object's values/states to bytes to send it over network or save it.

This is analogous to how your voice is transmitted over PSTN telephone lines.

🌐
GeeksforGeeks
geeksforgeeks.org › java › serialization-and-deserialization-in-java
Serialization and Deserialization in Java - GeeksforGeeks
June 1, 2026 - Converts stored byte stream data back into the original Java objects. Preserves object state, making objects usable just as they were before serialization. Facilitates data exchange between different applications, systems, or network environments.
Find elsewhere
🌐
Medium
medium.com › @bubu.tripathy › json-serialization-and-deserialization-in-java-2a3f08266b70
JSON Serialization and Deserialization in Java | by Bubu Tripathy | Medium
April 9, 2023 - In JSON serialization, the Jackson library will typically only output fields that are defined as properties in the Java class being serialized. However, in some cases, you may want to handle additional properties that are not explicitly defined in your Java class, for example, when dealing with JSON objects that have dynamic properties. In such cases, you can use the @JsonAnySetter and @JsonAnyGetter annotations in your Java class to handle these dynamic properties. The @JsonAnySetter annotation is used to indicate that any properties in the JSON input that are not explicitly mapped to Java fields should be handled by the annotated method.
🌐
Medium
medium.com › @AlexanderObregon › mechanics-of-json-serialization-and-deserialization-in-spring-boot-4bb02f19dd3e
Mechanics of JSON Serialization and Deserialization in Spring Boot
February 19, 2025 - Custom serialization allows modifying the way Java objects are written as JSON, while custom deserialization customizes how JSON data is converted back into Java objects. These customizations are often used to handle special formats, change ...
🌐
OpenJDK
openjdk.org › projects › amber › design-notes › towards-better-serialization
Towards Better Serialization
We should seek to support serialization of data, not objects. For example, many modern services are built around exchanging JSON documents — which cannot even represent the notion of object identity! The fact that JSON is considered a viable encoding strategy for nearly all services underscores ...
🌐
Quora
quora.com › Why-is-serialization-required-in-Java
Why is serialization required in Java? - Quora
Answer (1 of 15): With the ever-increasing boom of the IT industry, our reliance on it seems to be growing with every passing day. In a bid to stay relevant within the industry, steady growth has pushed many working professionals to take up programming languages. While the industry makes use of s...
🌐
DEV Community
dev.to › brunooliveira › practical-java-16-using-jackson-to-serialize-records-4og4
Practical Java 16 - Using Jackson to serialize Records - DEV Community
April 24, 2021 - The constructor, the getters and the attributes, add a lot of clutter, but, it's the only way to have a DTO to be serialized by Jackson, as the getters are required so that the library can write them to JSON internally, if we are below Java 16.
🌐
Vaadata
vaadata.com › home › technical › modifying java serialized objects as easily as json
Modifying Java Serialized Objects as Easily as JSON
April 11, 2024 - This tool is used when we need to interact with serialized Java objects because it makes them easier to manipulate. The idea is to convert a stream of objects into a JSON document and vice versa.
Top answer
1 of 1
7

I was in contact with Tatu Saloranta, the maintainer of Jackson, about just this question after looking at the commit that introduced this for the StdSerializer class and he answered in detail! Publishing his answer here:

The truth is this came as a user request, and as I recall, there are maybe 2 use cases where this might be useful. Second of them could sort of qualify for "moving objects between different JVMs". I'd have to agree that neither of these use cases seems like particularly common pattern, fwtw.

First one that was bit more exotic (and may or may not be relevant at this point) was for Android use case for its thaw/unthaw (or whatever it is called when app goes into background mode, back, wrt XmlMapper (XML-backed ObjectMapper) -- if so, performance was apparently much better if using JDK serialization, compared to re-creating mapper instance. I don't know if that is still the case or not.

Second, more widely applicable use case would be for platforms like Spark (or Hadoop, perhaps Flink/Apache Beam), in which a coordinator node may want to configure mapper in some way, and then send it to worker nodes initialized to particular settings (including also registered modules, which is how serializers/deserializers would be relevant). If so, performance isn't the key but ability to have exact configuration to use.

But trying to make/keep (de)serializers JDK serializable is a drag and it is something I am happy I can drop from Jackson 3.x (whenever that gets released :) ). ObjectMappers are still JDK serializable, but without requiring many/most of internal components to be. This is done by changing the way mappers are constructed and I probably shouldn't go too deep into details here. :)

🌐
SATHEE
sathee.iitk.ac.in › home › article › miscellaneous › serialization in java- exploring the importance advantages and disadvantages
SATHEE: Serialization In Java- Exploring The Importance Advantages And Disadvantages
It is the process of converting a complex, live object into a format that can be easily stored, transported, or reconstructed. In this section, we will explore the art and science of Java object serialization, exploring the steps and techniques required to encapsulate an object’s state and behaviour into a byte stream, making it portable and persistently retrievable.
Top answer
1 of 5
27

Any time you deserialize an object by calling ObjectInputStream.readObject, you have a remote code execution vulnerability: if someone can make you deserialize the wrong bytes, they can run any command on your computer.

The exploit works by creating an object that will run evil code inside its readObject method, which is called during the process of deserialization, then serializing this object and making you deserialize it. At first glance, you'd think this could only happen if the attacker could load an evil class into your program, in which case they've already hacked your program with or without serialization. However, there are several ways to create an "evil object" using only classes from common libraries (example) and in the future one might be found in the standard library, which would work in every program.

If you happen to be familiar with CVE-2010-0840 (escaping the Java applet sandbox using "Trusted Method Chaining") the concept is very similar but the details are completely different.

The exploit occurs during the process of deserialization, inside readObject, so nothing you do after readObject returns can prevent it.

For more details, see the writeup.

You can prevent the exploit in a cumbersome way, by creating a subclass of ObjectInputStream, overriding the resolveClass method so that only the specific classes you want to be deserialized can be resolved, and using this subclass for deserialization, or by calling setObjectInputFilter with an appropriate filter before reading any objects.

2 of 5
22

"never" is a strong word. However, when the official documentation of a class starts with a bold security warning:

Warning: Deserialization of untrusted data is inherently dangerous and should be avoided. Untrusted data should be carefully validated according to the "Serialization and Deserialization" section of the Secure Coding Guidelines for Java SE. Serialization Filtering describes best practices for defensive use of serial filters.

(emphasis in original)

it's probably a good idea to take that warning seriously.

In a nutshell, the problem with Java Serialization is that the classes to be instantiated are determined by the serialized data. That is, the data controls with objects are created, and can instantiate any (serializable) class available to your program. In addition, classes can declare methods to be invoked upon deserialization, which allows an attacker to invoke any such method with any input. While care should be taken to harden such methods against misuse, their sheer number makes it virtually certain that at least one class in your classpath remains vulnerable, and can be exploited by the attacker.

(Yes, after the object has been instantiated and returned to your code, your code will notice that the object is of the wrong type and raise an error. However, that happens after the attacker-selected code has executed, and is therefore too late to prevent remote code execution, resource exhaustion, or whatever else the vulnerable method did)

More modern serialization libraries prevent this by asking the caller for the expected class, rather than trusting the data. For instance, with a Jackson ObjectMapper, you'd write:

    var person = objectMapper.readObject(Person.class)

That puts control of which classes are instantiated into the hands of the receiving rather than the sending program.

To mitigate the risk in cases where we can't switch to a more modern data format, ObjectInputStreams have been extended with filtering options. However, due to backward compatiblity concerns, these protections are disabled by default. They are also somewhat onerous to configure. And filters just restrict which classes can be instantiated - if one of those is vulnerable, you can still be owned.

Overall, the official recommendation that Java Serialization should not be used with untrusted data is entirely reasonable.

Now, one might argue that Java Serialization remains suitable if data comes from a trusted source. I'd disagree, because

  1. it's quite possible that even though the data is trusted now, it may become untrusted in the future. For instance, suppose you use Java Serialization for session persistence. Sounds harmless, right? But suppose the customer reports some weird error when reading persisted sessions. To diagnose the issue, you ask them for the session file and load it in your dev environment. Oops.
  2. in the event that a trusted system is compromised, Java Serialization can be used to escalate the compromise to your system

What could possibly justify these risks? The only things in favor of Java Serialization are that it is part of the JDK and easy to use. But more modern serialization libraries are also easy to use, and often have a more readable, text-based wire format such as JSON, which helps greatly with debugging. (One might expect Java Serialization's binary format to be more compact, but it also contains a lot more metadata, which can more than offet the gains from the binary format). And in the age of Maven (or whichever dependency managment tool you prefer), pulling in an additional library is not nearly as hard as it used to be.

Overall, I find the recommendation to "never use Java Serialization" quite sensible. It's one of those early Java technologies that did not anticipate the security challenges we face today.

🌐
Skillsoft
skillsoft.com › home › serialization in java: using json in java for serialization & parsing
Serialization in Java: Using JSON in Java for Serialization & Parsing - Java - BEGINNER - Skillsoft
The JavaScript Object Notation (JSON) format is a widely used data format for serializing the internal state of objects to a structured and human-readable format. Take this course to explore the org.json library, which offers powerful features and constructs for the serialization of Java objects to the JSON format and parsing JSON files and structures.
🌐
SourceForge
flexjson.sourceforge.net
JSON Serialization Usage
The return value will always be the exact same reference passed as the 2nd parameter to deserializeInto(). If there is a valid field in the json it will always overwrite what's in memory this includes null values too. This only supports deserializing into Java beans not collections. Finally, JSONSerializer and JSONDeserializer instances can be reused to serialize/deserialize many objects of the same type.