What is serialization and deserialization in Java?
Serialization is the process of converting a Java object's state into a byte stream so it can be persisted to disk, stored in a database, or transmitted over a network. Deserialization is the inverse: reconstructing an object from that byte stream. Together, they enable objects to outlive the JVM process that created them.
To make a class serializable, it must implement the java.io.Serializable marker interface, which has no methods. The JVM's built-in serialization mechanism then handles the conversion automatically using ObjectOutputStream for writing and ObjectInputStream for reading.
Each serializable class should declare a private static final long serialVersionUID field. This value is embedded in the serialized stream and checked during deserialization. If the class on the reading side has a different serialVersionUID than the one in the stream, an InvalidClassException is thrown. Omitting serialVersionUID means the JVM auto-generates it from class structure — any field addition or removal will change it and break existing serialized data.
Serialization has important caveats. It is shallow by default in the sense that all referenced objects must also be Serializable (or declared transient). It bypasses constructors — the object is reconstructed by directly setting field values from the stream, so any validation logic in constructors is not executed. This is a known security attack vector: malicious serialized data can create objects in invalid states.
For production systems, Java's built-in serialization is often avoided in favor of explicit formats like JSON (Jackson, Gson), Protocol Buffers, or Avro, which are language-agnostic, more efficient, and safer. Built-in serialization is appropriate for short-lived use cases like Java RMI or HttpSession persistence in application servers.
Customization hooks include readObject/writeObject for field-level control, readResolve/writeReplace for singleton preservation, and the Externalizable interface for complete control over the format.
Correctly describes the concept, mentions Serializable interface and ObjectOutputStream/ObjectInputStream, and notes serialVersionUID purpose.
Adds constructor bypass security implication, transient interaction, serialVersionUID versioning mechanics, and mentions real-world alternatives like JSON or Protobuf.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment