Serialization has been a part of the Java Platform since the 1.1 release. While serialization brings with it a lot of utility and was key in Java's early success, it does have some pretty significant issues as well. In this episode of Stack Walker, we review the history of serialization, the concerns it was attempting to address, and how some of those design decisions have resulted in more than a few headaches for JDK engineers and Java developers alike. We will then look at how the JDK engineering team is working towards addressing the issues that serialization presents and ultimately a replacement. 

Come to *JavaOne 2026* in Redwood City, March 17th-19th, and get $150 off with code J1WEB150: https://www.oracle.com/javaone/

Want to learn more about serialization, other topics, and finding your local Java Users Group (JUG)? Check out: https://dev.java 

*Additional Reading and Viewing:*
Towards Better Serialization: https://openjdk.org/projects/amber/design-notes/towards-better-serialization
Why We Hate Java Serialization And What Might Do About It: https://www.youtube.com/watch?v=dOgfWXw9VrI
Serialization 2 0: A Marshalling Update!: https://www.youtube.com/watch?v=F89sNgG9dRY
https://openjdk.org/jeps/290
https://openjdk.org/jeps/395

0:00 Intro
2:15 History of Serialization
5:30 How Serialization Works
8:23 Serialization's Flaws
9:07 Extra Linguistic
10:15 Polymorphism and Confinement
11:21 Difficult to Use Features
12:39 Undermines final
14:19 Thread Safety
14:54 Inhibits JDK Evolution
15:15 The Way Forward
17:02 Conclusion

Attributions:
https://commons.wikimedia.org/w/index.php?curid=6372844
https://commons.wikimedia.org/w/index.php?curid=9886955
https://lotr.fandom.com/wiki/Gandalf
https://commons.wikimedia.org/w/index.php?curid=49570

Tags: #Java #JDK #javaprogramming

Java (Official Oracle)

Java serialization, introduced in Java 1.1 (1997), was designed to solve object persistence and distributed computing needs via RMI. Its ease of use drove widespread adoption, but the mechanism has significant problems: it bypasses constructors during deserialization, undermines encapsulation and final fields, enables polymorphism/confinement attacks via malicious class injection, creates thread-safety hazards, forces code duplication, and inhibits JDK evolution due to backwards compatibility requirements. Mitigations include configurable serialization filters (JEP 290, JDK 9) and special handling for records (JDK 16). The JDK team is working toward a serialization 2.0 that reduces reflection magic and requires explicit intermediate representations, though a full replacement is still in progress.

Java Serialization: Spooky Action at a Distance