January 19, 2020
Hot Topics:

Java Language Integrity & Security: Serializing Classes

  • February 5, 2007
  • By Matt Weisfeld
  • Send Email »
  • More Articles »

This series, The Object-Oriented Thought Process, is intended for someone just learning an object-oriented language and who wants to understand the basic concepts before jumping into the code, or someone who wants to understand the infrastructure behind an object-oriented language he or she is already using. These concepts are part of the foundation that any programmer will need to make the paradigm shift from procedural programming to object-oriented programming.

Click here to start at the beginning of the series.

In keeping with the code examples used in the previous articles, Java will be the language used to implement the concepts in code. One of the reasons that I like to use Java is because you can download the Java compiler for personal use at the Sun Microsystems Web site http://java.sun.com/. You can download the standard edition, J2SE 5.0, at http://java.sun.com/j2se/1.5.0/download.jsp to compile and execute these applications. I often reference the Java J2SE 5.0 API documentation and I recommend that you explore the Java API further. Code listings are provided for all examples in this article as well as figures and output (when appropriate). See the first article in this series for detailed descriptions for compiling and running all the code examples.

In the previous column, you explored some of the behaviors of dynamically loaded classes as they relate to the topics of performance and security, http://www.developer.com/java/data/article.php/3652286. Specifically, you attempted to insert a rogue class into the loading process to see whether you could compromise the integrity of the class loading process. In this article, you will expand this concept within the constraints of a client/server model.

The code examples in this series are meant to be a hands-on experience. There are many code listings and figures of the output produced from these code examples. Please boot up your computer and run these exercises as you read through the text.

The Code Example

Please revisit an earlier article in this series, "Serializing an Object via a Client/Server Connection," to provide you with an example that you can use to illustrate this month's topic. Diagram 1 shows the basic framework that you will use for this example. There are three files in this example: Employee.java, Server.java, and Client.java.

Diagram 1: Client/Server Framework

The basic concept is this:

  • An Employee object is created.
  • Attributes in the Employee object are set.
  • The client sends an Employee object that is sent across a network.
  • The server accepts the Employee object.
  • The server changes the Employee object's attributes.
  • The server sends the Employee object back to the client.
  • The client verifies that the attributes were indeed altered.

You create a class called Employee as seen in Listing 1. In this case, you prune the class significantly from the example in the earlier article so that you can concentrate on the concept of loading the class.

Listing 1: The Employee Class

import java.io.*;
import java.util.*;

public class Employee implements Serializable {

   private int employeeNumber;

   Employee(int num) {
      employeeNumber = num;

   public int getEmployeeNumber() {
      return employeeNumber ;

   public void setEmployeeNumber(int num) {
      employeeNumber = num;


Likewise, you can adjust the code in the client and server to correspond with the lighter version of the Employee class.

The complete code for the Client class is shown in Listing 2.

Listing 2: The Client Class

import java.io.*;
import java.net.*;

public class Client {

   public static void main(String[] arg) {
      try {
         Employee joe = new Employee(150);

         System.out.println("original employeeNumber= " +

         Socket socketConnection = new Socket("", 11111);

         ObjectOutputStream clientOutputStream = new
         ObjectInputStream clientInputStream = new


         joe= (Employee)clientInputStream.readObject();

         System.out.println("updated employeeNumber= " +


      } catch (Exception e) {System.out.println(e); }

The complete code for the Server class is shown in Listing 3.

Listing 3: The Server Class

import java.io.*;
import java.net.*;

public class Server {

   public static void main(String[] arg) {

      Employee employee = null;

      try {

         ServerSocket socketConnection = new ServerSocket(11111);

         System.out.println("Server Waiting");

         Socket pipe = socketConnection.accept();

         ObjectInputStream serverInputStream = new

         ObjectOutputStream serverOutputStream = new

         employee = (Employee)serverInputStream.readObject();




      }  catch(Exception e) {System.out.println(e);


For a detailed description of the code contained in Server.java and Client.java, please refer to the article referenced earlier: http://www.developer.com/design/article.php/3597071.

Page 1 of 3

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date