CodeQL documentation

Serialization methods do not match required signature

ID: java/wrong-object-serialization-signature
Kind: problem
Severity: warning
Precision: medium
Tags:
   - reliability
   - maintainability
   - language-features
Query suites:
   - java-security-and-quality.qls


A serializable class that customizes its serialization protocol with readObject and writeObject must declare those methods with the exact signature that the Java serialization framework looks up by reflection. If the signature differs, the framework silently ignores the method and falls back to the default serialization mechanism, so any validation or other defensive logic written into the custom method never runs.

Recommendation

Make sure that readObject and writeObject on serializable classes use these exact signatures:

private void readObject(ObjectInputStream in)
     throws IOException, ClassNotFoundException;
private void writeObject(ObjectOutputStream out)
     throws IOException;

The serialization runtime looks these methods up reflectively on each class in the hierarchy and requires them to be private, non-static, return void, and take exactly one parameter of the type shown. A method that differs in any of these respects (for example, one declared package-private or protected) is ignored without any warning. Because the methods are private they are not inherited: every class that needs custom handling must declare its own pair. Classes that implement Externalizable use readExternal and writeExternal instead and are not covered by this rule.


Example

In the following example, WrongNetRequest declares readObject and writeObject with the wrong access modifiers, so the serialization runtime ignores them and uses the default mechanism instead. NetRequest declares them correctly.

import java.io.*;

class WrongNetRequest implements Serializable {
	// BAD: Not private, so it does not match the exact signature required for a
	// custom deserialization protocol. Will not be called during deserialization.
	void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
		in.defaultReadObject();
	}
	// BAD: protected rather than private, so it does not match the exact signature
	// required for a custom serialization protocol. Will not be called during serialization.
	protected void writeObject(ObjectOutputStream out) throws IOException {
		out.defaultWriteObject();
	}
}

class NetRequest implements Serializable {
	// GOOD: Signature for a custom deserialization implementation.
	private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
		in.defaultReadObject();
	}
	// GOOD: Signature for a custom serialization implementation.
	private void writeObject(ObjectOutputStream out) throws IOException {
		out.defaultWriteObject();
	}
}
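To see the consequence end to end, the following added example (it is not part of the CodeQL documentation or of any project; the class name SerializationSignatureDemo, the port field and its range check are assumptions chosen for illustration) round-trips both classes through an object stream. Each readObject validates a port field after in.defaultReadObject(), which is the kind of defensive check that typically lives in a custom readObject and that a wrong signature silently disables.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializationSignatureDemo {

    // BAD: readObject is package-private and writeObject is protected, so
    // ObjectInputStream/ObjectOutputStream never find them by reflection.
    // The port check in readObject is dead code during deserialization.
    static class WrongNetRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        int port; // assumed field for the demonstration

        WrongNetRequest(int port) { this.port = port; }

        void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            System.out.println("WrongNetRequest.readObject ran");
            in.defaultReadObject();
            if (port < 1 || port > 65535) {
                throw new InvalidObjectException("port out of range: " + port);
            }
        }

        protected void writeObject(ObjectOutputStream out) throws IOException {
            System.out.println("WrongNetRequest.writeObject ran");
            out.defaultWriteObject();
        }
    }

    // GOOD: exact signatures, so both hooks run and the port check is enforced.
    static class NetRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        int port; // assumed field for the demonstration

        NetRequest(int port) { this.port = port; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            System.out.println("NetRequest.readObject ran");
            in.defaultReadObject();
            if (port < 1 || port > 65535) {
                throw new InvalidObjectException("port out of range: " + port);
            }
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            System.out.println("NetRequest.writeObject ran");
            out.defaultWriteObject();
        }
    }

    // Serialize any object to a byte array using the standard object stream.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Deserialize a byte array produced by serialize().
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: both objects carry an out-of-range port of -1.
        WrongNetRequest wrong = (WrongNetRequest) deserialize(serialize(new WrongNetRequest(-1)));
        System.out.println("WrongNetRequest deserialized without complaint, port=" + wrong.port);

        try {
            deserialize(serialize(new NetRequest(-1)));
        } catch (InvalidObjectException e) {
            System.out.println("NetRequest rejected: " + e.getMessage());
        }
    }
}
```

Running the class shows that neither WrongNetRequest hook is ever entered and the invalid object is reconstructed silently, whereas NetRequest logs both hooks and its deserialization fails with InvalidObjectException. Only the access modifier differs between the two classes; the throws clauses and method bodies play no part in whether the runtime finds the method.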