public class User implements Serializable {
//class attributes, constructors, setters and getters as shown above
/**
* Always treat de-serialization as a full-blown constructor, by validating the final state of the de-serialized object.
*/
private void readObject(ObjectInputStream aInputStream) throws ClassNotFoundException, IOException
{
// perform the default de-serialization first
aInputStream.defaultReadObject();
// make defensive copy of the mutable Date field
dateOpened = new Date(dateOpened.getTime());
// ensure that object state has not been corrupted or tampered with malicious code
//validateUserInfo();
}
/**
* This is the default implementation of writeObject. Customize as necessary.
*/
private void writeObject(ObjectOutputStream aOutputStream) throws IOException {
//ensure that object is in desired state. Possibly run any business rules if applicable.
//checkUserInfo();
// perform the default serialization for all non-transient, non-static fields
aOutputStream.defaultWriteObject();
}
}
Serialization of inner classes, including local and anonymous classes, is strongly discouraged. When the Java compiler compiles certain constructs, such as inner classes, it creates synthetic constructs; these are classes, methods, fields, and other constructs that do not have a corresponding construct in the source code. Synthetic constructs enable Java compilers to implement new Java language features without changes to the JVM. However, synthetic constructs can vary among different Java compiler implementations