
Deserialization

Deserialization is the reverse process of serialization. It converts a byte stream back into a live Java object, restoring the object’s state exactly as it was at the time of serialization.

This is a high-frequency interview topic, usually asked together with serialization, transient, and serialVersionUID.

What Is Deserialization?

  • Converts byte stream → Java object
  • Reconstructs object state from serialized data
  • Uses ObjectInputStream
  • Creates a new object in memory

Why Deserialization Is Needed

  • Restore objects from files
  • Receive objects over network
  • Reload cached objects
  • Session restoration in applications

Deserialization Flow (Conceptual)

Serialized File / Network Stream
          ↓
ObjectInputStream.readObject()
          ↓
New Java Object (state restored)

Basic Deserialization Example

Serializable Class

import java.io.Serializable;

class Employee implements Serializable {
    // Explicit UID: the value written into the stream must match this on readObject()
    private static final long serialVersionUID = 1L;

    int id;
    String name;

    Employee(int id, String name) {
        this.id = id;
        this.name = name;
    }
}

Deserialization Code

import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;

// try-with-resources closes the stream even if readObject() throws
try (ObjectInputStream ois =
         new ObjectInputStream(new FileInputStream("emp.ser"))) {

    // readObject() rebuilds the Employee from the stream; the constructor is not run
    Employee e = (Employee) ois.readObject();
    System.out.println(e.id + " " + e.name);

} catch (IOException | ClassNotFoundException ex) {
    ex.printStackTrace();
}

✔ Object recreated
✔ Same state as during serialization
✔ Constructor NOT called

Key Rules of Deserialization (Interview Critical)

  1. Class must implement Serializable
  2. serialVersionUID must match
  3. Constructors are NOT executed
  4. Static fields are NOT restored
  5. Transient fields get default values
  6. New object is created in heap

What Happens to Different Fields?

Field Type        | Deserialization Behavior
------------------|--------------------------------
Instance variable | Restored
transient         | Default value (null, 0, false)
static            | Not restored
final             | Restored (if serialized)

serialVersionUID and Deserialization (Very Important)

private static final long serialVersionUID = 1L;

If the serialVersionUID in the stream does not match the loaded class, readObject() throws:

java.io.InvalidClassException

  • ✔ Same UID → success
  • ❌ Different UID → failure

Parent Class Behavior (Interview Trap)

Case 1: Parent is Serializable

  • Parent fields are restored
  • Parent constructor NOT called

Case 2: Parent is NOT Serializable

  • Parent no-arg constructor IS called
  • Parent fields initialized normally

Custom Deserialization (Advanced)

Define a private readObject(ObjectInputStream) method for custom logic. It is not an override of a superclass method: ObjectInputStream looks it up by its exact signature and invokes it during deserialization.

private void readObject(ObjectInputStream ois)
        throws IOException, ClassNotFoundException {

    ois.defaultReadObject();   // restore the non-transient fields first
    // custom validation / logic on the restored state
}

✔ Used for:

  • Validation
  • Decryption
  • Reinitializing transient fields

Deserialization Security Risks (Real-World)

  • Malicious serialized data
  • Arbitrary code execution
  • Object injection attacks

Mitigation

  • Never deserialize untrusted data
  • Validate object state
  • Use filtering (ObjectInputFilter)
  • Prefer JSON/XML for APIs
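A complete, runnable program that ties the custom readObject() validation hook and the ObjectInputFilter allow-list together. This is an added example, not code from the original page; the Employee fields, the filter pattern and the rejected ArrayList are assumptions chosen for illustration.

```java
import java.io.*;

public class DeserializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Allow-list filter (Java 9+): Employee and String pass; any other class is rejected before it is instantiated
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter("Employee;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Employee(7, "Alice", "tok-123"));
        Employee e = (Employee) deserialize(data);  // state restored, constructor skipped
        System.out.println(e.id + " " + e.name + " token=" + e.sessionToken);
        try {  // ArrayList is not on the allow-list, so the filter rejects the stream
            deserialize(serialize(new java.util.ArrayList<String>()));
        } catch (InvalidClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}

class Employee implements Serializable {
    private static final long serialVersionUID = 1L;
    int id;
    String name;
    transient String sessionToken;  // skipped by serialization, null after deserialization

    Employee(int id, String name, String sessionToken) {
        this.id = id; this.name = name; this.sessionToken = sessionToken;
        System.out.println("constructor called");  // not run when readObject() rebuilds the object
    }

    // Custom hook: restore the default fields first, then validate the restored state
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        if (id <= 0 || name == null || name.isEmpty()) {
            throw new InvalidObjectException("invalid Employee state: id=" + id);
        }
    }
}
```

Run it with `java DeserializationDemo.java` (Java 11+): the constructor message appears only for the object built in main, and the second deserialize() call fails with the filter's rejection instead of creating an ArrayList.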

Serialization vs Deserialization (Quick Compare)

Aspect             | Serialization      | Deserialization
-------------------|--------------------|------------------
Direction          | Object → Stream    | Stream → Object
Main class         | ObjectOutputStream | ObjectInputStream
Constructor called | ❌ No              | ❌ No
Purpose            | Save / send        | Restore

Common Beginner Mistakes

  • Expecting constructor to run
  • Forgetting serialVersionUID
  • Assuming transient values restore
  • Deserializing untrusted data
  • Class mismatch between serialize/deserialize

Interview-Ready Answers

Short Answer

Deserialization converts a byte stream back into a Java object.

Detailed Answer

In Java, deserialization is the process of reconstructing an object from its serialized byte stream using ObjectInputStream. It restores the object’s state without invoking constructors and requires the class to implement Serializable with a compatible serialVersionUID.

Key Takeaway

Deserialization restores object state, not object behavior. Understand constructor behavior, transient fields, and UID compatibility to avoid runtime failures and security issues.