Interface SessionSerializer

    • Method Detail

      • serialize

        @Deprecated
        default <T> void serialize(Class<T> type,
                                   T value,
                                   OutputStream out)
                            throws Exception
        Deprecated.
        since 1.9
        Writes the given value to the output stream as bytes.

        This method has been superseded by serialize(Class, Object, OutputStream, SessionTypeFilter) in 1.9. Implementations should not implement this method, but that instead.

        Type Parameters:
        T - the type of the object
        Parameters:
        type - the declared type of the object
        value - the value to serialize
        out - the destination for the bytes
        Throws:
        Exception - if the value could not be serialized
      • serialize

        default <T> void serialize(Class<T> type,
                                   T value,
                                   OutputStream out,
                                   SessionTypeFilter typeFilter)
                            throws Exception
        Writes the given value to the output stream as bytes.

        Implementations MUST take care to check that all types serialized are allowed to be serialized as per typeFilter. This includes the type of value and the transitive types referenced by it. Implementations should use SessionTypeFilter.assertAllowed(String).

        To enable backwards compatibility, the default implementation delegates to serialize(Class, Object, OutputStream) after logging a warning about the inherent security vulnerability in not checking the suitability of types. All implementations should implement this method and not that method.

        Type Parameters:
        T - the type of the object
        Parameters:
        type - the declared type of the object
        value - the value to serialize
        out - the destination for the bytes
        typeFilter - the filter that determines whether a type is session safe and allowed to be serialized
        Throws:
        Exception - if the value could not be serialized
      • deserialize

        @Deprecated
        default <T> T deserialize(Class<T> type,
                                  InputStream in)
                           throws Exception
        Deprecated.
        since 1.9
        Reads the bytes of the given input stream, creating a new object.

        This method has been superseded by deserialize(Class, InputStream, SessionTypeFilter) in 1.9. Implementations should not implement this method, but that instead.

        Type Parameters:
        T - the type of the object
        Parameters:
        type - the expected type of the object
        in - the source of the bytes
        Returns:
        the object
        Throws:
        IOException - any thrown by in
        Exception - if the value could not be deserialized
      • deserialize

        default <T> T deserialize(Class<T> type,
                                  InputStream in,
                                  SessionTypeFilter typeFilter)
                           throws Exception
        Reads the bytes of the given input stream, creating a new object.

        Implementations MUST take care to check that all types to be deserialized are allowed to be deserialized as per typeFilter. This includes the type of the object being deserialized and the transitive types referenced by it. Implementations should use SessionTypeFilter.assertAllowed(String).

        To enable backwards compatibility, the default implementation delegates to deserialize(Class, InputStream) after logging a warning about the inherent security vulnerability in not checking the suitability of types. All implementations should implement this method and not that method.

        Type Parameters:
        T - the type of the object
        Parameters:
        type - the expected type of the object
        in - the source of the bytes
        typeFilter - the filter that determines whether a type is session safe and allowed to be deserialized
        Returns:
        the object
        Throws:
        IOException - any thrown by in
        Exception - if the value could not be deserialized
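
An added example, not the project's own code, of an implementation of the two filter-aware methods described above: Java serialization is used, and SessionTypeFilter.assertAllowed(String) is consulted for the declared type and for every class descriptor that is written or read, which is how the transitive types are covered. It assumes this is Ratpack's interface in the ratpack.session package, and that assertAllowed throws an unchecked exception when a type is rejected.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;

import ratpack.session.SessionSerializer;  // package assumed, not stated on this page
import ratpack.session.SessionTypeFilter;

// Example implementation (not the project's own). Only the 1.9 filter-aware
// overloads are implemented, as the Javadoc above directs.
public class FilteringSessionSerializer implements SessionSerializer {

  @Override
  public <T> void serialize(Class<T> type, T value, OutputStream out,
                            SessionTypeFilter typeFilter) throws Exception {
    typeFilter.assertAllowed(type.getName()); // the declared type
    try (ObjectOutputStream oos = new ObjectOutputStream(out) {
      @Override
      protected void annotateClass(Class<?> cl) throws IOException {
        // Invoked once per class descriptor written: the value's class and
        // every class it transitively references (superclasses included).
        typeFilter.assertAllowed(cl.getName());
      }
    }) {
      oos.writeObject(value);
    }
  }

  @Override
  public <T> T deserialize(Class<T> type, InputStream in,
                           SessionTypeFilter typeFilter) throws Exception {
    typeFilter.assertAllowed(type.getName()); // the expected type
    try (ObjectInputStream ois = new ObjectInputStream(in) {
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc)
          throws IOException, ClassNotFoundException {
        // Reject by name before the class is loaded, so no readObject hook
        // or constructor of a disallowed type in the stream ever runs.
        typeFilter.assertAllowed(desc.getName());
        return super.resolveClass(desc);
      }
    }) {
      // Guards against a stream whose top-level object is an allowed type
      // but not the one the caller asked for.
      return type.cast(ois.readObject());
    }
  }
}
```

Array classes reach the filter under their JVM name (for example `[Ljava.lang.String;`), so a filter that should admit arrays of an allowed type needs to account for that form.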