Confused with SUID calculated during serialization of an object

I was reading about serialization and am confused about how the SUID calculated during object serialization is passed to another machine. The queries below are in the context of an object being serialized on one machine and passed to another.

a) Why is the SUID static?

b) If it is static and we're only passing the serialized object to another machine over the network, then how does the other JVM come to know the SUID calculated on the first machine? Since the calculated SUID is static and the object is serialized, how does the other JVM come to know the SUID calculated for the serialized object?

I googled but couldn't find an appropriate answer. Thanks in advance.

If I have correctly understood your question, you want to understand how the SUID is used internally. Let me summarize, in order to be sure that we share the same information.

Serialization allows you to convert a live object to a sequence of bytes, in order to store it somewhere or transmit it over a wire. More precisely, serialization saves the state of an object.

Serialization can also be used to send an object to a different environment, where a class with the same name is present too. The serialization contract says that equal object types must have the same SUID: so, e.g., if you generate a serialization of a "Foo" object with SUID=1, it can be deserialized as a live instance of Foo only if the related Foo class defines SUID=1 (or an InvalidClassException will be thrown).

The deserialization process restores class fields (the non-static and non-transient ones - that's why SUID is static), but the SUID must be the same. Anyway, if you do not declare a SUID, the JVM evaluates one for you (as the hash of the class itself - not of the object) and uses it as default, adding it to the serialized object. The serialization specification recommends always explicitly defining a SUID on a serializable object, because there are no guarantees that automatic evaluation of the SUID is the same on different JVMs, so it can happen that the SUID evaluation on the serializer is different from the evaluation on the deserializer (causing - as before - an InvalidClassException).

You can find further details here: https://docs.oracle.com/javase/8/docs/platform/serialization/spec/class.html#a4100

PS: you can find how the custom SUID for a class is evaluated by looking at the java.io.ObjectStreamClass.computeDefaultSUID(Class<?> cl) source code.
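Where the SUID actually travels, as an added example that is not part of the original answer: the sender writes it into the class descriptor at the start of the stream, and the receiver compares that value with its local class. The class name SuidInStream and the sample Foo (SUID=1, as in the answer's example) are constructed for illustration.

```java
import java.io.*;

public class SuidInStream {
    // Constructed sample class; Foo and SUID=1 mirror the example in the answer.
    static class Foo implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 42;
    }

    public static void main(String[] args) throws Exception {
        // Sender side: serialize one Foo into a byte array.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Foo());
        }
        byte[] bytes = bos.toByteArray();

        // Walk the start of the stream by hand: magic, version, TC_OBJECT,
        // TC_CLASSDESC, class name (UTF), then the 8-byte serialVersionUID.
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes));
        if (in.readShort() != ObjectStreamConstants.STREAM_MAGIC
                || in.readShort() != ObjectStreamConstants.STREAM_VERSION
                || in.readByte() != ObjectStreamConstants.TC_OBJECT
                || in.readByte() != ObjectStreamConstants.TC_CLASSDESC) {
            throw new IllegalStateException("unexpected stream layout");
        }
        String className = in.readUTF();
        long suidInStream = in.readLong();
        int suidOffset = bytes.length - in.available() - 8;
        long localSuid = ObjectStreamClass.lookup(Foo.class).getSerialVersionUID();
        System.out.printf("class=%s streamSUID=%d localSUID=%d offset=%d%n",
                className, suidInStream, localSuid, suidOffset);

        // Simulate a sender whose Foo declares a different SUID by rewriting
        // the low byte of the SUID in the stream (1 -> 2), then deserialize.
        bytes[suidOffset + 7] = 2;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
            System.out.println("deserialized (not expected)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The SUID is a version-compatibility check only: it sits unprotected in the stream next to the class name, so it is not an integrity or authenticity control for serialized data.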
