Hi Dan,

Wrt Java serialization, in.defaultReadObject() and out.defaultWriteObject() should pretty much always be called as the very first line in the readObject and writeObject implementations, respectively.

Josh Bloch covers this in his Effective Java book (2nd edition), page 299. While too lengthy to repeat here, it boils down to ensuring the class functions properly even as future modifications occur, as well as for real security reasons.

I can't comment as to whether or not your solution is fine for your needs, but this explains the reason why they are in Shiro's current implementation.

Cheers,
Les

P.S. As an aside, if anyone finds this next comment helpful, there are two Java books that I have at my desk that are indispensable to me: Josh Bloch's Effective Java (2nd edition) and Brian Goetz (et al.)'s Java Concurrency in Practice.

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Fri, Sep 23, 2011 at 4:19 PM, dan <[email protected]> wrote:
> Hi --
>
> In the writeObject() method of SimpleSession is a call to
> out.defaultWriteObject() before each field is written out. This call to
> defaultWriteObject() was causing exceptions for me (non-serializable, can't
> serialize WeakHashMap) so it got me thinking...
>
> My understanding is that defaultWriteObject() writes out the non-transient
> fields, and is used if a class doesn't explicitly have its own writeObject()
> method. Since writeObject() specifies exactly which fields to serialize, I
> don't think this call is useful ... in fact, it would just make the
> serialized stream bigger.
>
> I took it out of my code and saw no ill effect from it.
>
> Thanks,
> Dan
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/SimpleSession-serialization-tp6826037p6826037.html
> Sent from the Shiro User mailing list archive at Nabble.com.
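Added example, not part of the thread and not Shiro's SimpleSession: a hypothetical SessionLike class (field and method names are assumptions) showing the pattern Les describes, with defaultWriteObject()/defaultReadObject() as the first line of each hook. It also addresses Dan's failure mode by marking the non-serializable WeakHashMap transient instead of dropping the default call, and re-checks invariants on read, since readObject is fed untrusted bytes.

```java
import java.io.*;
import java.util.*;

// Illustrative class, not Shiro's SimpleSession. The WeakHashMap cache is
// transient, so defaultWriteObject() no longer fails on it; the hand-written
// field follows the default block and is validated on read.
public class SessionLike implements Serializable {
    private static final long serialVersionUID = 1L;
    private String id;
    private long lastAccess;
    // Non-serializable; rebuilt on read (field initializers do not run then).
    private transient Map<String, Object> cache = new WeakHashMap<>();
    // Written by hand below, only when non-empty.
    private transient Map<String, Object> attributes = new HashMap<>();

    public SessionLike(String id, long lastAccess) {
        this.id = Objects.requireNonNull(id);
        this.lastAccess = lastAccess;
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        // Always first: emits id and lastAccess via the class descriptor, so
        // a non-transient field added in a later version is handled too.
        out.defaultWriteObject();
        boolean hasAttrs = !attributes.isEmpty();
        out.writeBoolean(hasAttrs);
        if (hasAttrs) out.writeObject(new HashMap<>(attributes));
    }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();   // mirror of writeObject: default block first
        cache = new WeakHashMap<>();
        attributes = in.readBoolean()
                ? (Map<String, Object>) in.readObject() : new HashMap<>();
        // readObject is a constructor fed untrusted bytes: re-check invariants.
        if (id == null || lastAccess < 0) {
            throw new InvalidObjectException("corrupt session stream");
        }
    }

    public static void main(String[] args) throws Exception {
        SessionLike s = new SessionLike("sid-1", 1000L);   // constructed sample
        s.attributes.put("user", "alice");
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(s); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            SessionLike copy = (SessionLike) in.readObject();
            System.out.println(copy.id + " " + copy.attributes.get("user"));
        }
    }
}
```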
