How can I validate what I've just deserialized?

Tim Rohaly

When an object is deserialized, its internal state is restored to what it was at the time of serialization. So if you serialized a good object, you will get a good object back or an exception will be thrown.

However, there are times when you need to check more than just the state of the object. Take for example an object that represents a credit card, including cardholder name, credit card number, and expiration date. If this credit card is deserialized after its expiration date, then although its state is intact, the card is no longer valid and can't be used in a purchase transaction. This sort of information may be checked in the serializable object's readObject() method.

Because serialization saves and restores complete object graphs, you might also imagine there is a need to validate consistency of the entire graph. This cannot be done within a single object's readObject() method - it can only be done after all the objects in the graph are restored.

To validate an entire graph, you need to do two things:

  • provide an object which implements the java.io.ObjectInputValidation interface
  • register this object with the ObjectInputStream which is reading the graph

The java.io.ObjectInputValidation interface defines just the method validateObject() which is declared to throw an InvalidObjectException. Your validator object must provide an implementation for this method which checks the validity of the graph and throws this exception when needed.

The validator object must be registered with the stream during the read of the graph; this is usually done within a readObject() method by invoking the registerValidation() method on the ObjectInputStream, passing the stream a reference to the validator object.

Here is a short example which shows the mechanics of validation and demonstrates that the validation occurs after the object graph has been reconstituted. This simple example stores objects of type Validate in a collection, and validates upon deserialization that the collection is homogeneous.

import java.io.*;
import java.util.*;

public class Validate implements Serializable, ObjectInputValidation {

    Vector collection;

    public Validate(Vector collection) {
        this.collection = collection;

    private void readObject(ObjectInputStream in)
                 throws OptionalDataException, ClassNotFoundException,
                        IOException {
        System.out.println("reading object");
        in.registerValidation(this, 0);

    private void writeObject(ObjectOutputStream out) throws IOException {
        System.out.println("writing object");

    public void validateObject() throws InvalidObjectException {
        System.out.println("validating object");
        Enumeration e = collection.elements();
        while (e.hasMoreElements()) {
            if (!(e.nextElement() instanceof Validate))
                throw new InvalidObjectException("Not a homeogeneous collection!");

    public static void main(String[] args)
                       throws IOException, ClassNotFoundException {
        Vector collection = new Vector();
        for (int i=0; i<10; i++) {
            Validate obj = new Validate(collection);
        ObjectOutputStream out = new ObjectOutputStream(
                                     new FileOutputStream("validate.ser"));
        ObjectInputStream in = new ObjectInputStream(
                                   new FileInputStream("validate.ser"));
        try {
            Vector restored = (Vector) in.readObject();
        catch (InvalidObjectException e) {
            System.out.println("invalid collection!");