1. The Problem with Traditional Java Serialization

Old Java serialization (Serializable) had major security issues:

Deserialization Attacks

Attackers could send malicious serialized objects that trigger:

  • Remote Code Execution (RCE)

  • Gadget chains

  • Arbitrary method execution during readObject()

Example dangerous flow:

Attacker → sends crafted serialized object
Server → ObjectInputStream.readObject()
JVM → loads unexpected class
Malicious code executes

This became one of the most common Java vulnerabilities (OWASP).

2. Why Record Classes Improve Security

1️⃣ Immutability

Record classes are immutable by design.

Example:

public record User(String name, int age) {}

Properties:

  • fields are final

  • no setters

  • state cannot be mutated after creation

This prevents state manipulation attacks.

2️⃣ No Hidden Mutable State

Traditional class:

class User implements Serializable {
   String name;
   int age;
}

Problems:

  • fields can change

  • attackers can inject unexpected values

Record class:

User[name=Vikas, age=42]

Clear, fixed structure.

3️⃣ Canonical Constructor Validation

Records allow validation at creation time.

Example:

public record User(String name, int age) {
    public User {
        if(age < 0)
            throw new IllegalArgumentException("Invalid age");
    }
}

This prevents invalid or malicious data injection.

4️⃣ Reduced Attack Surface

Records:

  • do not support custom serialization hooks

  • avoid dangerous methods like:

readObject()
writeObject()
readResolve()
writeReplace()

These methods were often used in gadget chains for attacks.

3. Records Work Better with Modern Serialization

Records integrate cleanly with modern serialization frameworks:

Serialization

Record Support

JSON

Jackson / Gson native support

Protobuf

clean mapping

Avro

schema-based

Kafka events

immutable messages

Example JSON mapping:

public record Order(String id, double price) {}

Jackson automatically serializes:

{
 "id":"123",
 "price":45.5
}

No reflection hacks required.

4. Why Microservices Prefer This Model

Modern architecture avoids Java native serialization and prefers:

Service A
   ↓ JSON / Protobuf
Service B
   ↓
Record Classes

Benefits:

  • immutable data transfer

  • safer deserialization

  • predictable schema

5. Real Industry Direction

Java ecosystem is moving toward:

Avoid

  • Serializable

  • ObjectInputStream

Prefer

  • Record classes

  • JSON / Protobuf

  • Schema-based contracts

Even Spring Boot 3 / Spring 6 works perfectly with records.

Keep Reading

© 2026 The Vikas Taank Engineering Brief.
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv