Eclipse Serializer 1.0 Final Release is Now Available

We’re very proud to announce that MicroStream Serializer is now an official Eclipse project, and that Eclipse Serializer version 1.0 is now available as a final release. The code is available on GitHub under the Eclipse Public License 2.0: https://github.com/eclipse-serializer/serializer

 

To use Eclipse Serializer, add the following Maven dependency to your project. Use the released version, not a -SNAPSHOT, so that your build resolves the final 1.0 artifact rather than an unreleased development build:

        <dependency>
            <groupId>org.eclipse.serializer</groupId>
            <artifactId>serializer</artifactId>
            <version>1.0.0</version>
        </dependency>

 

Eclipse Serializer is designed to handle any Java object, including complex object graphs, and to be secure against deserialization attacks.

 

Serialize any object

Eclipse Serializer lets you serialize any Java object. Unlike Java serialization, you do not have to implement the Serializable interface; there are no specific interfaces, superclasses or annotations at all.

 

Complex object graphs

Eclipse Serializer lets you serialize any object graph of any size and complexity. The depth of your object graph is not limited, and circular references are fully supported. There is no stack-based recursion. Traditional serializers, when they encounter a nested structure (for example an object held inside another object), typically process it with a recursive function call; each call adds a frame to the call stack, and a deeply nested or long-chained structure can therefore end in a stack overflow. Because Eclipse Serializer does not recurse, the depth of the graph never translates into call-stack depth, so it avoids that failure mode and the stack growth that comes with it, which matters in scenarios where memory constraints are a concern.
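The two points above (no Serializable, no recursion) in one runnable program. This is an added example, not code from the Eclipse Serializer project or from this post; the domain classes and the chain depth are constructed for illustration, and the builder calls (SerializerFoundation.New(), registerEntityTypes(Class<?>...), Serializer.Bytes(foundation), serialize(Object) returning byte[], and a generic deserialize(byte[])) are assumed from the project's README and should be checked against the 1.0 Javadoc:

```java
import java.util.ArrayList;
import java.util.List;

import org.eclipse.serializer.Serializer;
import org.eclipse.serializer.SerializerFoundation;

// Added example, not code from the Eclipse Serializer project or this post.
// Assumed API shape (verify against the 1.0 Javadoc): SerializerFoundation.New(),
// registerEntityTypes(Class<?>...), Serializer.Bytes(foundation),
// serialize(Object) -> byte[], <T> T deserialize(byte[]).
public class ObjectGraphExample
{
    // Plain classes: no Serializable, no no-arg constructor, no annotations.
    static final class Department
    {
        final String name;
        final List<Employee> staff = new ArrayList<>();
        Department(final String name) { this.name = name; }
    }

    static final class Employee
    {
        final String name;
        final Department department; // back-reference: the graph is cyclic
        Employee(final String name, final Department department)
        {
            this.name = name;
            this.department = department;
            department.staff.add(this);
        }
    }

    // A deliberately deep structure: a singly linked chain of DEPTH nodes.
    static final class Node
    {
        final int value;
        Node next;
        Node(final int value) { this.value = value; }
    }

    static final int DEPTH = 100_000; // constructed depth for the demonstration

    static Serializer<byte[]> newSerializer()
    {
        final SerializerFoundation<?> foundation = SerializerFoundation.New()
            .registerEntityTypes(Department.class, Employee.class, Node.class);
        return Serializer.Bytes(foundation);
    }

    // Round-trips a cyclic graph and checks that the cycle comes back as one identity.
    static boolean cycleSurvivesRoundTrip(final Serializer<byte[]> serializer)
    {
        final Department dept = new Department("Security");
        new Employee("Alice", dept);
        new Employee("Bob", dept);

        final Department copy = serializer.deserialize(serializer.serialize(dept));
        for (final Employee e : copy.staff)
        {
            if (e.department != copy) // must point at the restored Department, not a clone
            {
                return false;
            }
        }
        return copy.staff.size() == 2;
    }

    // Round-trips a chain DEPTH objects deep; a recursive serializer would need
    // DEPTH nested calls here and typically dies with StackOverflowError.
    static int restoredChainLength(final Serializer<byte[]> serializer)
    {
        final Node head = new Node(0);
        Node tail = head;
        for (int i = 1; i < DEPTH; i++)
        {
            tail.next = new Node(i);
            tail = tail.next;
        }

        final Node copy = serializer.deserialize(serializer.serialize(head));
        int length = 0;
        for (Node n = copy; n != null; n = n.next) // iterative walk, no recursion
        {
            length++;
        }
        return length;
    }

    public static void main(final String[] args)
    {
        final Serializer<byte[]> serializer = newSerializer();
        System.out.println("cycle intact: " + cycleSurvivesRoundTrip(serializer));
        System.out.println("chain length: " + restoredChainLength(serializer));
    }
}
```

The identity check is the part worth keeping in your own tests: a serializer that merely tolerates cycles by re-expanding them would either loop forever or hand back a copy whose back-references point at clones, and `e.department != copy` catches the second case. Pushing the same 100,000-node chain through java.io.ObjectOutputStream on a default thread stack is a quick way to see the recursion problem the section describes.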

 

High-Secure Serialization

Eclipse Serializer works fundamentally differently from traditional Java serialization in order to eliminate deserialization attacks. A Java serialization stream carries both field data and the class descriptors of the objects it contains. During deserialization the JVM resolves those descriptors against whatever classes are on the receiver's classpath and runs their deserialization hooks (readObject, readResolve and similar callbacks) with attacker-supplied field values, before the receiving application has had a chance to validate anything. Chaining such classes together is what makes it easy for an attacker to turn a crafted stream into code execution.

Eclipse Serializer, by contrast, transfers data only, never code, and runs no class-defined code on deserialization: no constructors, no readObject or readResolve hooks, no other callbacks. The serializer itself allocates the objects and writes their field values directly into memory; the JVM's serialization machinery is not involved. To make this possible, Eclipse Serializer maintains a type dictionary describing the layout of every persisted type, shared by sender and receiver. A crafted stream can therefore only yield objects of the described types with chosen field values; it cannot cause injected code to be executed.
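A side-by-side check of the claim above: the same class, with deserialization hooks that only count how often they run, round-tripped once through java.io and once through Eclipse Serializer. This is an added example, not code from the Eclipse Serializer project or from this post; the Config class and its counter are constructed for the demonstration, and the Eclipse Serializer calls (SerializerFoundation.New(), registerEntityTypes, Serializer.Bytes, serialize, deserialize) are assumed from the project's README and should be checked against the 1.0 Javadoc:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.eclipse.serializer.Serializer;
import org.eclipse.serializer.SerializerFoundation;

// Added example, not code from the Eclipse Serializer project or this post.
// Eclipse Serializer API shape is assumed from the project's README.
public class NoDeserializationHooksExample
{
    // Implements Serializable only so the java.io path can run at all;
    // Eclipse Serializer neither requires nor uses it.
    static final class Config implements Serializable
    {
        private static final long serialVersionUID = 1L;
        static int hooksRun; // constructed counter: how many hooks fired

        String command;

        Config(final String command) { this.command = command; }

        // java.io calls this for every incoming instance, before the receiving
        // code ever sees the object. A real gadget would do something harmful
        // here with attacker-chosen field values; this one only records that it ran.
        private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException
        {
            in.defaultReadObject();
            hooksRun++;
        }

        private Object readResolve()
        {
            hooksRun++;
            return this;
        }
    }

    static Config viaJavaSerialization(final Config c) throws IOException, ClassNotFoundException
    {
        final ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos))
        {
            out.writeObject(c);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray())))
        {
            return (Config)in.readObject(); // readObject + readResolve hooks fire here
        }
    }

    static Config viaEclipseSerializer(final Config c)
    {
        final SerializerFoundation<?> foundation = SerializerFoundation.New()
            .registerEntityTypes(Config.class);
        final Serializer<byte[]> serializer = Serializer.Bytes(foundation);
        return serializer.deserialize(serializer.serialize(c)); // fields written directly, no hooks
    }

    public static void main(final String[] args) throws Exception
    {
        Config.hooksRun = 0;
        viaJavaSerialization(new Config("ls"));
        System.out.println("java.io hooks run: " + Config.hooksRun);

        Config.hooksRun = 0;
        final Config copy = viaEclipseSerializer(new Config("ls"));
        System.out.println("Eclipse Serializer hooks run: " + Config.hooksRun
            + ", field restored: " + copy.command);
    }
}
```

On the java.io path the counter ends at 2 (readObject and readResolve both ran); on the Eclipse Serializer path it stays at 0 while the field value still comes back intact. That difference is the whole security argument of this section: the receiver gets the data, and nothing in the sender's stream can pick which methods run on the receiver.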

 

Versioning

Classes change over time. Adding, modifying or removing fields can cause compatibility problems when you deserialize objects that were serialized with an older version of the class. In such cases versioning has to be handled explicitly, which can be complex. Eclipse Serializer provides an elegant and efficient feature called Legacy Type Mapping to handle versioning.

 

Open byte format

Eclipse Serializer uses a highly optimized byte format capable of representing highly complex object graphs. The format itself is, of course, open source as well and can be converted into CSV. Converters for other encodings are planned.

 

Secure your Java applications and frameworks today with Eclipse Serializer, and please star us on GitHub!
