Java Serialization, Marker Interface, and Spring Security Authentication Explained Simply

A detailed yet simplified explanation of Java serialization, marker interfaces like Serializable, and Spring Security concepts such as Authentication and GrantedAuthority, including internal working and real-world understanding.

Java Serialization, Marker Interface, and Spring Security (Simple Explanation)

Java uses serialization to convert objects into byte streams, marker interfaces to tag classes with special behavior, and Spring Security uses interfaces like Authentication and GrantedAuthority to manage user login and roles. This document explains all these concepts in a simple, practical way.

What is Serialization in Java?

Serialization is the process of converting a Java object into a byte stream so that it can be stored in a file, sent over a network, or saved in a session. Deserialization is the reverse process.

Student s = new Student("John", 20);

ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("student.dat"));
out.writeObject(s);
out.close();

Here, the object is converted into bytes and stored in a file named student.dat. You control where the data is stored using streams like FileOutputStream, SocketOutputStream, or ByteArrayOutputStream.

Who Actually Does Serialization?

Java itself performs serialization internally using ObjectOutputStream. The developer does not write the conversion logic. Instead, Java uses reflection to inspect object fields and convert them into bytes automatically.

writeObject(obj)
   ├── checks Serializable
   ├── uses reflection
   ├── reads fields (name, age)
   └── converts to byte stream

What is Serializable?

Serializable is a marker interface in Java. It has no methods. Its only purpose is to mark a class as eligible for serialization.

import java.io.Serializable;

class Student implements Serializable {
    String name;
    int age;
}

If a class does not implement Serializable and you try to serialize it, Java throws NotSerializableException.

What is a Marker Interface?

A marker interface is an interface with no methods or fields. It is used only to provide metadata to the JVM or framework.

  • Serializable → allows serialization
  • Cloneable → allows object cloning
  • Remote → used in distributed systems

The JVM checks marker interfaces using instanceof to decide whether an object is allowed for a specific operation.

Why Serializable Has No Methods?

Serializable does not contain methods because the actual serialization logic is already implemented inside Java's standard library classes like ObjectOutputStream. The interface only acts as a permission marker.

Where is Serialized Data Stored?

Serialized data is stored wherever the OutputStream points. You decide the destination in your code.

  • File system using FileOutputStream
  • Memory using ByteArrayOutputStream
  • Network using Socket streams
  • HTTP session in web applications

Simple Example of Serialization Storage

FileOutputStream fos = new FileOutputStream("data.dat");
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(student);
oos.close();

What is Spring Security Authentication?

In Spring Security, Authentication represents the logged-in user. It contains username, password (credentials), roles, and authentication status.

Authentication authentication = ...;
System.out.println(authentication.getName());

After login, Spring Security stores an Authentication object inside the SecurityContext so it can be accessed anywhere in the application.

What is GrantedAuthority?

GrantedAuthority represents a single role or permission given to a user in Spring Security.

  • ROLE_USER
  • ROLE_ADMIN
  • READ_PRIVILEGES
  • WRITE_PRIVILEGES
GrantedAuthority auth = new SimpleGrantedAuthority("ROLE_ADMIN");
System.out.println(auth.getAuthority());

Spring Security stores multiple GrantedAuthority objects inside a collection returned by getAuthorities().

What does this mean?

Collection<? extends GrantedAuthority> getAuthorities();

This means: return a collection of objects that implement GrantedAuthority. It is used to represent all roles and permissions of a user.

Why does Spring use Serializable?

Spring Security marks Authentication, UserDetails, and GrantedAuthority as Serializable because user data may need to be stored in HTTP sessions or transferred between servers.

  • Session storage
  • Distributed systems
  • Caching
  • Cluster replication

Complete Simple Flow

User Login
AuthenticationManager
UserDetailsService
Password check
Authentication object created
GrantedAuthority added
Stored in SecurityContext
Used in controllers

Final Summary

  • Serializable is a marker interface with no methods
  • It only gives permission for serialization
  • ObjectOutputStream performs actual serialization using reflection
  • You decide where serialized data is stored using streams
  • Spring Security uses Authentication to represent logged-in users
  • GrantedAuthority represents roles and permissions
  • Spring uses Serializable for session storage and distributed systems

This combination of Java core concepts and Spring Security is widely used in real-world enterprise applications like banking systems, APIs, and microservices.