Java Serialization, Marker Interface, and Spring Security (Simple Explanation)
Java uses serialization to convert objects into byte streams, marker interfaces to tag classes with special behavior, and Spring Security uses interfaces like Authentication and GrantedAuthority to manage user login and roles. This document explains all these concepts in a simple, practical way.
What is Serialization in Java?
Serialization is the process of converting a Java object into a byte stream so that it can be stored in a file, sent over a network, or saved in a session. Deserialization is the reverse process.
Student s = new Student("John", 20);
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("student.dat"));
out.writeObject(s);
out.close();Here, the object is converted into bytes and stored in a file named student.dat. You control where the data is stored using streams like FileOutputStream, SocketOutputStream, or ByteArrayOutputStream.
Who Actually Does Serialization?
Java itself performs serialization internally using ObjectOutputStream. The developer does not write the conversion logic. Instead, Java uses reflection to inspect object fields and convert them into bytes automatically.
writeObject(obj)
├── checks Serializable
├── uses reflection
├── reads fields (name, age)
└── converts to byte streamWhat is Serializable?
Serializable is a marker interface in Java. It has no methods. Its only purpose is to mark a class as eligible for serialization.
import java.io.Serializable;
class Student implements Serializable {
String name;
int age;
}If a class does not implement Serializable and you try to serialize it, Java throws NotSerializableException.
What is a Marker Interface?
A marker interface is an interface with no methods or fields. It is used only to provide metadata to the JVM or framework.
- Serializable → allows serialization
- Cloneable → allows object cloning
- Remote → used in distributed systems
The JVM checks marker interfaces using instanceof to decide whether an object is allowed for a specific operation.
Why Serializable Has No Methods?
Serializable does not contain methods because the actual serialization logic is already implemented inside Java's standard library classes like ObjectOutputStream. The interface only acts as a permission marker.
Where is Serialized Data Stored?
Serialized data is stored wherever the OutputStream points. You decide the destination in your code.
- File system using FileOutputStream
- Memory using ByteArrayOutputStream
- Network using Socket streams
- HTTP session in web applications
Simple Example of Serialization Storage
FileOutputStream fos = new FileOutputStream("data.dat");
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(student);
oos.close();What is Spring Security Authentication?
In Spring Security, Authentication represents the logged-in user. It contains username, password (credentials), roles, and authentication status.
Authentication authentication = ...;
System.out.println(authentication.getName());After login, Spring Security stores an Authentication object inside the SecurityContext so it can be accessed anywhere in the application.
What is GrantedAuthority?
GrantedAuthority represents a single role or permission given to a user in Spring Security.
- ROLE_USER
- ROLE_ADMIN
- READ_PRIVILEGES
- WRITE_PRIVILEGES
GrantedAuthority auth = new SimpleGrantedAuthority("ROLE_ADMIN");
System.out.println(auth.getAuthority());Spring Security stores multiple GrantedAuthority objects inside a collection returned by getAuthorities().
What does this mean?
Collection<? extends GrantedAuthority> getAuthorities();This means: return a collection of objects that implement GrantedAuthority. It is used to represent all roles and permissions of a user.
Why does Spring use Serializable?
Spring Security marks Authentication, UserDetails, and GrantedAuthority as Serializable because user data may need to be stored in HTTP sessions or transferred between servers.
- Session storage
- Distributed systems
- Caching
- Cluster replication
Complete Simple Flow
User Login
↓
AuthenticationManager
↓
UserDetailsService
↓
Password check
↓
Authentication object created
↓
GrantedAuthority added
↓
Stored in SecurityContext
↓
Used in controllersFinal Summary
- Serializable is a marker interface with no methods
- It only gives permission for serialization
- ObjectOutputStream performs actual serialization using reflection
- You decide where serialized data is stored using streams
- Spring Security uses Authentication to represent logged-in users
- GrantedAuthority represents roles and permissions
- Spring uses Serializable for session storage and distributed systems
This combination of Java core concepts and Spring Security is widely used in real-world enterprise applications like banking systems, APIs, and microservices.