8 Replies Latest reply: Jul 14, 2011 11:02 AM by 796440

Deserialization Question?

25631 Newbie
Hi,

I have an application that is not mine and I don't have the source code. It seems that there is a table that stores BLOBs that are serialized Java objects.
Thus I wanted to see if there was a way I could deserialize the BLOBs so that I can try and parse the objects. As I don't know what the format is, is there
any way I can accomplish this?

I am trying to use the following code from the Java website:
    PreparedStatement pstmt = conn.prepareStatement(READ_OBJECT_SQL);
    pstmt.setLong(1, id);
    ResultSet rs = pstmt.executeQuery();
    rs.next();
    InputStream is = rs.getBlob(1).getBinaryStream();
    ObjectInputStream oip = new ObjectInputStream(is);
    Object object = oip.readObject();
    className = object.getClass().getName();
    oip.close();
    is.close();
    rs.close();
    pstmt.close();
    conn.commit();

    // de-serialize a Java object (a list) from a given objectID
    List listFromDatabase = (List) object;
    System.out.println("[After De-Serialization] list=" + listFromDatabase);
    conn.close();
Can I even accomplish what I am trying to do?

Thanks in advance!
  • 1. Re: Deserialization Question?
    796440 Guru
    I don't know what you mean by "parse the objects," and it's not really clear overall what you're trying to accomplish or what problems you're having. I can see you're already determining the objects' respective classes, but what is it you hope to do with these objects?
  • 2. Re: Deserialization Question?
    EJP Guru
    Yes, you can. Does that code execute? If not, it probably throws a ClassCastException where you cast to a List. The exception tells you what the actual class was ... So cast it to that instead. There may well be > 1 object in the stream, so keep reading until you get EOFException. If it really is a List, iterate it to see what's inside.
  • 3. Re: Deserialization Question?
    BIJ001 Explorer
    You do not need a class cast exception to see what that object is:
    className = object.getClass().getName();
    System.out.println(className);
  • 4. Re: Deserialization Question?
    EJP Guru
    Of course not, but with that current code he is either getting one, which tells him the name, or he isn't, which tells him it really is a List.
  • 5. Re: Deserialization Question?
    25631 Newbie
    Hi,

    Thanks for all of the feedback so far. The code executes but I am getting an error

    java.io.StreamCorruptedException: invalid stream header: 03170000
    at java.io.ObjectInputStream.readStreamHeader(Unknown Source)
    at java.io.ObjectInputStream.<init>(Unknown Source)
    at testjdbc.main(testjdbc.java:53)

    at this line:
        ObjectInputStream oip = new ObjectInputStream(is);
    I have this vendor application for which we do not have the source. I have been told though that the data is all stored in a BLOB and it is a serialized Java object.
    Thus I want to parse this object to see what exactly is stored in it. I am trying to see if I can parse these BLOBs and parse out the primary key value.
    So, as I am a little new to this, I was wondering if I am approaching it the right way?

    Thanks again for all of your input!!
  • 6. Re: Deserialization Question?
    jtahlborn Expert
    if you don't have class files for the objects stored in the blob, this will never work (assuming the BLOB is a valid object stream). the ObjectInputStream will throw ClassNotFoundException.
  • 7. Re: Deserialization Question?
    25631 Newbie
    Thanks, so then if I don't have the corresponding class files to cast the ObjectInputStream to I cannot do this?
    Is there no way to just write out each of the object's property values?
  • 8. Re: Deserialization Question?
    796440 Guru
    goochable wrote:
    > Thanks, so then if I don't have the corresponding class files to cast the ObjectInputStream to I cannot do this?
    You don't cast the ObjectInputStream. You cast the results of calling its readObject() method.
    > Is there no way to just write out each of the object's property values?
    How would it do that? Without the class definition, there's no way to know if, for instance, the 12 bytes we just read are {long, int} or {int, long} or {byte, short, char, int, byte, char}.
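
Added example, not part of the original thread: a stream written by ObjectOutputStream starts with the magic 0xACED and version 5, followed by a class descriptor that lists field names and type codes, so a vendor BLOB can be triaged from its raw bytes without calling readObject() or loading any class. The names `describe`, `SAMPLE` and `VENDOR` are hypothetical, the sample bytes are constructed, and the sketch assumes one top-level object whose class has no superclass or class annotations.

```python
import struct

STREAM_MAGIC, STREAM_VERSION, SC_SERIALIZABLE = 0xACED, 5, 0x02
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x74, 0x78
# struct formats for the protocol's primitive field type codes
PRIMITIVES = {"B": ">b", "C": ">H", "D": ">d", "F": ">f", "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}

def describe(blob):
    """Read the header and first class descriptor of a BLOB without instantiating anything."""
    pos = 0
    def unpack(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(blob):
            raise ValueError("truncated stream")
        (value,) = struct.unpack_from(fmt, blob, pos)
        pos += size
        return value
    def utf():  # length-prefixed modified UTF-8, decoded leniently (enough for names)
        return b"".join(unpack("c") for _ in range(unpack(">H"))).decode("utf-8", "replace")
    if (unpack(">H"), unpack(">H")) != (STREAM_MAGIC, STREAM_VERSION):
        return {"java_stream": False, "header": blob[:4].hex()}
    if unpack(">B") != TC_OBJECT or unpack(">B") != TC_CLASSDESC:
        raise ValueError("only a top-level object with a new class descriptor is handled")
    info = {"java_stream": True, "class": utf(), "serialVersionUID": unpack(">q")}
    flags, fields = unpack(">B"), []
    for _ in range(unpack(">H")):
        code, name = chr(unpack(">B")), utf()
        if code in "L[":  # object and array fields carry their type name as a string
            if unpack(">B") != TC_STRING:
                raise ValueError("type-name back-references are not handled")
            utf()
        fields.append([code, name, None])
    if (unpack(">B"), unpack(">B")) != (TC_ENDBLOCKDATA, TC_NULL):
        raise ValueError("class annotations and superclasses are not handled")
    if flags == SC_SERIALIZABLE:  # default layout: field values follow in descriptor order
        for field in fields:
            if field[0] not in PRIMITIVES:
                break  # nested objects need a full parser
            field[2] = unpack(PRIMITIVES[field[0]])
    info["fields"] = [tuple(f) for f in fields]
    return info

# Constructed sample: class "Demo" with fields int id = 42 and long key = 1001.
SAMPLE = (b"\xac\xed\x00\x05\x73\x72\x00\x04Demo" + struct.pack(">q", 1) + b"\x02\x00\x02"
          b"I\x00\x02id" b"J\x00\x03key" b"\x78\x70" + struct.pack(">iq", 42, 1001))
# Header bytes from the StreamCorruptedException in reply 5, zero-padded (padding constructed).
VENDOR = bytes.fromhex("03170000") + b"\x00" * 8
```

`describe(VENDOR)` reports that the BLOB is not a Java object stream at all, which matches the "invalid stream header: 03170000" error in reply 5.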
