8 Replies Latest reply on Jul 14, 2011 6:02 PM by 796440

    Deserialization Question?


      I have an application that is not mine and I don't have the source code. It seems that there is a table that stores BLOBs that are serialized Java objects.
      Thus I wanted to see if there was a way I could deserialize the BLOBs so that I can try and parse the objects. As I don't know what the format is, is there
      any way I can accomplish this?

      I am trying to use the following code from the Java website:
      import java.io.InputStream;
      import java.io.ObjectInputStream;
      import java.sql.PreparedStatement;
      import java.sql.ResultSet;
      import java.util.List;

      PreparedStatement pstmt = conn.prepareStatement(READ_OBJECT_SQL);
      pstmt.setLong(1, id);
      ResultSet rs = pstmt.executeQuery();
      if (!rs.next()) {                       // the cursor must be on a row before getBlob()
          throw new IllegalStateException("no row with id " + id);
      }
      InputStream is = rs.getBlob(1).getBinaryStream();
      ObjectInputStream oip = new ObjectInputStream(is);   // reads and checks the stream header
      Object object = oip.readObject();
      String className = object.getClass().getName();      // the runtime class of what was stored
      // de-serialize a List (a java object) from the row with the given object ID
      List listFromDatabase = (List) object;
      System.out.println("[After De-Serialization] list=" + listFromDatabase);
      Can I even accomplish what I am trying to do?

      Thanks in advance!
        • 1. Re: Deserialization Question?
          I don't know what you mean by "parse the objects," and it's not really clear overall what you're trying to accomplish or what problems you're having. I can see you're already determining the objects' respective classes, but what is it you hope to do with these objects?
          • 2. Re: Deserialization Question?
            Yes, you can. Does that code execute? If not, it probably throws a ClassCastException where you cast to a List. The exception tells you what the actual class was, so cast it to that instead. There may well be > 1 object in the stream, so keep reading until you get EOFException. If it really is a List, iterate it to see what's inside.
            1 person found this helpful
            • 3. Re: Deserialization Question?
              You do not need a ClassCastException to see what that object is:
              className = object.getClass().getName();
              1 person found this helpful
              • 4. Re: Deserialization Question?
                Of course not, but with that current code he is either getting one, which tells him the name, or he isn't, which tells him it really is a List.
                1 person found this helpful
                • 5. Re: Deserialization Question?

                  Thanks for all of the feedback so far. The code executes but I am getting an error

                  java.io.StreamCorruptedException: invalid stream header: 03170000
                  at java.io.ObjectInputStream.readStreamHeader(Unknown Source)
                  at java.io.ObjectInputStream.<init>(Unknown Source)
                  at testjdbc.main(testjdbc.java:53)

                  at this line
                  ObjectInputStream oip = new ObjectInputStream(is);
                  I have this vendor application for which we do not have the source. I have been told, though, that the data is all stored in a BLOB and it is a serialized Java object.
                  Thus I want to parse this object to see what exactly is stored in it. I am trying to see if I can parse these BLOBs and parse out the primary key value.
                  So as I am a little new to this, I was wondering if I am approaching it the right way?

                  Thanks again for all of your input!!
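An added example, not code from the thread or from any poster, that puts replies 2 and 5 together: it peeks at the BLOB's leading bytes and refuses anything that does not start with the Java serialization magic (AC ED), so a header such as 03170000 is reported as some other format instead of reaching ObjectInputStream, and it then reads every object until EOFException under an allow-list ObjectInputFilter, so a class nobody expects in that table is rejected rather than instantiated. It assumes Java 9 or later (ObjectInputFilter, readNBytes, List.of); the class name BlobReader, the allow-list pattern and the sample BLOBs are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamConstants;
import java.io.PushbackInputStream;
import java.io.StreamCorruptedException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class BlobReader {

    // Classify a BLOB by its first bytes. Only AC ED (STREAM_MAGIC) is a Java
    // serialization stream; gzip and zip magics mean the bytes were wrapped, and a
    // header such as 03 17 matches none of these and must be examined as something else.
    static String describeHeader(byte[] head, int n) {
        if (n >= 2) {
            int magic = ((head[0] & 0xFF) << 8) | (head[1] & 0xFF);
            if (magic == (ObjectStreamConstants.STREAM_MAGIC & 0xFFFF)) return "java-serialization";
            if (magic == 0x1F8B) return "gzip";
            if (magic == 0x504B) return "zip";
        }
        StringBuilder hex = new StringBuilder("unknown:");
        for (int i = 0; i < n; i++) hex.append(String.format("%02X", head[i]));
        return hex.toString();
    }

    // Peek at up to four bytes without consuming them and refuse anything that is not a
    // plain Java serialization stream, rather than letting ObjectInputStream parse it.
    static InputStream requireSerializationStream(InputStream raw) throws IOException {
        PushbackInputStream in = new PushbackInputStream(raw, 4);
        byte[] head = new byte[4];
        int n = in.readNBytes(head, 0, 4);
        in.unread(head, 0, n);
        String kind = describeHeader(head, n);
        if (!kind.equals("java-serialization")) {
            throw new StreamCorruptedException("refusing to deserialize, header is " + kind);
        }
        return in;
    }

    // Read every object until EOFException (a BLOB may hold more than one) under an
    // allow-list filter: a class not named in the pattern is rejected before it is instantiated.
    static List<String> readAllClassNames(InputStream raw, String allowPattern)
            throws IOException, ClassNotFoundException {
        List<String> names = new ArrayList<>();
        try (ObjectInputStream ois = new ObjectInputStream(requireSerializationStream(raw))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(allowPattern));
            while (true) {
                Object o;
                try {
                    o = ois.readObject();
                } catch (EOFException end) {
                    return names;                 // no more objects in this BLOB
                }
                names.add(o == null ? "null" : o.getClass().getName());
            }
        }
    }

    // Constructed sample BLOB: the given objects written into one stream.
    static byte[] serialize(Object... objects) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            for (Object o : objects) oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Exactly the classes expected in this table (superclasses such as
        // java.lang.Number are checked too); "!*" rejects everything else.
        String allow = "java.util.ArrayList;java.lang.Integer;java.lang.Number;java.lang.String;!*";
        byte[] blob = serialize(new ArrayList<>(List.of("pk-1001", "pk-1002")), Integer.valueOf(42));
        System.out.println(readAllClassNames(new ByteArrayInputStream(blob), allow));

        // A class outside the allow-list is rejected before its constructor or readObject runs.
        try {
            readAllClassNames(new ByteArrayInputStream(serialize(new HashMap<String, String>())), allow);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // Bytes that do not start with AC ED never reach ObjectInputStream at all.
        byte[] notAStream = {0x03, 0x17, 0x00, 0x00};
        try {
            readAllClassNames(new ByteArrayInputStream(notAStream), allow);
        } catch (StreamCorruptedException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run it with `java BlobReader.java`. The filter is the part to keep whenever the producer of the BLOB is not code you control: ObjectInputStream consults it for every class descriptor in the stream (and for array lengths), so a rejected class fails with an InvalidClassException before anything of that class is created.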
                  • 6. Re: Deserialization Question?
                    If you don't have class files for the objects stored in the blob, this will never work (assuming the BLOB is a valid object stream). The ObjectInputStream will throw ClassNotFoundException.
                    1 person found this helpful
                    • 7. Re: Deserialization Question?
                      Thanks, so then if I don't have the corresponding class files to cast the ObjectInputStream to, I cannot do this?
                      Is there no way to just write out each of the objects' property values?
                      • 8. Re: Deserialization Question?
                        goochable wrote:
                        Thanks, so then if I don't have the corresponding class files to cast the ObjectInputStream to, I cannot do this?
                        You don't cast the ObjectInputStream. You cast the results of calling its readObject() method.
                        Is there no way to just write out each of the objects' property values?
                        How would it do that? Without the class definition, there's no way to know if, for instance, the 12 bytes we just read are {long, int} or {int, long} or {byte, short, char, int, byte, char}.
                        1 person found this helpful
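On replies 6 to 8, an added example (mine, not from any poster) of what can still be learned from a BLOB whose classes are missing. For classes that use default serialization, the stream's class descriptor carries the class name, serialVersionUID and the declared field names and types (a custom writeObject's data is not described this way). An ObjectInputStream subclass can record those in resolveClass even when the class is absent, because ObjectInputStream consumes the object's bytes first and throws ClassNotFoundException only afterwards; that yields the layout and field names, not the objects. An inspect-only mode refuses every class so nothing in an untrusted BLOB is instantiated. DescriptorDump, Order, the renamed class DescriptorDump$Ghost and the sample stream are constructed for the example; Java 9 or later is assumed for List.of.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamField;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class DescriptorDump {

    // Records each class descriptor read from the stream (name, serialVersionUID,
    // declared field names and types) at the moment the class is resolved. The data
    // comes from the BLOB itself, so it is available when the class is not on the
    // classpath. In inspect-only mode every class is refused, so nothing is instantiated.
    static class RecordingObjectInputStream extends ObjectInputStream {
        final List<String> notes = new ArrayList<>();
        final boolean inspectOnly;

        RecordingObjectInputStream(InputStream in, boolean inspectOnly) throws IOException {
            super(in);
            this.inspectOnly = inspectOnly;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            List<String> fields = new ArrayList<>();
            for (ObjectStreamField f : desc.getFields()) {
                // primitives show their type code (J=long, I=int, ...), objects their signature
                String type = f.isPrimitive() ? String.valueOf(f.getTypeCode()) : f.getTypeString();
                fields.add(f.getName() + ":" + type);
            }
            notes.add("descriptor " + desc.getName() + " suid=" + desc.getSerialVersionUID()
                      + " fields=[" + String.join(" ", fields) + "]");
            if (inspectOnly) throw new ClassNotFoundException("inspect-only: " + desc.getName());
            return super.resolveClass(desc);   // ClassNotFoundException if the class is absent
        }
    }

    // Walk every top-level object in the BLOB. A missing (or refused) class makes
    // readObject throw ClassNotFoundException after that object's bytes were consumed,
    // so the walk continues with the next object until EOF.
    static List<String> walk(byte[] blob, boolean inspectOnly) throws IOException {
        try (RecordingObjectInputStream in =
                 new RecordingObjectInputStream(new ByteArrayInputStream(blob), inspectOnly)) {
            while (true) {
                try {
                    Object o = in.readObject();
                    in.notes.add("instantiated " + (o == null ? "null" : o.getClass().getName()));
                } catch (ClassNotFoundException e) {
                    in.notes.add("not instantiated: " + e.getMessage());
                } catch (EOFException end) {
                    return in.notes;
                }
            }
        }
    }

    // Constructed stand-in for the vendor's class whose source we do not have.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        long primaryKey = 1001L;
        int version = 3;
        String customer = "example";
    }

    // Constructed sample: serialize an Order and a list, then rename the class inside the
    // byte stream to one that does not exist (same length keeps the stream consistent),
    // imitating a BLOB whose class files are missing. ISO-8859-1 round-trips every byte.
    static byte[] sampleBlobWithMissingClass() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Order());
            oos.writeObject(new ArrayList<>(List.of("pk-1001")));
        }
        String latin1 = new String(bos.toByteArray(), StandardCharsets.ISO_8859_1);
        return latin1.replace(Order.class.getName(), "DescriptorDump$Ghost")
                     .getBytes(StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) throws IOException {
        byte[] blob = sampleBlobWithMissingClass();
        System.out.println("-- resolve what we can --");
        walk(blob, false).forEach(System.out::println);
        System.out.println("-- inspect only, instantiate nothing --");
        walk(blob, true).forEach(System.out::println);
    }
}
```

Run it with `java DescriptorDump.java`. The first walk records the descriptor of the renamed class (including a field named primaryKey of type J) and then reports it as not instantiated, while the ArrayList that is on the classpath is instantiated; the second walk records the same descriptors and instantiates nothing. Before ObjectInputFilter existed, resolveClass was also where an allow-list belonged, and it remains the place to stop an unexpected class on older JVMs.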