JDK-4352826

Serialization of java.rmi.server.RemoteObject does not match the spec


    • sparc
    • solaris_2.6



      Name: ooR10001 Date: 07/13/2000


      Serialization of java.rmi.server.RemoteObject does not match the spec.
      RemoteObject.java contains:
          private void readObject(java.io.ObjectInputStream in)
              throws java.io.IOException, java.lang.ClassNotFoundException
          {
              try {
                  String refClassName = in.readUTF();
                  if (refClassName == null || refClassName.length() == 0) {
                      /*
                       * No reference class name specified, so construct
                       * remote reference from its serialized form.
                       */
                      ref = (RemoteRef) in.readObject();
                  } else {
                      /*
                       * Built-in reference class specified, so delegate
                       * to reference to initialize its fields from its
                       * external form.
                       */
                      Class refClass = Class.forName(RemoteRef.packagePrefix + "." +
                                                     refClassName);
                      ref = (RemoteRef) refClass.newInstance();
                      ref.readExternal(in);
      ...................
      --------------------------------------------------
      The javadoc says:
      readObject

      private void readObject(ObjectInputStream in)
                       throws IOException,
                              ClassNotFoundException

            readObject for object serialization. Reads in the unqualified class name of the remote reference
            field, ref, in UTF-8 and delegates to the ref field to read in its representation. The ref field is
            read via a direct call to ref.readExternal(ObjectInputStream in). Default serialization is not used.

      ---------------------------------------------------
      The first branch of the implementation checks whether refClassName is null
      and, if so, calls the readObject() method, but the javadoc says nothing about
      this case; this is an undocumented step.

      In the second branch (after else) the implementation uses the RemoteRef.packagePrefix
      package name, but the javadoc also says nothing about this.

      RemoteObject.java:

          private void writeObject(java.io.ObjectOutputStream out)
              throws java.io.IOException, java.lang.ClassNotFoundException
          {
              if (ref == null) {
                  throw new java.rmi.MarshalException("Invalid remote object");
              } else {
                  String refClassName = ref.getRefClass(out);
                  if (refClassName == null || refClassName.length() == 0) {
                      /*
                       * No reference class name specified, so serialize
                       * remote reference.
                       */
                      out.writeUTF("");
                      out.writeObject(ref);
                  } else {
                      /*
                       * Built-in reference class specified, so delegate
                       * to reference to write out its external form.
                       */
                      out.writeUTF(refClassName);
                      ref.writeExternal(out);
                  }
              }
          }
      ----------------------

      The javadoc says:

      writeObject

      private void writeObject(ObjectOutputStream out)
                        throws IOException,
                               ClassNotFoundException

            writeObject for object serialization. Writes out the class name of the remote reference contained in
            this class and delegates to the reference to write out its representation.
            Serial Data:
                  Writes out the unqualified class name of the remote reference field, ref, in UTF-8 and
                  delegates to the ref field to write out its representation. Different information will be
                  written to out depending upon the ref field's type. Default serialization is not used.
      --------------------------
      If ref.getRefClass(out) returns null, then the behavior of the implementation is again undocumented.
      In this case it calls out.writeObject(ref), but the javadoc says that default serialization
      is not used.

      Also, the javadoc says nothing about the value of ref.getRefClass() and its meaning for
      the java.rmi.server.RemoteObject serialization, but the implementation uses it
      for its own purposes.

      ======================================================================
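
The two stream layouts discussed in the report, reproduced as an added Java example (not JDK source and not part of the original report). Ref, BuiltinRef, CustomRef, Holder and PREFIX are hypothetical stand-ins for RemoteRef, a built-in reference class, a reference class without a built-in name, RemoteObject and RemoteRef.packagePrefix; the program reports whether a full class descriptor for the reference ends up in the stream.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
// Added example, not JDK source. Ref, BuiltinRef, CustomRef and Holder are hypothetical
// stand-ins for RemoteRef, a built-in ref, a ref with no built-in name, and RemoteObject.
public class TwoBranchSerialForm {
    static final String PREFIX = TwoBranchSerialForm.class.getName() + "$"; // ~ packagePrefix + "."
    interface Ref extends Externalizable { String getRefClass(ObjectOutput out); }
    public static class BuiltinRef implements Ref {
        int id;
        public String getRefClass(ObjectOutput out) { return "BuiltinRef"; }
        public void writeExternal(ObjectOutput out) throws IOException { out.writeInt(id); }
        public void readExternal(ObjectInput in) throws IOException { id = in.readInt(); }
    }
    public static class CustomRef extends BuiltinRef {   // reports no built-in name
        @Override public String getRefClass(ObjectOutput out) { return null; }
    }
    static class Holder implements Serializable {
        transient Ref ref;
        private void writeObject(ObjectOutputStream out) throws IOException {
            String name = ref.getRefClass(out);
            if (name == null || name.length() == 0) {
                out.writeUTF(""); out.writeObject(ref);      // branch the javadoc omits
            } else {
                out.writeUTF(name); ref.writeExternal(out);  // branch the javadoc describes
            }
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            String name = in.readUTF();
            if (name.length() == 0) { ref = (Ref) in.readObject(); return; }
            try {   // the class to instantiate is selected by a string read from the stream
                ref = (Ref) Class.forName(PREFIX + name).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) { throw new InvalidObjectException(e.toString()); }
            ref.readExternal(in);
        }
    }
    static String roundTrip(Ref ref) throws Exception {
        Holder h = new Holder(); h.ref = ref;
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(h); }
        byte[] bytes = buf.toByteArray();
        Holder back = (Holder) new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
        String cls = back.ref.getClass().getSimpleName();
        boolean desc = new String(bytes, StandardCharsets.ISO_8859_1).contains(PREFIX + cls);
        return cls + ": full class descriptor on wire = " + desc;
    }
    public static void main(String[] args) throws Exception {
        for (Ref r : new Ref[] { new BuiltinRef(), new CustomRef() }) System.out.println(roundTrip(r));
    }
}
```

With a named reference only the unqualified name and the externalized fields are written; with an empty name the reader goes through a general readObject() call, so the stream itself names the class to be deserialized.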

            peterjones Peter Jones (Inactive)
            oovsunw Oov Oov (Inactive)