
How does the 'transient' keyword work in Java? Explain its purpose and the nuances of using it in object serialization.


Answer

The transient keyword is used in Java to indicate class fields that should be excluded from the serialization process – that is, these fields will not be saved when the object is written to a byte stream.

This is useful when:

  • The field contains sensitive data (e.g., passwords)
  • The field can be reconstructed after deserialization
  • The state of the field is specific to the JVM and does not need to be transferred between JVMs

Example usage:

    import java.io.*;

    class User implements Serializable {
        private String username;
        private transient String password; // will not be serialized

        public User(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

After deserialization, the password field will have a value of null.

Trick Question

What happens if a transient field is a reference to an object that itself implements Serializable?

Answer: The field will still not be serialized: transient applies to the field, not to the type of the referenced object. Even if the object's class implements Serializable, a field marked transient will not survive serialization of the object that declares it.

Example:

    class Credentials implements Serializable {
        String password;
    }

    class Account implements Serializable {
        transient Credentials credentials;
    }

The credentials field will always be null after deserialization, even if Credentials itself is serializable.

Examples of real errors caused by not understanding this topic


Story

In an online banking system, while designing the "User Session" object, the developer forgot to declare the authorization session field as transient. Serialized objects containing confidential information were therefore logged to a file, which resulted in a data leak.


Story

In a brokerage service, some cache fields were serialized by default. After recovering from the serialized state, the application began to use outdated data from the cache, leading to discrepancies between the actual and displayed account balances.


Story

A developer declared a transient field, assuming that its value would be filled in automatically after deserialization. He did not implement custom readObject/writeObject methods, so the field remained null and the program crashed on the first access to it.
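The points above (a transient secret kept out of the byte stream, and a readObject hook that rebuilds JVM-local state so it is not null after deserialization) in one runnable example. This is added illustration code, not from the original page; the UserSession and TransientDemo classes, the field names and the token value are constructed for the example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Constructed example class: the token is transient so it never reaches the
// stream; the scratch buffer is transient JVM-local state rebuilt on load.
class UserSession implements Serializable {
    private static final long serialVersionUID = 1L;
    private String username;
    private transient String authToken;       // sensitive: excluded from the stream
    private transient StringBuilder scratch;  // JVM-local: rebuilt after deserialization

    UserSession(String username, String authToken) {
        this.username = username;
        this.authToken = authToken;
        this.scratch = new StringBuilder();
    }

    // defaultReadObject() restores only the non-transient fields, so both
    // transient fields are null here. Rebuild the local buffer explicitly;
    // the token is deliberately left null so the caller must re-authenticate.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        this.scratch = new StringBuilder();
    }

    boolean isAuthenticated() { return authToken != null; }
    StringBuilder scratch() { return scratch; }
    String username() { return username; }
}

public class TransientDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        UserSession live = new UserSession("alice", "tok-constructed-example");
        byte[] bytes = serialize(live);
        // Check that the token text is absent from the raw bytes (this is what
        // the logged-session leak in the first story would have exposed).
        String raw = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("token present in stream: " + raw.contains("tok-constructed-example"));

        UserSession restored;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            restored = (UserSession) ois.readObject();
        }
        System.out.println(restored.username() + " authenticated: " + restored.isAuthenticated());
        restored.scratch().append("ok"); // no NullPointerException thanks to readObject
    }
}
```

Removing the readObject method and re-running reproduces the third story: the scratch field stays null and the last line throws a NullPointerException.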