Deserialization

Deserialization is the read side of the pair that started in the previous lesson. Where serialization turns a live Java object into a byte stream, deserialization takes a byte stream and rebuilds the object graph in memory. This lesson covers ObjectInputStream and readObject, casting back to the real type, reading until end-of-stream, what happens when the class has changed since the file was written, what transient fields look like after a read, why constructors do not run, the role of readResolve and the private readObject hook, and the security risk that has made teams move away from Java's built-in serialization toward JSON or protobuf.