What is the difference between Serializable and Externalizable in Java?

To add to the other answers, by implementating java.io.Serializable, you get "automatic" serialization capability for objects of your class. No need to implement any other logic, it'll just work. The Java runtime will use reflection to figure out how to marshal and unmarshal your objects.

In earlier version of Java, reflection was very slow, and so serializaing large object graphs (e.g. in client-server RMI applications) was a bit of a performance problem. To handle this situation, the java.io.Externalizable interface was provided, which is like java.io.Serializable but with custom-written mechanisms to perform the marshalling and unmarshalling functions (you need to implement readExternal and writeExternal methods on your class). This gives you the means to get around the reflection performance bottleneck.

In recent versions of Java (1.3 onwards, certainly) the performance of reflection is vastly better than it used to be, and so this is much less of a problem. I suspect you'd be hard-pressed to get a meaningful benefit from Externalizable with a modern JVM.

Also, the built-in Java serialization mechanism isn't the only one, you can get third-party replacements, such as JBoss Serialization, which is considerably quicker, and is a drop-in replacement for the default.

A big downside of Externalizable is that you have to maintain this logic yourself - if you add, remove or change a field in your class, you have to change your writeExternal/readExternal methods to account for it.

In summary, Externalizable is a relic of the Java 1.1 days. There's really no need for it any more.

Serialization provides default functionality to store and later recreate the object. It uses verbose format to define the whole graph of objects to be stored e.g. suppose you have a linkedList and you code like below, then the default serialization will discover all the objects which are linked and will serialize. In default serialization the object is constructed entirely from its stored bits, with no constructor calls.

  ObjectOutputStream oos = new ObjectOutputStream(      new FileOutputStream("/Users/Desktop/files/temp.txt"));  oos.writeObject(linkedListHead); //writing head of linked list  oos.close();

But if you want restricted serialization or don't want some portion of your object to be serialized then use Externalizable. The Externalizable interface extends the Serializable interface and adds two methods, writeExternal() and readExternal(). These are automatically called while serialization or deserialization. While working with Externalizable we should remember that the default constructer should be public else the code will throw exception. Please follow the below code:

public class MyExternalizable implements Externalizable{private String userName;private String passWord;private Integer roll;public MyExternalizable(){}public MyExternalizable(String userName, String passWord, Integer roll){    this.userName = userName;    this.passWord = passWord;    this.roll = roll;}@Overridepublic void writeExternal(ObjectOutput oo) throws IOException {    oo.writeObject(userName);    oo.writeObject(roll);}@Overridepublic void readExternal(ObjectInput oi) throws IOException, ClassNotFoundException {    userName = (String)oi.readObject();    roll = (Integer)oi.readObject();}public String toString(){    StringBuilder b = new StringBuilder();    b.append("userName: ");    b.append(userName);    b.append("  passWord: ");    b.append(passWord);    b.append("  roll: ");    b.append(roll);       return b.toString();}public static void main(String[] args){    try    {        MyExternalizable m  = new MyExternalizable("nikki", "student001", 20);        System.out.println(m.toString());        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("/Users/Desktop/files/temp1.txt"));        oos.writeObject(m);        oos.close();                System.out.println("***********************************************************************");        ObjectInputStream ois = new ObjectInputStream(new FileInputStream("/Users/Desktop/files/temp1.txt"));        MyExternalizable mm = (MyExternalizable)ois.readObject();        mm.toString();        System.out.println(mm.toString());    }     catch (ClassNotFoundException ex)     {        Logger.getLogger(MyExternalizable.class.getName()).log(Level.SEVERE, null, ex);    }    catch(IOException ex)    {        Logger.getLogger(MyExternalizable.class.getName()).log(Level.SEVERE, null, ex);    }}}

Here if you comment the default constructer then the code will throw below exception:

 java.io.InvalidClassException: javaserialization.MyExternalizable;      javaserialization.MyExternalizable; no valid constructor.

We can observe that as password is sensitive information, so i am not serializing it in writeExternal(ObjectOutput oo) method and not setting the value of same in readExternal(ObjectInput oi). That's the flexibility that is provided by Externalizable.

The output of the above code is as per below:

userName: nikki  passWord: student001  roll: 20***********************************************************************userName: nikki  passWord: null  roll: 20

We can observe as we are not setting the value of passWord so it's null.

The same can also be achieved by declaring the password field as transient.

private transient String passWord;

Hope it helps. I apologize if i made any mistakes. Thanks.

Key differences between Serializable and Externalizable

1. Marker interface: Serializable is marker interface without any methods. Externalizable interface contains two methods: writeExternal() and readExternal().
2. Serialization process: Default Serialization process will be kicked-in for classes implementing Serializable interface. Programmer defined Serialization process will be kicked-in for classes implementing Externalizable interface.
3. Maintenance: Incompatible changes may break serialisation.
4. Backward Compatibility and Control: If you have to support multiple versions, you can have full control with Externalizable interface. You can support different versions of your object. If you implement Externalizable, it's your responsibility to serialize super class
5. public No-arg constructor: Serializable uses reflection to construct object and does not require no arg constructor. But Externalizable demands public no-arg constructor.

Refer to blog by Hitesh Garg for more details.