Fields in a Serializable class must themselves be either Serializable or transient, even if the class is never explicitly serialized or deserialized. That is because under load, many J2EE application servers passivate or replicate objects such as session attributes, which means serializing them to disk or across the network. An allegedly Serializable object with a non-transient, non-serializable data member fails at that moment with a java.io.NotSerializableException, a runtime error the compiler cannot catch. The result is a failed request or lost session state, an availability problem that an attacker can trigger simply by driving enough load to force passivation, and the unhandled exception, if it reaches the client, discloses internal class names.
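The following is an added example, not code from the original page: a hypothetical session object holding a hypothetical non-serializable resource (`ConnectionHandle`), shown first in the broken form and then with the field marked transient and re-established after deserialization. The `roundTrip` helper does what a container does at passivation time, so the failure surfaces at runtime rather than at compile time. All class and field names are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializableFieldCheck {

    /** Hypothetical non-serializable resource, e.g. a pooled connection or a socket. */
    static final class ConnectionHandle {
        final String target;
        ConnectionHandle(String target) { this.target = target; }
    }

    /** Before: claims to be Serializable but holds a non-transient, non-Serializable field. */
    static final class UserSessionBad implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String userId;
        private final ConnectionHandle conn; // neither Serializable nor transient: compiles fine, fails at passivation
        UserSessionBad(String userId, ConnectionHandle conn) { this.userId = userId; this.conn = conn; }
    }

    /** After: the resource is transient and re-acquired after deserialization. */
    static final class UserSessionGood implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String userId;
        private transient ConnectionHandle conn; // skipped by default serialization
        UserSessionGood(String userId, ConnectionHandle conn) { this.userId = userId; this.conn = conn; }

        ConnectionHandle connection() { return conn; }

        // After defaultReadObject() the transient field is null; re-establish it here
        // so callers never see a half-initialized object.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            conn = new ConnectionHandle("reacquired-for-" + userId); // hypothetical re-acquire
        }
    }

    /** Serializes an object the way a container does when it passivates or replicates a session. */
    static byte[] roundTrip(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ConnectionHandle handle = new ConnectionHandle("db://primary"); // constructed sample resource

        try {
            roundTrip(new UserSessionBad("alice", handle));
            System.out.println("unexpected: bad session serialized");
        } catch (NotSerializableException e) {
            // The message names the offending class, which is what a client would see
            // if the exception propagated unhandled.
            System.out.println("bad session rejected: " + e.getMessage());
        }

        byte[] bytes = roundTrip(new UserSessionGood("alice", handle));
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            UserSessionGood restored = (UserSessionGood) ois.readObject();
            System.out.println("good session restored for " + restored.userId
                + ", connection " + restored.connection().target);
        }
    }
}
```

Compile and run with `javac SerializableFieldCheck.java && java SerializableFieldCheck`. The first attempt throws `NotSerializableException` naming `SerializableFieldCheck$ConnectionHandle`; the second round-trips cleanly and comes back with a freshly acquired handle rather than a null field. Running `roundTrip` over session attributes in a unit test is a cheap way to catch this class of defect before a loaded container does.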