AnsweredAssumed Answered

Why does Activiti TaskListener extend java.io.Serializable

Question asked by gkd.deepak on Feb 24, 2016
Latest reply on Mar 1, 2016 by jbarrez
I would like to know the reason why Activiti TaskListener was made to extend java.io.Serializable.

Because TaskListener extends java.io.Serializable , if the implementation classes for TaskListener use references to other classes , the code review tool is suggesting the following :

"Fields in a Serializable class must themselves be either Serializable or transient even if the class is never explicitly serialized or deserialized. That's because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers."


@Listener
public class ApproveRejectNotificationListener implements TaskListener {
   
   private static final long serialVersionUID = 1L;

   @Resource
   private BPMTaskService bpmTaskService;   //Noncompliant Code Example
   
}

To fix the issue, I can make this variable transient.

But I want to know the rationale behind in making this TaskListener  extend Serializable. This will allow us to make sure we have designed and implemented the TaskListener classes as expected by Activiti in our application and discover any edge case scenarios if any by  violating the contracts .









Outcomes