readObject与readValue

ObjectInputStream的readObject是将二进制数据还原成一个对象

ObjectInputStream ois = new ObjectInputStream(this.mClient.getInputStream())
Object o = ois.readObject();

而objectMapper.readValue（jackson组件，可以实现json跟javabean之间的转换）是根据get/set方法来读写对象
比如这个待序列化的类

public class Demo {
    private String name;  
    private Integer age;
    private String email;

    public String getName_1() {  
        return name;  
    }  
    public void setName_1(String name) {  
        this.name = name;  
    }  

    public Integer getAge() {  
        return age;  
    }  
    public void setAge(Integer age) {  
        this.age = age;  
    }

    public String toString(){
        return "name:" + name + " age:" + age;
    }
}

对他进行序列化

public class DemoSerialize {

    public static void main(String[] args) throws Throwable {
        Demo test = new Demo();
        test.setName_1("novy");
        test.setAge(18);

        ObjectMapper mapper = new ObjectMapper();
        String json = mapper.writeValueAsString(test);
        System.out.println(json);

        List<Demo> test2 = new ArrayList<Demo>();  
        test2.add(test);  
        String jsonlist = mapper.writeValueAsString(test2);  
        System.out.println(jsonlist);  
    }
}

结果输出为

{"age":18,"name_1":"novy"}
[{"age":18,"name_1":"novy"}]

反序列化

public class DemoDeserialize {

    public static void main(String[] args) throws Throwable {
        String json = "{\"name_1\":\"novy\",\"age\":18}"; 
        ObjectMapper mapper = new ObjectMapper();  
        Demo user = mapper.readValue(json, Demo.class); //根据Demo类中存在的set/get方法进行反序列化  
        System.out.println(user.toString());  
    }
}

结果输出为

name:novy age:18

不分析了，看参考链接

参考链接
http://blog.nsfocus.net/jackson-framework-java-vulnerability-analysis/