I would like to know the reason why Activiti TaskListener was made to extend java.io.Serializable.
Because TaskListener extends java.io.Serializable , if the implementation classes for TaskListener use references to other classes , the code review tool is suggesting the following :
"Fields in a Serializable class must themselves be either Serializable or transient even if the class is never explicitly serialized or deserialized. That's because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers."
@Listener
public class ApproveRejectNotificationListener implements TaskListener {
private static final long serialVersionUID = 1L;
@Resource
private BPMTaskService bpmTaskService; //Noncompliant Code Example
}
To fix the issue, I can make this variable transient.
But I want to know the rationale behind in making this TaskListener extend Serializable. This will allow us to make sure we have designed and implemented the TaskListener classes as expected by Activiti in our application and discover any edge case scenarios if any by violating the contracts .
