I am wondering what serialization mechanism we should choose when transferring objects over the network. What are the pros and cons?
I know most of the tim
I once attended a security engineer training; it did not recommend using Java native serialization due to a security weakness on the Java native deserialization side, which can accept any (potentially injected malicious) byte stream. Also, XML has a known security issue when the definition/schema is not defined correctly, called XXE (XML External Entities). It may cause a "billion laughs" attack on the consuming side.
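To make the two points in the answer above concrete, here is an added example (my own code, not from the original thread or from any project). It shows the "accepts any byte stream" problem with `ObjectInputStream`: an unfiltered reader instantiates whatever class the stream names, while a reader with a JEP 290 `ObjectInputFilter` allowlist (Java 9+) rejects everything except the one data class we expect. The second half configures the JDK's built-in XML parser so that any DOCTYPE is refused, which shuts out both external entities (XXE) and internal entity expansion (billion laughs) before any expansion happens. The class and method names (`SafeDeserialization`, `Point`, `readFiltered`, `parseXmlHardened`), the `ArrayList` standing in for an "unexpected" class, and the small three-level laughs document are all constructed for this example; the filter pattern assumes the class is compiled in the default package, so its binary name is `SafeDeserialization$Point`.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeDeserialization {

    // The only class we are willing to accept from the wire: a plain data holder.
    public static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int x, y;
        public Point(int x, int y) { this.x = x; this.y = y; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Unrestricted reader: whatever class the byte stream names gets loaded and instantiated.
    // This is the behaviour the answer warns about; gadget chains only need this to work.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened reader: JEP 290 allowlist. "SafeDeserialization$Point" is allowed, "!*" rejects
    // every other class (pattern assumes the default package). maxdepth bounds nested graphs.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=2;SafeDeserialization$Point;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Hardened XML parser: refusing the DOCTYPE declaration itself removes both external
    // entities (XXE) and internal entity expansion (billion laughs) in one setting.
    static Document parseXmlHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false); // belt and braces; the DOCTYPE ban is the real control
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Point(1, 2));
        // Constructed stand-in for "a class the server never expected to receive".
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("not", "a", "Point")));

        System.out.println("unfiltered, Point     : " + readUnfiltered(good).getClass().getName());
        System.out.println("unfiltered, ArrayList : " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered,   Point     : " + readFiltered(good).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered,   ArrayList : ACCEPTED (filter misconfigured?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   ArrayList : rejected (" + e.getMessage() + ")");
        }

        String benign = "<point><x>1</x><y>2</y></point>";
        // Constructed three-level "laughs" document: enough to show the shape, tiny enough to be safe.
        String laughs = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE lolz [\n"
                + " <!ENTITY lol \"lol\">\n"
                + " <!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
                + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
                + "]>\n<lolz>&lol3;</lolz>";

        System.out.println("hardened XML, benign  : root=" + parseXmlHardened(benign).getDocumentElement().getTagName());
        try {
            parseXmlHardened(laughs);
            System.out.println("hardened XML, DOCTYPE : ACCEPTED (parser not hardened?)");
        } catch (SAXParseException e) {
            System.out.println("hardened XML, DOCTYPE : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SafeDeserialization.java && java SafeDeserialization` on Java 9 or later. The design choice worth noting: both controls are allowlists at the parser boundary rather than checks on the decoded object afterwards. By the time `readObject()` returns, an unexpected class has already been constructed (and its `readObject`/`readResolve` run), and by the time an entity-expanding parser returns, the memory is already spent; the filter and the DOCTYPE ban act before either happens.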