
Can we deny a Java object for serialization other than by using the transient keyword?

Published: 2020-12-14 17:48:09 | Category: Java | Source: compiled from the web
We can avoid serializing a field by using the transient keyword.
Is there any other way of doing that?

Solution

http://java.sun.com/javase/6/docs/platform/serialization/spec/security.html

SUMMARY: Preventing Serialization of Sensitive Data

Fields containing sensitive data should not be serialized; doing so exposes their values to any party with access to the serialization stream. There are several methods for preventing a field from being serialized:

  1. Declare the field as private transient.
  2. Define the serialPersistentFields field of the class in question, and omit the field from the list of field descriptors.
  3. Write a class-specific serialization method (i.e., writeObject or writeExternal) which does not write the field to the serialization stream (i.e., by not calling ObjectOutputStream.defaultWriteObject).

Here are some links.

Declaring serialPersistentFields.

Serialization architecture specification.

Security in Object Serialization.

(Editor: 李大同)
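The second and third methods from the list above, shown next to a default-serialization control, as an added example that is not from the original page or the specification. The class names and the sample secret are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class SensitiveFieldDemo {
    // Control: default serialization writes every non-transient, non-static field.
    static class Plain implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String user, password;
        Plain(String u, String p) { user = u; password = p; }
    }

    // Method 2: only fields listed in serialPersistentFields are serializable.
    static class Listed implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("user", String.class) // "password" omitted on purpose
        };
        private final String user, password;
        Listed(String u, String p) { user = u; password = p; }
    }

    // Method 3: class-specific writeObject that never calls defaultWriteObject().
    static class Custom implements Serializable {
        private static final long serialVersionUID = 1L;
        private String user, password;
        Custom(String u, String p) { user = u; password = p; }
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.writeUTF(user); // the password value is never written
        }
        private void readObject(ObjectInputStream in) throws IOException {
            user = in.readUTF(); // password stays null after deserialization
        }
    }

    // Serializes obj and reports whether the secret's bytes occur in the stream.
    static boolean leaks(Object obj, String secret) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        // ISO-8859-1 maps each byte to one char, so a substring search is a byte search.
        return new String(buf.toByteArray(), StandardCharsets.ISO_8859_1).contains(secret);
    }

    public static void main(String[] args) throws IOException {
        String secret = "CONSTRUCTED-SECRET-123"; // constructed sample value
        System.out.println("default serialization leaks: " + leaks(new Plain("alice", secret), secret));
        System.out.println("serialPersistentFields leaks: " + leaks(new Listed("alice", secret), secret));
        System.out.println("custom writeObject leaks: " + leaks(new Custom("alice", secret), secret));
    }
}
```

In the `Custom` class the field name still appears in the class descriptor written to the stream; only its value is withheld.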
