Objects which implement the Externalizable interface must provide a public readExternal method. Since this method is public, it can be called at arbitrary times by anyone with access to the object. To prevent overwriting of the object's internal state by multiple (illegal) calls to readExternal, implementors may choose to add checks to insure that internal values are only set when appropriate:
public synchronized void readExternal(ObjectInput in)
throws IOException, ClassNotFoundException
{
if (! initialized) {
initialized = true;
// read in and set field values ...
} else {
throw new IllegalStateException();
}
}