I find CDI 1.0 section 6.6.4 and some of the TCK tests a little confusing. I know
serialization like the back of my hand and much of that section does not line up with
actual serialization requirements.
The bottom line is that you can't statically check a class's serialization
capabilities. Non-serializable object reference types are ok. Fields of java.lang.Object
and other non-serialzable types are ok. The reference type does not need to be
serializable, just the object at the other end of the reference needs to be serializable.
Obviously you can't check that at deploy time, you need the instance. You can't
even check it at runtime as there are callbacks in the Serialization API that allow the
instance to control it's own serialization. If the class implements Serializable you
just have to trust it will be when the time comes.
Small example: https://gist.github.com/988120
What's the point of mistrusting a class that claims to be serializable and adding
CDI-specific restrictions on its fields, methods and constructor types?