In Spring Security, when there is an AuthenticationException, there are some AuthenticationFailureHandler implementations that save that exception as a session attribute for future use if needed. Spring Session uses, by default, the JDK mechanism to serialize the Session attributes.

In a scenario where the user-info-uri does not return the expected Content-Type (application/json), the RestOperations throws an UnknownContentTypeException that is handled by Spring Security and transformed into an AuthenticationException.

The problem is, when Spring Session tries to serialize the UnknownContentTypeException it fails because the type property inside it is not serializable.

A simple test can verify the behavior:

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Type;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.MediaType;
import org.springframework.web.client.UnknownContentTypeException;

@Test
void shouldBeSerializable() throws IOException {
    Type type = new ParameterizedTypeReference<Map<String, Object>>() {
    }.getType(); // a ParameterizedType, the kind of Type RestTemplate hands to the exception
    UnknownContentTypeException cause = new UnknownContentTypeException(type, MediaType.APPLICATION_JSON, 200, "OK", null, "body".getBytes());
    try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
         ObjectOutputStream objectOutputStream = new ObjectOutputStream(outputStream)) {
        objectOutputStream.writeObject(cause); // plain JDK serialization, as Spring Session uses by default; fails with NotSerializableException
    }
}

Is it expected that the exception cannot be serialized?

Comment From: sbrannen

Is it expected that the exception cannot be serialized?

Given that UnknownContentTypeException explicitly declares a serialVersionUID field, I assume it is unintentional that the exception cannot be serialized.

FWIW, none of the java.lang.reflect types are Serializable.

Perhaps we could make use of the internal SerializableTypeWrapper utility.

Comment From: Pushpa-Mali

Spring Session, by default, uses the JDK mechanism to serialize session attributes. In this scenario, when the UnknownContentTypeException is stored as a session attribute, Spring Session attempts to serialize it. However, the UnknownContentTypeException class itself may not be serializable because it contains a Type field that cannot be serialized.

This can lead to a problem because Spring Session tries to serialize the exception and fails, causing serialization errors.

Comment From: sbrannen

@Pushpa-Mali, please refrain from copying text from an issue's description and posting a summary as a comment.

It adds unnecessary noise to the discussion.

Comment From: rstoyanchev

We'll make the field transient.
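As an added example (not code from the issue or from Spring itself), the following reproduces the failure with a hypothetical stand-in exception holding a java.lang.reflect.Type field, then shows what the transient fix does: the round trip through JDK serialization succeeds, but the type is null afterwards, so anything reading it must tolerate that. TransientTypeDemo, BrokenException and FixedException are invented names.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.util.ArrayList;
import java.util.Map;

public class TransientTypeDemo {
    // Hypothetical stand-in for the exception before the fix: a plain java.lang.reflect.Type field.
    static class BrokenException extends RuntimeException {
        private static final long serialVersionUID = 1L;
        private final Type targetType; // JDK ParameterizedType implementations are not Serializable
        BrokenException(Type t) { super("unexpected content type"); this.targetType = t; }
    }
    // The same exception after the fix discussed in the thread: the field is transient.
    static class FixedException extends RuntimeException {
        private static final long serialVersionUID = 1L;
        private final transient Type targetType; // skipped on write, so null after readObject()
        FixedException(Type t) { super("unexpected content type"); this.targetType = t; }
        Type getTargetType() { return targetType; }
    }
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Obtain a Map<String, Object> ParameterizedType the way ParameterizedTypeReference does: from an anonymous subclass's generic superclass.
        ParameterizedType listOfMap = (ParameterizedType) new ArrayList<Map<String, Object>>() {}
                .getClass().getGenericSuperclass();
        Type mapType = listOfMap.getActualTypeArguments()[0];
        try {
            serialize(new BrokenException(mapType)); // fails exactly like the test in the issue
        } catch (NotSerializableException e) {
            System.out.println("broken: " + e.getMessage()); // prints the non-serializable impl class
        }
        // With the transient field the round trip succeeds, but the type is gone: callers must null-check.
        FixedException restored = (FixedException) deserialize(serialize(new FixedException(mapType)));
        System.out.println("fixed: " + restored.getMessage() + ", targetType=" + restored.getTargetType());
    }
}
```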