In Spring Security, when there is an `AuthenticationException`, there are some `AuthenticationFailureHandler` implementations that save that exception as a session attribute for future use if needed. Spring Session uses, by default, the JDK mechanism to serialize the session attributes.

In a scenario where the `user-info-uri` does not return the expected Content-Type (`application/json`), the `RestOperations` throws an `UnknownContentTypeException` that is handled by Spring Security and transformed into an `AuthenticationException`.

The problem is, when Spring Session tries to serialize the `UnknownContentTypeException` it fails because the `type` property inside it is not serializable.
A simple test can verify the behavior:
```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Type;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.MediaType;
import org.springframework.web.client.UnknownContentTypeException;

@Test
void shouldBeSerializable() throws IOException {
	Type type = new ParameterizedTypeReference<Map<String, Object>>() {
	}.getType();
	UnknownContentTypeException cause = new UnknownContentTypeException(type, MediaType.APPLICATION_JSON, 200, "OK", null, "body".getBytes());
	try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
			ObjectOutputStream objectOutputStream = new ObjectOutputStream(outputStream)) {
		objectOutputStream.writeObject(cause); // fails with NotSerializableException because of the Type field
	}
}
```
Is it expected that the exception cannot be serialized?
Comment From: sbrannen
> Is it expected that the exception cannot be serialized?
Given that `UnknownContentTypeException` explicitly declares a `serialVersionUID` field, I assume it is unintentional that the exception cannot be serialized.

FWIW, none of the `java.lang.reflect` types are `Serializable`.

Perhaps we could make use of the internal `SerializableTypeWrapper` utility.
Comment From: Pushpa-Mali
Spring Session, by default, uses the JDK mechanism to serialize session attributes. In this scenario, when the UnknownContentTypeException is stored as a session attribute, Spring Session attempts to serialize it. However, the UnknownContentTypeException class itself may not be serializable because it contains a Type field that cannot be serialized.
This can lead to a problem because Spring Session tries to serialize the exception and fails, causing serialization errors.
Comment From: sbrannen
@Pushpa-Mali, please refrain from copying text from an issue's description and posting a summary as a comment.
It adds unnecessary noise to the discussion.
Comment From: rstoyanchev
We'll make the field transient.
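The following self-contained program is an added illustration of the failure mode discussed in this thread and of what the `transient` fix changes; it is not Spring code and does not depend on Spring. `BrokenContentTypeException` and `FixedContentTypeException` are hypothetical stand-ins for `UnknownContentTypeException` before and after the fix, and the `Holder` class is used only to obtain a `ParameterizedType` (the kind of `Type` a `ParameterizedTypeReference<Map<String, Object>>` yields) without a Spring dependency.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Type;
import java.util.Map;

public class ExceptionSerializationDemo {

    /** Hypothetical stand-in for the pre-fix exception: a plain java.lang.reflect.Type field. */
    static class BrokenContentTypeException extends RuntimeException {
        private static final long serialVersionUID = 1L;
        private final Type targetType; // ParameterizedType implementations are not Serializable

        BrokenContentTypeException(Type targetType, String message) {
            super(message);
            this.targetType = targetType;
        }

        Type getTargetType() {
            return this.targetType;
        }
    }

    /** Same shape with the field marked transient, mirroring the fix agreed in the thread. */
    static class FixedContentTypeException extends RuntimeException {
        private static final long serialVersionUID = 1L;
        private final transient Type targetType; // skipped by JDK serialization, null after readObject

        FixedContentTypeException(Type targetType, String message) {
            super(message);
            this.targetType = targetType;
        }

        Type getTargetType() {
            return this.targetType;
        }
    }

    /** Holder whose generic field gives us a ParameterizedType via reflection (constructed for the demo). */
    static class Holder {
        Map<String, Object> value;
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Only ever fed bytes produced by serialize() above in this process; never point
    // an unfiltered ObjectInputStream at data from outside the application.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Type mapType = Holder.class.getDeclaredField("value").getGenericType();
        System.out.println("Type implementation: " + mapType.getClass().getName());

        // 1. Before the fix: the JDK refuses to serialize the reflective Type held by the exception.
        try {
            serialize(new BrokenContentTypeException(mapType, "unexpected Content-Type"));
            System.out.println("unexpected: serialized without error");
        } catch (NotSerializableException e) {
            System.out.println("before fix -> NotSerializableException: " + e.getMessage());
        }

        // 2. After the fix: the exception round-trips, but the transient field is gone afterwards.
        byte[] bytes = serialize(new FixedContentTypeException(mapType, "unexpected Content-Type"));
        FixedContentTypeException restored = (FixedContentTypeException) deserialize(bytes);
        System.out.println("after fix  -> message: " + restored.getMessage()
                + ", targetType after deserialization: " + restored.getTargetType());
    }
}
```

Two things worth noticing when running it. First, the failure only appears for parameterized types: a raw `Class` object is `Serializable`, so a `Type` field holding `Map.class` would have serialized fine, which is why this is easy to miss in tests that use non-generic targets. Second, `transient` makes the exception storable in a JDK-serialized session, but any code that reads the type back from a deserialized instance (for example a failure handler rendering the stored `AuthenticationException` on a later request) sees `null` and needs to tolerate that.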