Describe the bug After upgrading from Spring Security 5.7 to 6.0, we noticed that the logout process initiated by the Saml2 relying party no longer works.
This is because the Saml2RelyingPartyInitiatedLogoutSuccessHandler tries to save the logout request in a HttpSessionLogoutRequestRepository. The HttpSessionLogoutRequestRepository tries to save the logout request inside the session. Our session is managed by redis and the JdkSerializationRedisSerializer is responsable for serializing the deserializing the objects.
But because the Saml2LogoutRequest contains a lambda as the default encoder, the JdkSerializationRedisSerializer is not able to serialize the Saml2LogoutRequest object and does not save the logout request. Upon receving the saml2 logout response from the IDP, no session can be found which contains the logout request and we get an HTTP Status 400 – Bad Request.
Using the Jackson2Json Jackson2JsonRedisSerializer does not work, because the Saml2LogoutRequest does not have any public constructors, only a builder.
Seems like the change with the encoder came attribute with version 5.8 and has not been adressed so far, even though it seems like a general bug that should affect many others. I dont see a simple way how to workaround and would appreciate some help.
Expected behavior The encoder attribute should not lead to a NotSerializableException if redis and JdkSerializationRedisSerializer is used for the management of sessions.
2022-12-28T00:38:16.330+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.s.w.a.l.SecurityContextLogoutHandler : Invalidated session cd26191c-7e36-450a-ac4b-747c3e48a108
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'springApplicationAdminRegistrar'
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'authenticationLogService'
2022-12-28T00:38:16.332+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.jdbc.datasource.DataSourceUtils : Fetching JDBC Connection from DataSource
2022-12-28T00:38:16.332+01:00 DEBUG 21872 --- [enerContainer-4] o.s.d.redis.core.RedisConnectionUtils : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.334+01:00 DEBUG 21872 --- [enerContainer-4] o.s.d.redis.core.RedisConnectionUtils : Closing Redis Connection
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'springApplicationAdminRegistrar'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.c.e.ApplicationListenerMethodAdapter : No result object given - no result to handle
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'sessionEventHttpSessionListenerAdapter'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'tokenService'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2022-12-28T00:38:16.335+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.339+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Closing Redis Connection
2022-12-28T00:38:16.339+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.340+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Closing Redis Connection
2022-12-28T00:38:16.341+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.344+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Closing Redis Connection
2022-12-28T00:38:16.345+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.346+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Closing Redis Connection
2022-12-28T00:38:16.346+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.c.e.ApplicationListenerMethodAdapter : No result object given - no result to handle
2022-12-28T00:38:16.346+01:00 TRACE 21872 --- [nio-9500-exec-5] .p.s.w.a.l.OpenSamlLogoutRequestResolver : Attempting to resolve registrationId from Saml2Authentication [Principal=eu.firmax.cms.auth.idp.saml.usermapping.CustomSamlPrincipal[super=eu.firmax.cms.auth.idp.saml.usermapping.CustomSamlPrincipal[principal=eu.firmax.cms.auth.user.CustomUserDetails[username=null, password=, accountNonLocked=false, credentialsNonExpired=false, credentialId=null]], name=test, attributes={bPK2=[98e7aa71-8767-4524-b577-d5770d8552da]}, relyingPartyRegistrationId=keycloak-saml, sessionIndexes=[d2d52bab-e3d9-43ec-9f18-69dcd2364dae::4a8325cf-6f20-4c0c-a5fa-96ee4bdeb232]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=958eeaad-4407-495c-b00e-be00bd801fea], Granted Authorities=[]]
2022-12-28T00:38:16.348+01:00 WARN 21872 --- [nio-9500-exec-5] DEPRECATED : Java class method 'setSessionIndex', (interface org.opensaml.saml.saml2.core.SessionIndex): This will be removed in the next major version of this software; replacement is setValue
2022-12-28T00:38:16.364+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.aop.framework.JdkDynamicAopProxy : Creating JDK dynamic proxy: EmptyTargetSource: no target class, static
2022-12-28T00:38:16.364+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.365+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils : Closing Redis Connection
2022-12-28T00:38:16.366+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.s.w.h.S.SESSION_LOGGER : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2022-12-28T00:38:16.366+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.s.w.h.S.SESSION_LOGGER : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER
java.lang.RuntimeException: For debugging purposes only (not an error)
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:313) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:327) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:194) ~[spring-session-core-3.0.0.jar:3.0.0]
at jakarta.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:253) ~[tomcat-embed-core-10.1.1.jar:6.0]
at jakarta.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:253) ~[tomcat-embed-core-10.1.1.jar:6.0]
at org.springframework.security.saml2.provider.service.web.authentication.logout.HttpSessionLogoutRequestRepository.saveLogoutRequest(HttpSessionLogoutRequestRepository.java:75) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2RelyingPartyInitiatedLogoutSuccessHandler.onLogoutSuccess(Saml2RelyingPartyInitiatedLogoutSuccessHandler.java:81) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:104) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:130) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter.doFilterInternal(Saml2LogoutResponseFilter.java:97) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter.doFilterInternal(Saml2LogoutRequestFilter.java:105) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilterInternal(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.0.jar:6.0.0]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:351) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-6.0.2.jar:6.0.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:143) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:400) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
2022-12-28T00:38:16.367+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2022-12-28T00:38:16.367+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper@c9f41bf
2022-12-28T00:38:16.367+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.aop.framework.JdkDynamicAopProxy : Creating JDK dynamic proxy: EmptyTargetSource: no target class, static
2022-12-28T00:38:16.371+01:00 ERROR 21872 --- [nio-9500-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.data.redis.serializer.SerializationException: Cannot serialize
at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:96) ~[spring-data-redis-3.0.0.jar:3.0.0]
at org.springframework.data.redis.core.AbstractOperations.rawHashValue(AbstractOperations.java:186) ~[spring-data-redis-3.0.0.jar:3.0.0]
at org.springframework.data.redis.core.DefaultHashOperations.putAll(DefaultHashOperations.java:161) ~[spring-data-redis-3.0.0.jar:3.0.0]
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:577) ~[na:na]
at org.springframework.data.redis.core.BoundOperationsProxyFactory$BoundOperationsMethodInterceptor.doInvoke(BoundOperationsProxyFactory.java:183) ~[spring-data-redis-3.0.0.jar:3.0.0]
at org.springframework.data.redis.core.BoundOperationsProxyFactory$BoundOperationsMethodInterceptor.invoke(BoundOperationsProxyFactory.java:153) ~[spring-data-redis-3.0.0.jar:3.0.0]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.2.jar:6.0.2]
at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor.invoke(DefaultMethodInvokingMethodInterceptor.java:77) ~[spring-data-commons-3.0.0.jar:3.0.0]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.2.jar:6.0.2]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:218) ~[spring-aop-6.0.2.jar:6.0.2]
at jdk.proxy4/jdk.proxy4.$Proxy111.putAll(Unknown Source) ~[na:na]
at org.springframework.session.data.redis.RedisIndexedSessionRepository$RedisSession.saveDelta(RedisIndexedSessionRepository.java:851) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
at org.springframework.session.data.redis.RedisIndexedSessionRepository$RedisSession.save(RedisIndexedSessionRepository.java:839) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
at org.springframework.session.data.redis.RedisIndexedSessionRepository.save(RedisIndexedSessionRepository.java:477) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
at org.springframework.session.data.redis.RedisIndexedSessionRepository.save(RedisIndexedSessionRepository.java:257) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:228) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:146) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-3.0.0.jar:3.0.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.2.jar:6.0.2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:400) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer
at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:64) ~[spring-core-6.0.2.jar:6.0.2]
at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:33) ~[spring-core-6.0.2.jar:6.0.2]
at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:94) ~[spring-data-redis-3.0.0.jar:3.0.0]
... 40 common frames omitted
Caused by: java.io.NotSerializableException: org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest$$Lambda$1574/0x00000008017530b0
at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1192) ~[na:na]
at java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1577) ~[na:na]
at java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1534) ~[na:na]
at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1443) ~[na:na]
at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1186) ~[na:na]
at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:358) ~[na:na]
at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:46) ~[spring-core-6.0.2.jar:6.0.2]
at org.springframework.core.serializer.Serializer.serializeToByteArray(Serializer.java:56) ~[spring-core-6.0.2.jar:6.0.2]
at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:60) ~[spring-core-6.0.2.jar:6.0.2]
... 42 common frames omitted
Comment From: jzheaux
Thanks, @tisch030, and my apologies for the trouble. This appears to be an oversight. Are you able to submit a PR that marks the encoder as transient? It would also be nice to create a test that confirms that Java serialization of Saml2LogoutRequest works.
Comment From: tisch030
Thanks for the reply and the confirmation that it was indeed an oversight and not necessarily a mistake on my part @jzheaux . I would really like to contribute (it would be my first ever PR for an open source project), but unfortunately I'm in the middle of my bachelor thesis and already a bit behind schedule. Marking an attribute as transient is not hard, but I wouldn't have the time to read through the contributor guidelines, set up gradle (I only have experience with maven) and write the appropriate test for serialization. That's why it would probably make the most sense for someone else to create a PR for it. I will keep my eyes on this and if the issue is still open in 4 weeks, I would most likely take it on myself and be very happy to provide a PR.
Thank you again and happy new year everyone.
Thanks, @tisch030, and my apologies for the trouble. This appears to be an oversight. Are you able to submit a PR that marks the
encoderastransient? It would also be nice to create a test that confirms that Java serialization ofSaml2LogoutRequestworks.
Comment From: jzheaux
No problem, @tisch030. I'll leave the issue marked as ideal-for-contribution for the time being and see if anyone picks it up in the meantime.
Comment From: dkodippily
@jzheaux can i work on this ? @tisch030 is it ok if i pick this ?
Comment From: tisch030
@dkodippily yes, absolutely.
Comment From: dkodippily
Hi @jzheaux , can I raise a PR for this?
Comment From: dkodippily
Hi @jzheaux , I'm pretty sure you got busy with SpringOne, I raised a PR #12638 before I could get any update if I can work on this issue, please take a look.