Describe the bug

spring-security-kerberos-core 2.0.0 introduced org.springframework.security.kerberos.authentication.JaasSubjectHolder.

This object wasn't in the spring-security-kerberos-core 1.0.1-RELEASE version, which used another object:

- Class org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider was not using JaasSubjectHolder.

Since 2.0.0, KerberosAuthenticationProvider started using JaasSubjectHolder.

Therefore, if Spring Security session management stores the object in the session, it has to be Serializable, especially if the session is backed by Redis, for example.

To Reproduce

Use:

.sessionManagement(management -> management.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))

+ store the session in Redis.

Expected behavior

No exception.

Sample

No sample provided, quite obvious reasoning.
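The failure mode the report describes, as an added example that is not part of the original report or the project's code. It assumes the session store uses JDK serialization; `SubjectHolderStandIn` and `AuthenticationStandIn` are hypothetical stand-ins, and the helper reports which session attribute fails and on which class.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

public class SessionAttributeSerializationCheck {

    // Hypothetical stand-in for a holder class that does not implement Serializable.
    static class SubjectHolderStandIn {
        String principalName = "user@EXAMPLE.ORG"; // constructed sample value
    }

    // Hypothetical stand-in for a Serializable authentication object that references the holder.
    static class AuthenticationStandIn implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name = "user@EXAMPLE.ORG"; // constructed sample value
        final SubjectHolderStandIn holder = new SubjectHolderStandIn();
    }

    /** Returns attribute name -> class that broke JDK serialization; empty if all pass. */
    static Map<String, String> findNonSerializable(Map<String, Object> attributes) {
        Map<String, String> failures = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue()); // walks the whole object graph, not just the top class
            } catch (NotSerializableException ex) {
                failures.put(e.getKey(), ex.getMessage()); // message is the offending class name
            } catch (IOException ex) {
                failures.put(e.getKey(), ex.toString());
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        Map<String, Object> attributes = new LinkedHashMap<>(); // constructed sample session
        attributes.put("SPRING_SECURITY_CONTEXT", new AuthenticationStandIn());
        attributes.put("locale", "en_US");
        System.out.println(findNonSerializable(attributes));
    }
}
```

Running the same helper over real session attributes in an integration test catches a non-Serializable field before the session is written to an external store.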

Comment From: rstribrn

Please close this bug, it's a duplicate of: https://github.com/spring-projects/spring-security-kerberos/issues/178