Documentation and maybe a blog post should be added for https://github.com/spring-projects/spring-security/issues/3737
Comment From: marcusdacoregio
https://spring.io/blog/2024/01/19/spring-security-6-3-adds-passive-jdk-serialization-deserialization-for/
Comment From: seabamirum
For those who would like to upgrade to 6.3 but are still on 6.x versions before 6.2.0, you can use the custom ObjectInputStream solution provided by OrangeDog. If you're using Redis, implement your own Deserializer and pass it in to the JdkSerializationRedisSerializer constructor.
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

import org.springframework.context.annotation.Bean;
import org.springframework.core.serializer.Deserializer;
import org.springframework.core.serializer.support.DeserializingConverter;
import org.springframework.core.serializer.support.SerializingConverter;
import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;

// ObjectInputStream that ignores the serialVersionUID stored in the stream for
// Spring Security classes only; every other class keeps the normal compatibility check.
public class CustomObjectInputStream extends ObjectInputStream {

    public CustomObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
        ObjectStreamClass descriptor = super.readClassDescriptor();
        if (descriptor.getName().startsWith("org.springframework.security.")) {
            // Ignore the serialized version and use the current version instead
            return ObjectStreamClass.lookupAny(Class.forName(descriptor.getName()));
        } else {
            return descriptor;
        }
    }
}

// Deserializer plugged into DeserializingConverter so the custom stream is used for session data.
public class CustomDeserializer implements Deserializer<Object> {

    @SuppressWarnings("resource")
    @Override
    public Object deserialize(InputStream inputStream) throws IOException {
        try {
            return new CustomObjectInputStream(inputStream).readObject();
        }
        catch (ClassNotFoundException ex) {
            throw new IOException("Failed to deserialize object type", ex);
        }
    }
}

// Declared in a @Configuration class; Spring Session Data Redis picks up this bean name.
@Bean
JdkSerializationRedisSerializer springSessionDefaultRedisSerializer() {
    return new JdkSerializationRedisSerializer(new SerializingConverter(),
            new DeserializingConverter(new CustomDeserializer()));
}
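To see what the readClassDescriptor override actually does, here is a self-contained demonstration (an added example, not code from the thread or from Spring): it serializes a constructed stand-in class, overwrites the serialVersionUID bytes in the stream to mimic a record written by an older version, and shows the default ObjectInputStream rejecting it while the lenient stream (same technique, package prefix made a parameter) accepts it. The class name, field and prefix "SuidMismatchDemo" are assumptions for the demo.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class SuidMismatchDemo {
    // Constructed stand-in for a Spring Security type whose serialVersionUID changed (assumption).
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String principal = "alice";
    }
    // Same technique as CustomObjectInputStream above, with the trusted package prefix as a parameter.
    static class LenientObjectInputStream extends ObjectInputStream {
        private final String prefix;
        LenientObjectInputStream(InputStream in, String prefix) throws IOException {
            super(in);
            this.prefix = prefix;
        }
        @Override
        protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
            ObjectStreamClass fromStream = super.readClassDescriptor();
            if (!fromStream.getName().startsWith(prefix)) {
                return fromStream; // every other class keeps the normal serialVersionUID check
            }
            // Substitute the local class's descriptor so its serialVersionUID wins over the stream's
            return ObjectStreamClass.lookupAny(Class.forName(fromStream.getName()));
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Overwrite the 8-byte big-endian serialVersionUID that directly follows the class name in the
    // TC_CLASSDESC record, simulating a stream written by another version of the same class.
    static byte[] withSuid(byte[] stream, String className, long suid) {
        int at = new String(stream, StandardCharsets.ISO_8859_1).indexOf(className) + className.length();
        byte[] out = stream.clone();
        for (int i = 7; i >= 0; i--, suid >>>= 8) out[at + i] = (byte) suid;
        return out;
    }
    public static void main(String[] args) throws Exception {
        byte[] tampered = withSuid(serialize(new Payload()), Payload.class.getName(), 2L);
        try {
            new ObjectInputStream(new ByteArrayInputStream(tampered)).readObject();
        } catch (InvalidClassException e) {
            System.out.println("default ObjectInputStream rejects it: " + e.getMessage());
        }
        Payload p = (Payload) new LenientObjectInputStream(
                new ByteArrayInputStream(tampered), "SuidMismatchDemo").readObject();
        System.out.println("lenient stream reads principal=" + p.principal);
    }
}
```

The override only substitutes the descriptor; the stream position is unchanged, so this works as long as the field layout of the old and new class versions still matches, which is the situation the workaround above relies on.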