Spring Security
  1. Spring Security
  2. SEC-1220

Google App Engine compatibility issues

    Details

    • Type: Refactoring Refactoring
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0 M1
    • Fix Version/s: 3.0.0 RC1
    • Component/s: None
    • Labels:
      None
    • Environment:
      Google App Engine SDK 1.2.2

      Description

      Currently, Spring Security 3 is not compatible with Google App Engine (GAE), as it uses classes not listed in the JRE Class White List (http://code.google.com/intl/en/appengine/docs/java/jrewhitelist.html).

      It would be great to have at least a compatibility mode.

      The changes to be done :

      STRING COMPARATIONS

      UNMODIFIABLE COLLECTIONS

      • Rest of code : remove references to Collections.unmodifiableXXX. Instead, use the raw collection in case you are in a GAE environment.

      For example, in AbstractAuthenticationToken.java, use
      this.authorities = authorities
      instead of
      this.authorities = Collections.unmodifiableList(authorities)

        Activity

        Hide
        Luke Taylor added a comment -

        Removing the Collections.unmodifiableList call would make the authorities list mutable and it's a basic assumption that the Authenticaition object is immutable with respect to the key security data it contains. Is there a particular reason why this class isn't available in GAE?

        Show
        Luke Taylor added a comment - Removing the Collections.unmodifiableList call would make the authorities list mutable and it's a basic assumption that the Authenticaition object is immutable with respect to the key security data it contains. Is there a particular reason why this class isn't available in GAE?
        Hide
        Guido García added a comment -

        I do not know the reason why java.lang.String$CaseInsensitiveComparator and Collections$UnmodifiableXXX classes are not available in GAE. Is there any alternative to make a collection inmutable?

        I modified SavedRequest and java.lang.String$CaseInsensitiveComparator class not found exception disapears when deployed in GAE.

        I was not able to modify the rest of code to check in GAE that the other exception (Collections$UnmodifiableXXX class not found) also goes away, as there are a lot of dependencies in Spring Security and I was not able to compile the whole project and regenerate the jars following the steps in http://static.springsource.org/spring-security/site/build.html.

        Show
        Guido García added a comment - I do not know the reason why java.lang.String$CaseInsensitiveComparator and Collections$UnmodifiableXXX classes are not available in GAE. Is there any alternative to make a collection inmutable? I modified SavedRequest and java.lang.String$CaseInsensitiveComparator class not found exception disapears when deployed in GAE. I was not able to modify the rest of code to check in GAE that the other exception (Collections$UnmodifiableXXX class not found) also goes away, as there are a lot of dependencies in Spring Security and I was not able to compile the whole project and regenerate the jars following the steps in http://static.springsource.org/spring-security/site/build.html .
        Hide
        Guido García added a comment -

        It is documented as a bug in GAE : http://code.google.com/p/googleappengine/issues/detail?id=1290 (do not forget to vote for it

        Seems to be an object serialization issue with some JRE classes, so the only workaround in the short term is to modify Spring Security source to avoid using that JRE classes in Spring Security classes intended to be serialized.

        Show
        Guido García added a comment - It is documented as a bug in GAE : http://code.google.com/p/googleappengine/issues/detail?id=1290 (do not forget to vote for it Seems to be an object serialization issue with some JRE classes, so the only workaround in the short term is to modify Spring Security source to avoid using that JRE classes in Spring Security classes intended to be serialized.
        Hide
        Luke Taylor added a comment -

        Realistically this will have to wait for Google to sort things out. Changing core design or adding substitute classes to the framework to compensate for those missing from the JDK isn't really a viable option.

        Show
        Luke Taylor added a comment - Realistically this will have to wait for Google to sort things out. Changing core design or adding substitute classes to the framework to compensate for those missing from the JDK isn't really a viable option.
        Hide
        jimbo added a comment -

        Hi,

        Thanks for the info on this issue, I managed to get spring security working by amending the source as suggested. If anyone would like a link to the re-compiled core jar I created please feel free to download at: http://www.google-app-engine.com/blog/post/Spring-security-fix-for-google-app-engine.aspx

        Jim

        Show
        jimbo added a comment - Hi, Thanks for the info on this issue, I managed to get spring security working by amending the source as suggested. If anyone would like a link to the re-compiled core jar I created please feel free to download at: http://www.google-app-engine.com/blog/post/Spring-security-fix-for-google-app-engine.aspx Jim
        Hide
        Guido García added a comment -

        Google guys say it has been fixed in GAE 1.2.5
        http://code.google.com/p/googleappengine/issues/detail?id=1290

        Just in case anyone here is interested.

        Show
        Guido García added a comment - Google guys say it has been fixed in GAE 1.2.5 http://code.google.com/p/googleappengine/issues/detail?id=1290 Just in case anyone here is interested.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Guido García
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: