  Spring Security / SEC-1387

Spring beans annotated with @Secured are not serializable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.0.2
    • Component/s: None
    • Labels: None

      Description

      If a Spring bean in flow scope is annotated with @Secured, the following exception is thrown when Spring Web Flow tries to serialize the scope:

      org.springframework.webflow.execution.repository.snapshot.SnapshotCreationException: Could not serialize flow execution; make sure all objects stored in flow or flash scope are serializable
      at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshot.<init>(SerializedFlowExecutionSnapshot.java:74)
      at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshotFactory.createSnapshot(SerializedFlowExecutionSnapshotFactory.java:70)
      at org.springframework.webflow.execution.repository.snapshot.AbstractSnapshottingFlowExecutionRepository.snapshot(AbstractSnapshottingFlowExecutionRepository.java:75)
      at org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository.putFlowExecution(DefaultFlowExecutionRepository.java:123)
      at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:165)
      Truncated. see log file for complete stacktrace
      java.io.NotSerializableException: java.lang.Object
      at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
      at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1509)
      at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1474)
      at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1392)
      at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1150)
      Truncated. see log file for complete stacktrace

      Probably the same issue reported in SPR-6680.

        Activity

        luke Luke Taylor added a comment -

        I've modified MethodSecurityMetadataSourceAdvisor to give it a readObject() method and supply it with the SecurityMetadataSource bean name in the constructor, as well as making this and the advice reference transient. It reads the bean from the bean factory when deserializing, preventing the need to serialize everything fully (MethodSecurityMetadataSource instances aren't serializable).

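        The pattern Luke describes (keep the non-serializable collaborator transient, serialize only its bean name, and re-resolve it in readObject()), as an added JDK-only example that is not Spring Security's code: BeanRegistry, MetadataSource and SecuredAdvisor are hypothetical stand-ins for the BeanFactory, MethodSecurityMetadataSource and advisor named in the comment.

```java
import java.io.*;
import java.util.*;

// Hypothetical stand-in for Spring's BeanFactory: beans are found by name, the registry by an id string.
final class BeanRegistry {
    private static final Map<String, BeanRegistry> REGISTRIES = new HashMap<>();
    private final Map<String, Object> beans = new HashMap<>();
    BeanRegistry(String id) { REGISTRIES.put(id, this); }
    static BeanRegistry byId(String id) { return REGISTRIES.get(id); }
    void register(String name, Object bean) { beans.put(name, bean); }
    <T> T getBean(String name, Class<T> type) { return type.cast(beans.get(name)); }
}

// Deliberately not Serializable, like MethodSecurityMetadataSource in the report.
final class MetadataSource { String rolesFor(String m) { return m.startsWith("delete") ? "ROLE_ADMIN" : "ROLE_USER"; } }

// Hypothetical advisor using the fix pattern: transient collaborator, bean name serialized, readObject() re-resolves.
final class SecuredAdvisor implements Serializable {
    private final String registryId;
    private final String metadataSourceBeanName;
    private transient MetadataSource metadataSource;   // never written to the stream
    SecuredAdvisor(String registryId, String metadataSourceBeanName) {
        this.registryId = registryId;
        this.metadataSourceBeanName = metadataSourceBeanName;
        resolve();
    }
    private void resolve() {
        metadataSource = BeanRegistry.byId(registryId).getBean(metadataSourceBeanName, MetadataSource.class);
    }
    String rolesFor(String method) { return metadataSource.rolesFor(method); }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();   // restores only the two String fields
        resolve();                // fetch the bean again instead of deserializing it
    }
}

public class SecuredAdvisorRoundTrip {
    public static void main(String[] args) throws Exception {
        BeanRegistry registry = new BeanRegistry("flow-app-context");
        registry.register("securityMetadataSource", new MetadataSource());
        // Mimic Web Flow snapshotting flow scope: serialize, then deserialize the advisor.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new SecuredAdvisor("flow-app-context", "securityMetadataSource"));
        }
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()));
        SecuredAdvisor restored = (SecuredAdvisor) in.readObject();
        System.out.println(restored.rolesFor("deleteAccount"));   // ROLE_ADMIN: bean was re-resolved
    }
}
```

        The bean is looked up against whatever registry is live at deserialization time, so it must exist under the same name in the receiving application context, or readObject() fails instead of the snapshot write.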
        mnoda Mauricio Noda added a comment -

        Thanks! It is working perfectly in Spring Security 3.0.2.


          People

          • Assignee: luke Luke Taylor
          • Reporter: mnoda Mauricio Noda
