Spring Security: SEC-1387

Spring beans annotated with @Secured are not serializable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.0.2
    • Component/s: None
    • Labels: None

      Description

      If a Spring bean in flow scope is annotated with @Secured, the following exception is thrown when Spring Web Flow tries to serialize the scope:

      org.springframework.webflow.execution.repository.snapshot.SnapshotCreationException: Could not serialize flow execution; make sure all objects stored in flow or flash scope are serializable
      at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshot.<init>(SerializedFlowExecutionSnapshot.java:74)
      at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshotFactory.createSnapshot(SerializedFlowExecutionSnapshotFactory.java:70)
      at org.springframework.webflow.execution.repository.snapshot.AbstractSnapshottingFlowExecutionRepository.snapshot(AbstractSnapshottingFlowExecutionRepository.java:75)
      at org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository.putFlowExecution(DefaultFlowExecutionRepository.java:123)
      at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:165)
      Truncated. see log file for complete stacktrace
      java.io.NotSerializableException: java.lang.Object
      at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
      at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1509)
      at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1474)
      at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1392)
      at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1150)
      Truncated. see log file for complete stacktrace

      Probably the same issue reported in SPR-6680.

        Activity

        Luke Taylor added a comment -

        I've modified MethodSecurityMetadataSourceAdvisor to give it a readObject() method and supply it with the SecurityMetadataSource bean name in the constructor, as well as making this and the advice reference transient. It reads the bean from the bean factory when deserializing, preventing the need to serialize everything fully (MethodSecurityMetadataSource instances aren't serializable).

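The pattern described in the fix above, shown as an added stand-alone example (not Spring Security's own code): an advisor whose collaborator is not serializable keeps only the collaborator's bean name in its serialized form, marks the live reference transient, and re-resolves it in readObject(). The MetadataSource and BeanRegistry classes below are constructed stand-ins for MethodSecurityMetadataSource and Spring's BeanFactory so the example runs with plain javac; the NaiveAdvisor class reproduces the failing shape for contrast.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/** Stand-in for MethodSecurityMetadataSource: deliberately NOT Serializable. */
final class MetadataSource {
    private final String rules;
    MetadataSource(String rules) { this.rules = rules; }
    String rules() { return rules; }
}

/** Constructed stand-in for the BeanFactory that deserialized objects resolve collaborators from. */
final class BeanRegistry {
    private static final Map<String, Object> BEANS = new HashMap<>();
    static void register(String name, Object bean) { BEANS.put(name, bean); }
    static <T> T getBean(String name, Class<T> type) {
        Object bean = BEANS.get(name);
        if (bean == null) throw new IllegalStateException("no bean named " + name);
        return type.cast(bean);
    }
}

/** The failing shape: a direct, non-transient reference to a non-serializable object. */
final class NaiveAdvisor implements Serializable {
    private static final long serialVersionUID = 1L;
    private final MetadataSource metadataSource;
    NaiveAdvisor(MetadataSource metadataSource) { this.metadataSource = metadataSource; }
}

/** The fixed shape: only the bean name is written; the reference is rebuilt on read. */
final class SecuredAdvisor implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String metadataSourceBeanName;     // serialized
    private transient MetadataSource metadataSource; // skipped by serialization

    SecuredAdvisor(String metadataSourceBeanName) {
        this.metadataSourceBeanName = metadataSourceBeanName;
        this.metadataSource = BeanRegistry.getBean(metadataSourceBeanName, MetadataSource.class);
    }

    String describe() { return "advisor using " + metadataSource.rules(); }

    // Invoked by ObjectInputStream after the non-transient fields have been restored.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        this.metadataSource = BeanRegistry.getBean(metadataSourceBeanName, MetadataSource.class);
    }
}

public class SerializableAdvisorDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        MetadataSource source = new MetadataSource("@Secured rules");
        BeanRegistry.register("methodSecurityMetadataSource", source);

        // Before: the snapshot fails exactly as the stack trace in the description shows.
        try {
            serialize(new NaiveAdvisor(source));
        } catch (NotSerializableException e) {
            System.out.println("naive advisor failed: " + e.getMessage());
        }

        // After: the name round-trips, and readObject() re-resolves the live bean.
        SecuredAdvisor advisor = new SecuredAdvisor("methodSecurityMetadataSource");
        SecuredAdvisor copy = (SecuredAdvisor) deserialize(serialize(advisor));
        System.out.println(copy.describe());
    }
}
```

In a real Spring context the advisor would obtain the factory through BeanFactoryAware rather than a static registry; the consequence is the same and worth noting for anyone persisting flow snapshots: the security metadata applied after deserialization comes from the live application context under that bean name, not from whatever was captured in the stored snapshot.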
        Mauricio Noda added a comment -

        Thanks! It is working perfectly in Spring Security 3.0.2.


          People

          • Assignee: Luke Taylor
          • Reporter: Mauricio Noda
          • Votes: 0
          • Watchers: 0