  1. Spring Framework
  2. SPR-14214

ApplicationListenerDetector should prevent serialization of its ApplicationContext reference

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.1.7, 4.1.8, 4.1.9, 4.2 GA, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5
    • Fix Version/s: 4.2.6, 4.3 RC2
    • Component/s: Web
    • Labels: None
    • Last commented by a User: true

      Description

      I'm trying to migrate a Spring web application from version 3.x to version 4.2 of Spring.

      My application is deployed in a cluster of Tomcat 7 that uses memcached-session-manager (https://github.com/magro/memcached-session-manager) to serialize the session, serializing the objects with Kryo.

      When serializing the session I found an error that made me suspect that I'm trying to serialize the Spring ApplicationContext.

      Debugging my application I found this:

      Inside the session there is a key “org.springframework.web.context.request.ServletRequestAttributes.DESTRUCTION_CALLBACK.scopedTarget.restSessionDataHolder” whose value references the ApplicationContext.

      I find this for each bean declared in session scope. For example:

      @Component
      @Scope(proxyMode=ScopedProxyMode.TARGET_CLASS,value="session")
      public class RestSessionDataHolder implements Serializable{
      ...
      

      In the method “org.springframework.web.context.request.ServletRequestAttributes.registerSessionDestructionCallback(String name, Runnable callback)”, Spring stores in the session a key named “org.springframework.web.context.request.ServletRequestAttributes.DESTRUCTION_CALLBACK.scopedTarget.[BEAN_NAME]” with a value that indirectly references the ApplicationContext.

      Inside this attribute there are two “DestructionAwareBeanPostProcessor” instances: “CommonAnnotationBeanPostProcessor” and “org.springframework.context.support.PostProcessorRegistrationDelegate$ApplicationListenerDetector”.

      “PostProcessorRegistrationDelegate$ApplicationListenerDetector” has existed since Spring 4.0 and may have a bug:

      private static class ApplicationListenerDetector implements MergedBeanDefinitionPostProcessor, DestructionAwareBeanPostProcessor {
      ...
      		private final AbstractApplicationContext applicationContext;
      
      

      I think that the attribute “private final AbstractApplicationContext applicationContext” should be “transient”.

      For example, the similar attributes of “CommonAnnotationBeanPostProcessor” are transient:

      public class CommonAnnotationBeanPostProcessor extends InitDestroyAnnotationBeanPostProcessor
      		implements InstantiationAwareBeanPostProcessor, BeanFactoryAware, Serializable {
      
      ...
      
      	private transient BeanFactory jndiFactory = new SimpleJndiBeanFactory();
      
      	private transient BeanFactory resourceFactory;
      
      	private transient BeanFactory beanFactory;
      
      	private transient final Map<String, InjectionMetadata> injectionMetadataCache =
      			new ConcurrentHashMap<String, InjectionMetadata>(256);
      

        Attachments

        1. imagen1.png (56 kB)
        2. imagen2.png (82 kB)
        3. imagen3.png (117 kB)
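
An added example, not part of the original report and not Spring's code: a reflective walk over a session attribute that reports the field path by which a field-based serializer would reach a context object, and shows that marking the field transient cuts that path. The classes AppContext, DetectorBefore, DetectorAfter and DestructionCallback are hypothetical stand-ins for the types named in the description.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.*;

public class SessionGraphAudit {
    // Hypothetical stand-ins for the types named in the issue (not Spring's classes).
    static class AppContext { }
    static class DetectorBefore { private final AppContext applicationContext = new AppContext(); }
    static class DetectorAfter { private final transient AppContext applicationContext = new AppContext(); }
    static class DestructionCallback {
        private final Object postProcessor;
        DestructionCallback(Object postProcessor) { this.postProcessor = postProcessor; }
    }

    /** Returns the field path from root to an instance of forbidden, or null if none is
     *  reachable through non-static, non-transient fields. */
    static String findPath(Object root, Class<?> forbidden) throws IllegalAccessException {
        Map<Object, String> seen = new IdentityHashMap<>();   // identity-based, so cycles terminate
        Deque<Object> queue = new ArrayDeque<>();
        seen.put(root, root.getClass().getSimpleName());
        queue.add(root);
        while (!queue.isEmpty()) {
            Object current = queue.poll();
            if (forbidden.isInstance(current)) return seen.get(current);
            // JDK classes and arrays are not descended into; collections are out of scope here.
            if (current.getClass().getName().startsWith("java.") || current.getClass().isArray()) continue;
            for (Class<?> c = current.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
                for (Field f : c.getDeclaredFields()) {
                    int m = f.getModifiers();
                    if (Modifier.isStatic(m) || Modifier.isTransient(m) || f.getType().isPrimitive()) continue;
                    f.setAccessible(true);
                    Object value = f.get(current);
                    if (value != null && !seen.containsKey(value)) {
                        seen.put(value, seen.get(current) + "." + f.getName());
                        queue.add(value);
                    }
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws IllegalAccessException {
        // Constructed session attributes, mirroring the DESTRUCTION_CALLBACK entries described above.
        System.out.println(findPath(new DestructionCallback(new DetectorBefore()), AppContext.class));
        System.out.println(findPath(new DestructionCallback(new DetectorAfter()), AppContext.class));
    }
}
```

Running the same walk over each attribute of a real session before it is handed to the session store gives an early signal that a container-level object is about to leave the JVM.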

              People

              Assignee:
              juergen.hoeller Juergen Hoeller
              Reporter:
              fanjulito Ricardo Fanjul Fandiño
              Last updater:
              Spring Issuemaster
              Votes:
              0
              Watchers:
              3
