If a flow is called with missing mandatory inputs, a FlowInputMappingException occurs. If that flow runs in a Tomcat with session persistence enabled, a NotSerializableException occurs when Tomcat tries to persist the session.
The root cause for this seems to be that FlowInputMappingException contains MappingResults, by default implemented by the non-serializable class DefaultMappingResults. The exception is then handled by the TransitionExecutingFlowExecutionExceptionHandler. In its exposeException() method a comment states:
This is not true, however, as FlowInputMappingException implements Serializable but contains a non-serializable member.
The result of this is that serialization of the session will break. For some reason I do not understand yet, we saw an even more severe problem in Tomcat 8. When the session is persisted there, no exception is thrown. But reloading the session upon the next request fails because it cannot be deserialized. This basically means the user's session is broken and the user cannot work anymore.
I could not find the reason for this, but the root cause still seems to be that Web Flow stores a non-serializable object in the session.
I think this should be fixed by either making DefaultMappingResults serializable or transforming it to some serializable form before storing it into the session.
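The failure mode described in this report, reproduced as an added example that is not part of the original report or of Spring Web Flow's code. `MappingResultsStandIn`, `InputMappingExceptionStandIn` and `SerializableFailure` are hypothetical stand-ins for DefaultMappingResults, FlowInputMappingException and the "serializable form" proposed above; `trySerialize` writes the object the way a persistent session store would.

```java
import java.io.*;
import java.util.*;

public class SessionSerializationDemo {
    // Stand-in for DefaultMappingResults: does not implement Serializable.
    static class MappingResultsStandIn {
        final List<String> errors;
        MappingResultsStandIn(List<String> errors) { this.errors = errors; }
    }

    // Stand-in for FlowInputMappingException: Serializable through Throwable,
    // but it holds a non-serializable, non-transient member.
    static class InputMappingExceptionStandIn extends RuntimeException {
        final MappingResultsStandIn results;
        InputMappingExceptionStandIn(MappingResultsStandIn results) {
            super("missing mandatory flow input");
            this.results = results;
        }
    }

    // Proposed fix: copy what is needed into a serializable form before storing it.
    static class SerializableFailure implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        final ArrayList<String> errors;
        SerializableFailure(InputMappingExceptionStandIn e) {
            this.message = e.getMessage();
            this.errors = new ArrayList<>(e.results.errors);
        }
    }

    // Serializes a would-be session attribute; returns "ok" or the failure raised.
    static String trySerialize(Object sessionAttribute) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(sessionAttribute);
            return "ok";
        } catch (IOException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        InputMappingExceptionStandIn ex = new InputMappingExceptionStandIn(
                new MappingResultsStandIn(Arrays.asList("orderId: required"))); // constructed sample
        System.out.println("instanceof Serializable: " + (ex instanceof Serializable));
        System.out.println("raw exception:     " + trySerialize(ex));
        System.out.println("serializable copy: " + trySerialize(new SerializableFailure(ex)));
    }
}
```

An `instanceof Serializable` check passes for the raw exception, so only an actual write through `ObjectOutputStream` exposes the non-serializable member; the same round-trip can be run in a test over every attribute placed in the session.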