Unexplained NullPointerException during deserialization when integrating Spring Security and Spring Session [BUG] #1286
Comments
https://oss.sonatype.org/content/repositories/snapshots/com/alibaba/fastjson2/fastjson2/2.0.27-SNAPSHOT/
@wenshao Which jar?
@insight720 The last one.
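I used the last jar, fastjson2-2.0.27-20230326.172629-40; judging by the timestamp 20230326.172629, it should have been published after yesterday's fix. The problem is similar to the original one: it reports a different NPE. The error log and test code are below.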
```java
import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONReader;
import com.alibaba.fastjson2.filter.ContextAutoTypeBeforeHandler;
import org.junit.jupiter.api.Test; // JUnit 5 assumed; the post does not show its imports

import java.nio.charset.StandardCharsets;

public class SecurityApplicationTest {
    @Test
    public void json() throws Throwable {
        // The token on its own
        String delegate = """
                {
                    "@type": "org.springframework.security.authentication.UsernamePasswordAuthenticationToken",
                    "authenticated": true,
                }
                """;
        // The same token nested inside a SecurityContextImpl
        String container = """
                {
                    "@type": "org.springframework.security.core.context.SecurityContextImpl",
                    "authentication": {
                        "@type": "org.springframework.security.authentication.UsernamePasswordAuthenticationToken",
                        "authenticated": true,
                    }
                }
                """;
        // Allow-list of the classes that autoType may instantiate
        ContextAutoTypeBeforeHandler contextAutoTypeBeforeHandler = new ContextAutoTypeBeforeHandler(new String[]{
                "org.springframework.security.core.context.SecurityContextImpl",
                "org.springframework.security.authentication.UsernamePasswordAuthenticationToken",
        });
        Object success = JSON.parseObject(delegate.getBytes(StandardCharsets.UTF_8), Object.class, contextAutoTypeBeforeHandler,
                JSONReader.Feature.FieldBased, JSONReader.Feature.SupportAutoType);
        Object failure = JSON.parseObject(container.getBytes(StandardCharsets.UTF_8), Object.class, contextAutoTypeBeforeHandler,
                JSONReader.Feature.FieldBased, JSONReader.Feature.SupportAutoType);
    }
}
```
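@wenshao It seems that a jar not imported through Maven can't be debugged, and I can't see what is wrong either; it's just that the Class object is null.
https://oss.sonatype.org/content/repositories/snapshots/com/alibaba/fastjson2/fastjson2/2.0.27-SNAPSHOT/
@wenshao Verified, thanks for the fix.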
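Problem description
I am integrating Spring Security and Spring Session, and using FastJson2's autoType to serialize the Session information into Redis. On deserialization an unexplained java.lang.NullPointerException: Cannot invoke "Object.hashCode()" because "key" is null is thrown. The stack trace shows that the exception occurs because the key passed to ConcurrentHashMap is null, and I have not found the reason the key is null. I looked at the class being deserialized, SecurityContextImpl; it only delegates to an implementation of the Authentication interface, and the implementation I use is UsernamePasswordAuthenticationToken. Taking the UsernamePasswordAuthenticationToken out and serializing it separately gives a normal result, but serializing SecurityContextImpl directly throws an NPE. The SecurityContextImpl class is fairly simple; I have pasted its source below.
Environment
Steps to reproduce
How to reproduce the problem:
NullPointerException error.
Expected result
SecurityContextImpl can be deserialized directly, without having to take out the Authentication.
Relevant log output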
*java.lang.NullPointerException: Cannot invoke "Object.hashCode()" because "key" is null