FlashMap's cannot be easily serialized by means other than java serialization [SPR-12757] #17354

Closed
spring-issuemaster opened this issue Feb 25, 2015 · 5 comments

commented Feb 25, 2015

Jelmer Kuperus opened SPR-12757 and commented

Currently it is not easy to serialize an org.springframework.web.servlet.FlashMap using anything other than regular Java serialization or frameworks that use reflective field access.

The problem is that the expirationStartTime and timeToLive fields can only be set by invoking startExpirationPeriod.

So suppose that I wanted to serialize this object to a JSON object to store in a cookie; then I would not be able to do this.

Using Java serialization in this context would be ill-advised, as this post points out:

http://stackoverflow.com/questions/19054460/what-is-the-security-impact-of-deserializing-untrusted-data-in-java


Affects: 4.1.5

Issue Links:

  • #13637 Make flash attributes use cookie to enable stateless webapp

Referenced from: commits 83ff0ad

commented Feb 26, 2015

Rossen Stoyanchev commented

To provide getters and setters would compromise the design too much. Perhaps we could provide a method to return a SerializableFlashMap type with proper getters and setters and also a reverse method for creating a FlashMap from a SerializableFlashMap. Or did you have something else in mind?

commented Feb 26, 2015

Rossen Stoyanchev commented

This is related to #13637.

commented Feb 26, 2015

Jelmer Kuperus commented

That does immediately strike me as the most elegant solution. One of the problems, I think, is that for some reason it stores what is effectively an expiry date as two fields and then does calculations on every request to arrive at this date. Doing the calculation once in startExpirationPeriod and then exposing a getter for this field, plus a static factory method for creating a FlashMap with this value, would not compromise the design that much, I think.

commented Feb 27, 2015

Rossen Stoyanchev commented

Thanks for the suggestion, seems reasonable. Feel free to submit a PR if you're in the middle of it.

commented Mar 19, 2015

Rossen Stoyanchev commented

I've switched to a single expirationTime property in FlashMap as suggested and have provided setter and getter for it.
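
Added example, not part of the thread and not Spring's own code: with the expirationTime getter and setter described in the last comment, a FlashMap can be copied into a plain DTO and written as JSON, so cookie data never passes through Java deserialization. The class `FlashMapJson`, its `Dto` and the String-only attribute restriction are assumptions made for illustration, and Jackson's `ObjectMapper` is assumed to be on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.servlet.FlashMap;

/** Hypothetical helper: FlashMap <-> JSON through a DTO with fixed, simple types. */
public final class FlashMapJson {

    /** Plain data holder; String-only attribute values keep Jackson away from polymorphic typing. */
    public static class Dto {
        public Map<String, String> attributes = new LinkedHashMap<>();
        public String targetRequestPath;
        public Map<String, List<String>> targetRequestParams = new LinkedHashMap<>();
        public long expirationTime;
    }

    // Default ObjectMapper: default typing is not enabled, so the JSON cannot name classes to instantiate.
    private static final ObjectMapper MAPPER = new ObjectMapper();

    public static String toJson(FlashMap flashMap) throws Exception {
        Dto dto = new Dto();
        for (Map.Entry<String, Object> e : flashMap.entrySet()) {
            if (!(e.getValue() instanceof String)) {
                throw new IllegalArgumentException("Unsupported flash attribute type: " + e.getKey());
            }
            dto.attributes.put(e.getKey(), (String) e.getValue());
        }
        dto.targetRequestPath = flashMap.getTargetRequestPath();
        dto.targetRequestParams.putAll(flashMap.getTargetRequestParams());
        dto.expirationTime = flashMap.getExpirationTime();
        return MAPPER.writeValueAsString(dto);
    }

    // The cookie is client-controlled: verify its integrity (e.g. a MAC) before calling this.
    public static FlashMap fromJson(String json) throws Exception {
        Dto dto = MAPPER.readValue(json, Dto.class);
        if (dto.attributes == null || dto.targetRequestParams == null) {
            throw new IllegalArgumentException("Malformed flash map JSON");
        }
        FlashMap flashMap = new FlashMap();
        flashMap.putAll(dto.attributes);
        flashMap.setTargetRequestPath(dto.targetRequestPath);
        flashMap.addTargetRequestParams(new LinkedMultiValueMap<>(dto.targetRequestParams));
        flashMap.setExpirationTime(dto.expirationTime);
        return flashMap;
    }
}
```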
