SEC-1220: Google App Engine compatibility issues #1471

Closed
spring-issuemaster opened this Issue Aug 12, 2009 · 6 comments

1 participant

@spring-issuemaster

Guido García (Migrated from SEC-1220) said:

Currently, Spring Security 3 is not compatible with Google App Engine (GAE), as it uses classes not listed in the JRE Class White List (http://code.google.com/intl/en/appengine/docs/java/jrewhitelist.html).

It would be great to have at least a compatibility mode.

The changes to be done :

STRING COMPARATIONS

UNMODIFIABLE COLLECTIONS

  • Rest of code : remove references to Collections.unmodifiableXXX. Instead, use the raw collection in case you are in a GAE environment.

For example, in AbstractAuthenticationToken.java, use
this.authorities = authorities
instead of
this.authorities = Collections.unmodifiableList(authorities)

@spring-issuemaster

Luke Taylor said:

Removing the Collections.unmodifiableList call would make the authorities list mutable and it's a basic assumption that the Authenticaition object is immutable with respect to the key security data it contains. Is there a particular reason why this class isn't available in GAE?

@spring-issuemaster

Guido García said:

I do not know the reason why java.lang.String$CaseInsensitiveComparator and Collections$UnmodifiableXXX classes are not available in GAE. Is there any alternative to make a collection inmutable?

I modified SavedRequest and java.lang.String$CaseInsensitiveComparator class not found exception disapears when deployed in GAE.

I was not able to modify the rest of code to check in GAE that the other exception (Collections$UnmodifiableXXX class not found) also goes away, as there are a lot of dependencies in Spring Security and I was not able to compile the whole project and regenerate the jars following the steps in http://static.springsource.org/spring-security/site/build.html.

@spring-issuemaster

Guido García said:

It is documented as a bug in GAE : http://code.google.com/p/googleappengine/issues/detail?id=1290 (do not forget to vote for it :)

Seems to be an object serialization issue with some JRE classes, so the only workaround in the short term is to modify Spring Security source to avoid using that JRE classes in Spring Security classes intended to be serialized.

@spring-issuemaster

Luke Taylor said:

Realistically this will have to wait for Google to sort things out. Changing core design or adding substitute classes to the framework to compensate for those missing from the JDK isn't really a viable option.

@spring-issuemaster

jimbo said:

Hi,

Thanks for the info on this issue, I managed to get spring security working by amending the source as suggested. If anyone would like a link to the re-compiled core jar I created please feel free to download at: http://www.google-app-engine.com/blog/post/Spring-security-fix-for-google-app-engine.aspx

Jim

@spring-issuemaster

Guido García said:

Google guys say it has been fixed in GAE 1.2.5
http://code.google.com/p/googleappengine/issues/detail?id=1290

Just in case anyone here is interested.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment