Guido García (Migrated from SEC-1220) said:
Currently, Spring Security 3 is not compatible with Google App Engine (GAE), as it uses classes not listed in the JRE Class White List (http://code.google.com/intl/en/appengine/docs/java/jrewhitelist.html).
It would be great to have at least a compatibility mode.
The changes to be done :
For example, in AbstractAuthenticationToken.java, use
this.authorities = authorities
this.authorities = Collections.unmodifiableList(authorities)
Luke Taylor said:
Removing the Collections.unmodifiableList call would make the authorities list mutable and it's a basic assumption that the Authenticaition object is immutable with respect to the key security data it contains. Is there a particular reason why this class isn't available in GAE?
Guido García said:
I do not know the reason why java.lang.String$CaseInsensitiveComparator and Collections$UnmodifiableXXX classes are not available in GAE. Is there any alternative to make a collection inmutable?
I modified SavedRequest and java.lang.String$CaseInsensitiveComparator class not found exception disapears when deployed in GAE.
I was not able to modify the rest of code to check in GAE that the other exception (Collections$UnmodifiableXXX class not found) also goes away, as there are a lot of dependencies in Spring Security and I was not able to compile the whole project and regenerate the jars following the steps in http://static.springsource.org/spring-security/site/build.html.
It is documented as a bug in GAE : http://code.google.com/p/googleappengine/issues/detail?id=1290 (do not forget to vote for it :)
Seems to be an object serialization issue with some JRE classes, so the only workaround in the short term is to modify Spring Security source to avoid using that JRE classes in Spring Security classes intended to be serialized.
Realistically this will have to wait for Google to sort things out. Changing core design or adding substitute classes to the framework to compensate for those missing from the JDK isn't really a viable option.
Thanks for the info on this issue, I managed to get spring security working by amending the source as suggested. If anyone would like a link to the re-compiled core jar I created please feel free to download at: http://www.google-app-engine.com/blog/post/Spring-security-fix-for-google-app-engine.aspx
Google guys say it has been fixed in GAE 1.2.5
Just in case anyone here is interested.