SEC-1220: Google App Engine compatibility issues

[spring-projects-issues]

Guido García (Migrated from SEC-1220) said:

Currently, Spring Security 3 is not compatible with Google App Engine (GAE), as it uses classes not listed in the JRE Class White List (http://code.google.com/intl/en/appengine/docs/java/jrewhitelist.html).

It would be great to have at least a compatibility mode.

The changes to be done :

STRING COMPARATIONS

• SavedRequest : remove references to String.CASE_INSENSITIVE_ORDER. Instead, use a custom class "StringInsensitiveComparator" based on Collator, as described at http://groups.google.com/group/google-appengine-java/msg/9500e505d67df1bf

UNMODIFIABLE COLLECTIONS

• Rest of code : remove references to Collections.unmodifiableXXX. Instead, use the raw collection in case you are in a GAE environment.

For example, in AbstractAuthenticationToken.java, use
this.authorities = authorities
instead of
this.authorities = Collections.unmodifiableList(authorities)

[spring-projects-issues]

Luke Taylor said:

Removing the Collections.unmodifiableList call would make the authorities list mutable and it's a basic assumption that the Authenticaition object is immutable with respect to the key security data it contains. Is there a particular reason why this class isn't available in GAE?

[spring-projects-issues]

Guido García said:

I do not know the reason why java.lang.String$CaseInsensitiveComparator and Collections$UnmodifiableXXX classes are not available in GAE. Is there any alternative to make a collection inmutable?

I modified SavedRequest and java.lang.String$CaseInsensitiveComparator class not found exception disapears when deployed in GAE.

I was not able to modify the rest of code to check in GAE that the other exception (Collections$UnmodifiableXXX class not found) also goes away, as there are a lot of dependencies in Spring Security and I was not able to compile the whole project and regenerate the jars following the steps in http://static.springsource.org/spring-security/site/build.html.

[spring-projects-issues]

Guido García said:

It is documented as a bug in GAE : http://code.google.com/p/googleappengine/issues/detail?id=1290 (do not forget to vote for it :)

Seems to be an object serialization issue with some JRE classes, so the only workaround in the short term is to modify Spring Security source to avoid using that JRE classes in Spring Security classes intended to be serialized.

[spring-projects-issues]

Luke Taylor said:

Realistically this will have to wait for Google to sort things out. Changing core design or adding substitute classes to the framework to compensate for those missing from the JDK isn't really a viable option.

[spring-projects-issues]

jimbo said:

Hi,

Thanks for the info on this issue, I managed to get spring security working by amending the source as suggested. If anyone would like a link to the re-compiled core jar I created please feel free to download at: http://www.google-app-engine.com/blog/post/Spring-security-fix-for-google-app-engine.aspx

Jim

[spring-projects-issues]

Guido García said:

Google guys say it has been fixed in GAE 1.2.5
http://code.google.com/p/googleappengine/issues/detail?id=1290

Just in case anyone here is interested.