
SEC-1387: Spring beans annotated with @Secured are not serializable #1631

spring-issuemaster opened this Issue Jan 26, 2010 · 2 comments



Mauricio Noda (Migrated from SEC-1387) said:

If a Spring bean in flow scope is annotated with @Secured, the following exception is thrown when Spring Web Flow tries to serialize the scope:

org.springframework.webflow.execution.repository.snapshot.SnapshotCreationException: Could not serialize flow execution; make sure all objects stored in flow or flash scope are serializable
at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshot.<init>(SerializedFlowExecutionSnapshot.java:74)
at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshotFactory.createSnapshot(SerializedFlowExecutionSnapshotFactory.java:70)
at org.springframework.webflow.execution.repository.snapshot.AbstractSnapshottingFlowExecutionRepository.snapshot(AbstractSnapshottingFlowExecutionRepository.java:75)
at org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository.putFlowExecution(DefaultFlowExecutionRepository.java:123)
at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:165)
Truncated. see log file for complete stacktrace
java.io.NotSerializableException: java.lang.Object
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1474)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1392)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1150)
Truncated. see log file for complete stacktrace

Probably the same issue reported in SPR-6680.

Luke Taylor said:

I've modified MethodSecurityMetadataSourceAdvisor to give it a readObject() method and supply it with the SecurityMetadataSource bean name in the constructor, as well as making this and the advice reference transient. It reads the bean from the bean factory when deserializing, preventing the need to serialize everything fully (MethodSecurityMetadataSource instances aren't serializable).
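The pattern described in that comment, as an added example that is not the project's own code: the non-serializable collaborator is held in a transient field, only its bean name is serialized, and readObject() resolves the bean again from the BeanFactory. It assumes spring-beans on the classpath; MetadataSource, SerializableHolder and TransientBeanDemo are hypothetical names, and the bean factory is given a serialization id so that it can itself be written as a reference and resolved back to the live factory in the same JVM.

```java
import java.io.*;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;

// Hypothetical stand-in for a collaborator that is not Serializable (like a MethodSecurityMetadataSource).
class MetadataSource {
    private final String name;
    MetadataSource(String name) { this.name = name; }
    String describe() { return "metadata source '" + name + "'"; }
}

// Keeps the non-serializable collaborator transient, remembers only its bean name, and re-resolves
// it from the BeanFactory in readObject(), the same pattern as the fix described above.
// The BeanFactory field is deliberately not transient: DefaultListableBeanFactory serializes as a
// reference to its serialization id and resolves back to the live factory in the same JVM.
class SerializableHolder implements Serializable, BeanFactoryAware {
    private static final long serialVersionUID = 1L;
    private final String metadataSourceBeanName;
    private transient MetadataSource metadataSource;
    private BeanFactory beanFactory;
    SerializableHolder(String metadataSourceBeanName) { this.metadataSourceBeanName = metadataSourceBeanName; }

    public void setBeanFactory(BeanFactory beanFactory) {
        this.beanFactory = beanFactory;
        this.metadataSource = beanFactory.getBean(metadataSourceBeanName, MetadataSource.class);
    }
    MetadataSource getMetadataSource() { return metadataSource; }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject(); // restores beanFactory and metadataSourceBeanName, not the transient field
        metadataSource = beanFactory.getBean(metadataSourceBeanName, MetadataSource.class);
    }
}

public class TransientBeanDemo {
    public static void main(String[] args) throws Exception {
        DefaultListableBeanFactory factory = new DefaultListableBeanFactory();
        factory.setSerializationId("demo-factory"); // without an id the factory itself is not serializable
        factory.registerSingleton("secureMetadataSource", new MetadataSource("secure"));
        SerializableHolder holder = new SerializableHolder("secureMetadataSource");
        holder.setBeanFactory(factory);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(holder); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            SerializableHolder copy = (SerializableHolder) in.readObject();
            System.out.println("After deserialization: " + copy.getMetadataSource().describe());
        }
    }
}
```

Removing the transient modifier from metadataSource reproduces the NotSerializableException from the report, which makes a quick regression check for any bean that ends up in a serialized scope.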

Mauricio Noda said:

Thanks! It is working perfectly in Spring Security 3.0.2.

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016
