SEC-1387: Spring beans annotated with @Secured are not serializable #1631

Closed
spring-issuemaster opened this Issue Jan 26, 2010 · 2 comments


@spring-issuemaster

Mauricio Noda (Migrated from SEC-1387) said:

If a Spring bean in flow scope is annotated with @Secured, the following exception is thrown when Spring Web Flow tries to serialize the scope:

```
org.springframework.webflow.execution.repository.snapshot.SnapshotCreationException: Could not serialize flow execution; make sure all objects stored in flow or flash scope are serializable
at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshot.<init>(SerializedFlowExecutionSnapshot.java:74)
at org.springframework.webflow.execution.repository.snapshot.SerializedFlowExecutionSnapshotFactory.createSnapshot(SerializedFlowExecutionSnapshotFactory.java:70)
at org.springframework.webflow.execution.repository.snapshot.AbstractSnapshottingFlowExecutionRepository.snapshot(AbstractSnapshottingFlowExecutionRepository.java:75)
at org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository.putFlowExecution(DefaultFlowExecutionRepository.java:123)
at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:165)
Truncated. see log file for complete stacktrace
java.io.NotSerializableException: java.lang.Object
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1474)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1392)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1150)
Truncated. see log file for complete stacktrace
```

Probably the same issue reported in SPR-6680.

@spring-issuemaster

Luke Taylor said:

I've modified MethodSecurityMetadataSourceAdvisor to give it a readObject() method and supply it with the SecurityMetadataSource bean name in the constructor, as well as making this and the advice reference transient. It reads the bean from the bean factory when deserializing, preventing the need to serialize everything fully (MethodSecurityMetadataSource instances aren't serializable).
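The pattern described in the comment above (keep only the bean name in the serialized form, mark the non-serializable collaborator `transient`, and re-resolve it from the container in `readObject()`), shown as an added, self-contained Java illustration. This is not Spring Security's `MethodSecurityMetadataSourceAdvisor`; the class names, the `MetadataSource` stand-in and the static `BEAN_FACTORY` map (which plays the role of the Spring `BeanFactory` the real advisor receives via `BeanFactoryAware`) are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class TransientBeanRefDemo {

    /** Stand-in for MethodSecurityMetadataSource: deliberately NOT Serializable (hypothetical). */
    static final class MetadataSource {
        private final Object lock = new Object(); // a plain java.lang.Object, as in the reported trace
        String attributesFor(String method) {
            synchronized (lock) { return "ROLE_USER"; }
        }
    }

    /** Stand-in for the Spring BeanFactory: a registry that outlives the serialized snapshot (hypothetical). */
    static final Map<String, Object> BEAN_FACTORY = new HashMap<>();

    /** Naive advisor: holds the collaborator directly, so serializing it fails like SEC-1387. */
    static final class NaiveAdvisor implements Serializable {
        private static final long serialVersionUID = 1L;
        private final MetadataSource metadataSource; // not transient -> NotSerializableException
        NaiveAdvisor(MetadataSource metadataSource) { this.metadataSource = metadataSource; }
    }

    /** Fixed advisor: serializes only the bean NAME and re-resolves the bean on deserialization. */
    static final class SecuredAdvisor implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String metadataSourceBeanName;      // written to the stream
        private transient MetadataSource metadataSource;  // skipped by serialization

        SecuredAdvisor(String metadataSourceBeanName) {
            this.metadataSourceBeanName = metadataSourceBeanName;
            this.metadataSource = lookup(metadataSourceBeanName);
        }

        String check(String method) { return metadataSource.attributesFor(method); }

        private static MetadataSource lookup(String name) {
            Object bean = BEAN_FACTORY.get(name);
            if (bean == null) throw new IllegalStateException("no bean named " + name);
            return (MetadataSource) bean;
        }

        /** Restore the transient reference from the container instead of from the stream. */
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            metadataSource = lookup(metadataSourceBeanName);
        }
    }

    /** Serialize and deserialize through an in-memory buffer, as a flow snapshot would. */
    static <T> T roundTrip(T value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T restored = (T) in.readObject();
            return restored;
        }
    }

    public static void main(String[] args) throws Exception {
        MetadataSource source = new MetadataSource();
        BEAN_FACTORY.put("methodSecurityMetadataSource", source);

        try {
            roundTrip(new NaiveAdvisor(source));
        } catch (NotSerializableException e) {
            System.out.println("naive advisor failed as expected: " + e.getMessage());
        }

        SecuredAdvisor restored = roundTrip(new SecuredAdvisor("methodSecurityMetadataSource"));
        // The restored advisor still enforces the same metadata, re-acquired from the registry.
        System.out.println("restored advisor sees: " + restored.check("TransferService.transfer"));
    }
}
```

The security-relevant point is that the transient field is never left null after deserialization: `readObject()` fails loudly if the bean is missing rather than silently restoring an advisor that no longer applies any access checks.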

@spring-issuemaster

Mauricio Noda said:

Thanks! It is working perfectly in Spring Security 3.0.2.

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016