Description
In Spring Security, when an AuthenticationException occurs, some AuthenticationFailureHandler implementations save that exception as a session attribute for later use.
Spring Session uses the JDK serialization mechanism by default to serialize session attributes.
In a scenario where the user-info-uri does not return the expected Content-Type (application/json), RestOperations throws an UnknownContentTypeException, which Spring Security handles and transforms into an AuthenticationException.
The problem is that when Spring Session tries to serialize the UnknownContentTypeException, it fails because the type property inside it is not serializable.
A simple test can verify the behavior:
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Type;
import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.MediaType;
import org.springframework.web.client.UnknownContentTypeException;
@Test
void shouldBeSerializable() throws IOException {
// The Type returned here is the JDK's reflective ParameterizedType implementation, not a Class, so it is not Serializable
Type type = new ParameterizedTypeReference<Map<String, Object>>() {
}.getType();
UnknownContentTypeException cause = new UnknownContentTypeException(type, MediaType.APPLICATION_JSON, 200, "OK", null, "body".getBytes());
try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(outputStream)) {
objectOutputStream.writeObject(cause);
}
}
Is it expected that the exception cannot be serialized?
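Added example, not part of the issue report or of Spring Security's own code: a hypothetical AuthenticationFailureHandler that probes whether the failure exception survives JDK serialization before handing it to the stock SimpleUrlAuthenticationFailureHandler (which stores it in the session), and otherwise substitutes a plain AuthenticationServiceException that carries only the messages. The class name SerializableFailureHandler and the helper isJdkSerializable are assumptions; it assumes a Spring Security 6 / Jakarta Servlet classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/**
 * Hypothetical handler (assumption, not Spring Security's API): wraps the stock
 * SimpleUrlAuthenticationFailureHandler, which saves the exception as a session
 * attribute, and makes sure what gets saved can be JDK-serialized by Spring Session.
 */
public class SerializableFailureHandler implements AuthenticationFailureHandler {

    private final AuthenticationFailureHandler delegate;

    public SerializableFailureHandler(String failureUrl) {
        this.delegate = new SimpleUrlAuthenticationFailureHandler(failureUrl);
    }

    /**
     * Returns true if the whole object graph can be written by ObjectOutputStream.
     * The same mechanism Spring Session uses by default; a non-Serializable field
     * such as a reflective Type surfaces here as NotSerializableException.
     */
    static boolean isJdkSerializable(Object candidate) {
        try (ByteArrayOutputStream bytes = new ByteArrayOutputStream();
             ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(candidate);
            return true;
        } catch (NotSerializableException e) {
            return false;
        } catch (IOException e) {
            // Any other write failure: do not trust the object in the session either
            return false;
        }
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        AuthenticationException toStore = exception;
        if (!isJdkSerializable(exception)) {
            // Keep only the messages and drop the cause graph (for example an
            // UnknownContentTypeException whose `type` field is not Serializable).
            String detail = exception.getCause() != null
                    ? exception.getMessage() + " (cause: " + exception.getCause().getMessage() + ")"
                    : exception.getMessage();
            toStore = new AuthenticationServiceException(detail);
        }
        delegate.onAuthenticationFailure(request, response, toStore);
    }
}
```

The probe costs one extra serialization per failed login, which is cheap compared with the alternative of the session save itself failing. Only messages are preserved, so the session never holds the response body bytes or other state from the original exception.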