Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DefaultSaml2AuthenticatedPrincipal should define a serialVersionUID #16163

Closed
OrangeDog opened this issue Nov 25, 2024 · 1 comment
Closed

DefaultSaml2AuthenticatedPrincipal should define a serialVersionUID #16163

OrangeDog opened this issue Nov 25, 2024 · 1 comment
Assignees
@jzheaux
Labels
in: saml2 An issue in SAML2 modules type: bug A general bug
Milestone
6.4.2

Comments

@OrangeDog
Copy link
Contributor

Describe the bug
As a Serializable class, DefaultSaml2AuthenticatedPrincipal should define serialVersionUID to avoid unnecessarily breaking compatibility across versions.

To Reproduce
Serialise a DefaultSaml2AuthenticatedPrincipal using Spring Security 6.3.5 and then deserialzie using 6.4.1.

Expected behavior
The field layout of the classes has not changed so they should be compatible, but the methods have (equalsand hashCode were added), which changes the auto-generated serialVersionUID.
@OrangeDog OrangeDog added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 25, 2024
@Rednas92-spec
Copy link

Rednas92-spec commented Dec 6, 2024
edited
Loading

Hi,

We had this issue when upgrading to Spring Boot 3.4.0 . When a user had a session prior upgrade; it will throw following stack trace after upgrade:

2024-12-06T13:11:38.676Z ERROR [-,,,ONBEKEND] 1 --- [nio-8000-exec-1] o.a.c.c.C.[Tomcat].[localhost] : Exception Processing [ErrorPage[errorCode=0, location=/error]] org.springframework.core.convert.ConversionFailedException: Failed to convert from type [byte[]] to type [java.lang.Object] for value [{...}] at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:47) ~[spring-core-6.1.14.jar:6.1.14] at org.springframework.core.convert.support.GenericConversionService.convert(GenericConversionService.java:182) ~[spring-core-6.1.14.jar:6.1.14] at org.springframework.session.jdbc.JdbcIndexedSessionRepository.deserialize(JdbcIndexedSessionRepository.java:689) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.jdbc.JdbcIndexedSessionRepository$SessionResultSetExtractor.lambda$extractData$0(JdbcIndexedSessionRepository.java:977) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.jdbc.JdbcIndexedSessionRepository$4.get(JdbcIndexedSessionRepository.java:721) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.jdbc.JdbcIndexedSessionRepository$JdbcSession.getAttribute(JdbcIndexedSessionRepository.java:801) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.PrincipalNameIndexResolver.resolveIndexValueFor(PrincipalNameIndexResolver.java:55) ~[spring-session-core-3.3.3.jar:3.3.3] at org.springframework.session.SingleIndexResolver.resolveIndexesFor(SingleIndexResolver.java:48) ~[spring-session-core-3.3.3.jar:3.3.3] at org.springframework.session.DelegatingIndexResolver.resolveIndexesFor(DelegatingIndexResolver.java:49) ~[spring-session-core-3.3.3.jar:3.3.3] at org.springframework.session.jdbc.JdbcIndexedSessionRepository$JdbcSession.lambda$save$11(JdbcIndexedSessionRepository.java:913) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.transaction.support.TransactionOperations.lambda$executeWithoutResult$0(TransactionOperations.java:68) ~[spring-tx-6.1.14.jar:6.1.14] at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140) ~[spring-tx-6.1.14.jar:6.1.14] at org.springframework.transaction.support.TransactionOperations.executeWithoutResult(TransactionOperations.java:67) ~[spring-tx-6.1.14.jar:6.1.14] at org.springframework.session.jdbc.JdbcIndexedSessionRepository$JdbcSession.save(JdbcIndexedSessionRepository.java:910) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.jdbc.JdbcIndexedSessionRepository.save(JdbcIndexedSessionRepository.java:477) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.jdbc.JdbcIndexedSessionRepository.save(JdbcIndexedSessionRepository.java:141) ~[spring-session-jdbc-3.3.3.jar:3.3.3] at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:229) ~[spring-session-core-3.3.3.jar:3.3.3] at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:145) ~[spring-session-core-3.3.3.jar:3.3.3] at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-3.3.3.jar:3.3.3] at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) ~[spring-web-6.1.14.jar:6.1.14] at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) ~[spring-web-6.1.14.jar:6.1.14] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.1.14.jar:6.1.14] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:632) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:410) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:330) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:267) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:362) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:222) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:308) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:149) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:731) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:384) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.31.jar:10.1.31] at java.base/java.lang.Thread.run(Unknown Source) ~[na:na] Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload. Is the byte array a result of corresponding serialization for DefaultDeserializer? at org.springframework.core.serializer.support.DeserializingConverter.convert(DeserializingConverter.java:80) ~[spring-core-6.1.14.jar:6.1.14] at org.springframework.core.serializer.support.DeserializingConverter.convert(DeserializingConverter.java:37) ~[spring-core-6.1.14.jar:6.1.14] at org.springframework.core.convert.support.GenericConversionService$ConverterAdapter.convert(GenericConversionService.java:358) ~[spring-core-6.1.14.jar:6.1.14] at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:41) ~[spring-core-6.1.14.jar:6.1.14] ... 46 common frames omitted Caused by: java.io.InvalidClassException: org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal; local class incompatible: stream classdesc serialVersionUID = -7601324133433139825, local class serialVersionUID = 1067069248264210993 at java.base/java.io.ObjectStreamClass.initNonProxy(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readNonProxyDesc(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readClassDesc(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readObject0(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream$FieldValues.<init>(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readObject0(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream$FieldValues.<init>(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readObject0(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readObject(Unknown Source) ~[na:na] at java.base/java.io.ObjectInputStream.readObject(Unknown Source) ~[na:na] at org.springframework.core.serializer.DefaultDeserializer.deserialize(DefaultDeserializer.java:71) ~[spring-core-6.1.14.jar:6.1.14] at org.springframework.core.serializer.support.DeserializingConverter.convert(DeserializingConverter.java:75) ~[spring-core-6.1.14.jar:6.1.14] ... 49 common frames omitted

The user sesion was corrupted. We had to remove all sessions from database. Maybe I can make a contribution setting serialVersionUID to -7601324133433139825 (new serialVersionUID ) so this will not happen in future upgrades?

Tx,
Sander

@jzheaux jzheaux self-assigned this Dec 13, 2024
@jzheaux jzheaux added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 13, 2024
@jzheaux jzheaux added this to the 6.4.2 milestone Dec 13, 2024
@jzheaux jzheaux changed the title DefaultSaml2AuthenticatedPrincipal does not define serialVersionUID DefaultSaml2AuthenticatedPrincipal should define a serialVersionUID Dec 16, 2024
@jzheaux jzheaux mentioned this issue Jan 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules type: bug A general bug
Projects
None yet
Milestone
6.4.2
Development

No branches or pull requests
3 participants
@OrangeDog @jzheaux @Rednas92-spec