NotSerializableException: DefaultListableBeanFactory has no serialization id

[BenDol]

I noticed that this issue has come up already and has been closed as "fixed". I'm running into this issue still:

• Spring Boot 2.0.4.RELEASE
• Spring Session JDBC 2.0.6.RELEASE
• Spring Cloud Starter OAuth2 2.0.0.RELEASE

org.springframework.core.convert.ConversionFailedException: Failed to convert from type [java.lang.Object] to type [byte[]] for value 'org.springframework.security.oauth2.client.DefaultOAuth2ClientContext@775af3c3'; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: DefaultListableBeanFactory has no serialization id
	at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:46)
	at org.springframework.core.convert.support.GenericConversionService.convert(GenericConversionService.java:191)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository.serialize(JdbcOperationsSessionRepository.java:625)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository.lambda$updateSessionAttributes$5(JdbcOperationsSessionRepository.java:539)
	at org.springframework.jdbc.core.JdbcTemplate.lambda$update$0(JdbcTemplate.java:853)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:605)
	at org.springframework.jdbc.core.JdbcTemplate.update(JdbcTemplate.java:850)
	at org.springframework.jdbc.core.JdbcTemplate.update(JdbcTemplate.java:905)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository.updateSessionAttributes(JdbcOperationsSessionRepository.java:537)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository.access$700(JdbcOperationsSessionRepository.java:115)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository$2.doInTransactionWithoutResult(JdbcOperationsSessionRepository.java:409)
	at org.springframework.transaction.support.TransactionCallbackWithoutResult.doInTransaction(TransactionCallbackWithoutResult.java:36)
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository.save(JdbcOperationsSessionRepository.java:380)
	at com.insclix.core.spring.session.jdbc.JdbcOperationsSessionRepository.save(JdbcOperationsSessionRepository.java:115)
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:234)
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.access$100(SessionRepositoryFilter.java:197)
	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:150)
	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: DefaultListableBeanFactory has no serialization id
	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:68)
	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:35)
	at org.springframework.core.convert.support.GenericConversionService$ConverterAdapter.convert(GenericConversionService.java:385)
	at org.springframework.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:40)
	... 46 common frames omitted
Caused by: java.io.NotSerializableException: DefaultListableBeanFactory has no serialization id
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.writeReplace(DefaultListableBeanFactory.java:1587)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeWriteReplace(ObjectStreamClass.java:1218)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1136)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.writeArray(ObjectOutputStream.java:1378)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
	at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
	at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:46)
	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:63)
	... 49 common frames omitted

I tried some of the suggestions from this thread, but it didn't resolve it.

Any help is greatly appreciated.

[vpavic]

Thanks for the report @BenDol. A minimal sample app that we could use to reproduce this issue would be really helpful, would you be able to provide one?

[BenDol]

Once I know how to actually reproduce this issue I will put a sample app together. Right now it seems somewhat sporadic and I haven't had the issue in a while.

[vreynolds]

We're running into something that looks to be related, if not the same, issue. Here's a sample app

Steps to reproduce:

1. Add a valid google clientid and secret in application.yml before running sample app
2. Run the app
3. Visit localhost and authenticate with a Google account
4. Restart the app

We're seeing the following symptoms:

• the following exception in app logs:
  java.lang.ClassCastException: java.io.ObjectStreamClass cannot be cast to java.lang.String at java.io.ObjectInputStream.readTypeString(ObjectInputStream.java:1612) ~[na:1.8.0_144] at java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:719) ~[na:1.8.0_144] at java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:882) ~[na:1.8.0_144] at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1815) ~[na:1.8.0_144] at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713) ~[na:1.8.0_144] at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2000) ~[na:1.8.0_144] at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) ~[na:1.8.0_144] at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245) ~[na:1.8.0_144] at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2169) ~[na:1.8.0_144] at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027) ~[na:1.8.0_144] at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) ~[na:1.8.0_144] at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422) ~[na:1.8.0_144] at org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1611) ~[tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1077) ~[tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:217) ~[tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.session.StandardManager.load(StandardManager.java:161) ~[tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:351) ~[tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1420) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1410) [tomcat-embed-core-8.5.34.jar:8.5.34] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_144] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_144] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_144] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_144]
• if we debug while the app is restarting, we catch the following in SESSION.ser file:
  NotSerializableException with DefaultListableBeanFactory has no serialization id reason
• session is not persisted across restarts

@vpavic ^ thanks!

[BenDol]

Any progress on this issue? It has been occurring for me again.

[BenDol]

Upon further research I think my issue is actually related to this: #395

However I am using Spring 5.x with Spring Boot 2, so either this bug still exists in another form or I have done something wrong. Any hints?

The attribute that is failing is scopedTarget.oauth2ClientContext

[vpavic]

@BenDol Without a way to reproduce this, it's hard for us to make any progress.

@vreynolds I've taken a look at your sample, but that doesn't actually involve Spring Session. Even the stacktrace you've posted shows org.apache.catalina.session.StandardManager which is Tomcat's standard session management.

[BenDol]

So I resolved this issue by changing the server.servlet.contextPath of my 2 SSO applications, previously I was only changing the server.servlet.session.cookie.name which isn't enough apparently. I'm wondering if there is an underlying session issue here?

[vpavic]

Are you having two different apps share the same session store?

[BenDol]

They don't share the same session, but they are authenticating off the same OAuth2 client-id

[vpavic]

Closing due to lack of feedback. Please comment back if you can provide more details and we can re-open the issue.

[Johannes-Rost]

Hello,

We have here exactly the same exception that @BenDol described in his first entry. We are running a web application in a JBoss-Cluster using a shared JDBC-Session-Store. As long as we use "sticky" connections in the load balancer everything works fine. As soon as we disable it the error occurs.
As far as I can reconstruct this from the logs, the error always occurs when the user lands on a different node after OAuth authentication than the one from which he jumped. If the node is the same before and after jumping to the OAuth provider, it works fine.

Before the application redirects the user to the OAuth provider, a DefaultOAuth2ClientContext is saved to the database succesfully. After returning from the OAuth provider Spring Session tries to save the DefaultOAuth2ClientContext again and the the exception is thrown. Seems like a proxy is generated which holds a reference to the BeanFactory.

We use:

• Spring Framework 4.3.18
• Spring Security 4.2.7
• Spring Session 1.3.3
• Spring Security OAuth 2.3.3
• Microsoft Azure AD B2C

By the way: For internal users we use normal ActiveDirectory/LDAP authentication, which works fine in all cases.

[ShinobiSlayer]

I had this same problem but found it was just because one of the classes did not implement Serializable

[vpavic]

@Johannes-Rost Could you open a new issue and provide a sample that can be used to reproduce the problem? It isn't obvious that this is the problem with Spring Session itself.

[huberchrigu]

We have the same issue for local development:

1. A session is created (and persisted in a DB)
2. A @controller is renamed and the application restarted
3. Every request fails with the mentioned exceptions until the session is deleted (in the DB or the cookie)

Is this expected? I would not expect that controller classes affect serialization of DefaultOAuth2ClientContext. If it is not an expected behavior, I can provide a sample repository.

We use Spring Boot 2.0.6 with the spring-cloud-starter-oauth2 (Finchley.SR2).