Ensure Serializable Security Components declare serialVersionUID #16276
Comments
This allows testing of classes that are serializable, but do not use Security's serialVersionUID. Issue gh-16276
Here is an example: e3cd433
The following inner classes are used only internally by a non-Serializable component Issue gh-16276
Upgrading my application storing sessions in database from Spring Boot 3.3.6 to Spring Boot 3.4.1 (i.e. Spring Security 6.4.2), I ran into this issue:
So it looks like that the I'm surprised that no one has been hit by the same issue 🤔

Hi, @dalbani, thanks for the report. I'm a little surprised to see a difference as we internally tested several dozen JVMs to check the calculated value. That may be why no one else has reported just yet. We need to set a value at some point; otherwise folks will break every time one of these classes is edited. I'll take a look at the JVM you listed and get back to you.
Here is my output from the latest from RedHat:

This appears to agree with the value in However, if I look at older versions:

Spring Security 6.2.7

```
~/Downloads/java-21-openjdk-21.0.5.0.11-1.portable.jdk.x86_64/bin/serialver \
  -classpath oauth2/oauth2-core/build/libs/spring-security-oauth2-core-6.2.7-SNAPSHOT.jar:core/build/libs/spring-security-core-6.2.7-SNAPSHOT.jar \
  org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority: private static final long serialVersionUID = -196018737016047617L;
```

Spring Security 6.3.0

```
~/Downloads/java-21-openjdk-21.0.5.0.11-1.portable.jdk.x86_64/bin/serialver \
  -classpath oauth2/oauth2-core/build/libs/spring-security-oauth2-core-6.3.0-SNAPSHOT.jar:core/build/libs/spring-security-core-6.3.0-SNAPSHOT.jar \
  org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority: private static final long serialVersionUID = -196018737016047617L;
```

Then I think it's a little clearer what's going on. Because In other words, this is something you would have experienced when upgrading, independent of the commit that added As a whole, this is something that we are addressing in order to eliminate deserialization issues across minor versions in Spring Security. You can read #16163 to learn about the issue that triggered the need for this specific ticket.
Thanks @jzheaux for your feedback. I was actually aware of the effort mentioned in https://docs.spring.io/spring-security/reference/6.3/whats-new.html#_passive_jdk_serialization_support, and I very much appreciate the improvement. Though I'm not sure this "concern [has become] a thing of the past" as mentioned on https://spring.io/blog/2024/01/19/spring-security-6-3-adds-passive-jdk-serialization-deserialization-for. I suppose I need to ask the people in charge of Spring Session, but what do you think of introducing a behaviour in Spring Session where failing to deserialize a session automatically invalidates it?

You are correct that @dalbani was perhaps too confident in hindsight. At the time, there was not an analysis performed to see which classes were missing an id. I think this point in the description:

will go a long way to catching these before future releases.
To ensure backward compatibility, Security components that implement `Serializable` should have a `serialVersionUID`.

Based on internal testing across a few dozen JVMs, it appears that the `serialVersionUID` is consistent for Security's components. As such, we can safely add the calculated `serialVersionUID` value to each class that is missing it during the 6.4.x maintenance cycle.

`Serializable` classes missing `serialVersionUID`

`Serializable` class is missing a `serialVersionUID`

When addressing a class that is missing its `serialVersionUID`, please do the following:

1. Add the calculated `serialVersionUID` (IDEs can usually do this for you, or you can use `serialver`, which ships with the JVM).
2. In `SpringSecurityCoreVersionSerializableTests`, add the class and an example construction to the `generatorByClassName` map.
3. Run `SpringSecurityCoreVersionSerializableTests#serializeCurrentVersionClasses`. If successful, it will create a `{className}.serialized` file in `config/src/main/resources/serialized`.
4. Run the other tests in `SpringSecurityCoreVersionSerializableTests`; because it's new, the class will not be added to the list in `shouldBeAbleToDeserializeClassFromPreviousVersion`; however, the class should no longer be in the output for `listClassesMissingSerialVersion`.
5. Commit the `Serializable` class(es) and `SpringSecurityCoreVersionSerializableTests`.

If unsuccessful, it is usually because one of its members is not serializable. Find the unserializable member; file a ticket to ensure that it is made `Serializable`.

Here are the classes:

- org.springframework.security.web.access.expression.WebExpressionConfigAttribute

You can also see the list of `Serializable` files by running:

```
./gradlew :spring-security-config:test --tests "*MissingSerialVersion*" -Pserialization
```
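The following is an added, self-contained illustration of the procedure described in this issue; it is not Spring Security's own code, and `StableAuthority`, `DriftingAuthority` and the helper names are constructed for the example. It shows what `listClassesMissingSerialVersion` has to detect (a `Serializable` class with no declared `serialVersionUID`), what `serialver` reports for such a class (the JVM-computed default, obtained here through `ObjectStreamClass`), and the write-`{className}.serialized`-then-read-it-back cycle that `serializeCurrentVersionClasses` and `shouldBeAbleToDeserializeClassFromPreviousVersion` rely on.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class SerialVersionUidCheck {

    // Hypothetical component WITH an explicit id (constructed value): later edits to the
    // class body no longer change the id that stored streams are validated against.
    static final class StableAuthority implements Serializable {
        private static final long serialVersionUID = 600L;
        private final String role;
        StableAuthority(String role) { this.role = role; }
        String getRole() { return role; }
    }

    // Hypothetical component WITHOUT an explicit id: the JVM derives one from the class
    // shape, so adding a field or method can break deserialization of persisted sessions.
    static final class DriftingAuthority implements Serializable {
        private final String role;
        DriftingAuthority(String role) { this.role = role; }
    }

    // True when the class itself declares a static final long serialVersionUID.
    static boolean declaresSerialVersionUid(Class<?> cls) {
        try {
            Field f = cls.getDeclaredField("serialVersionUID");
            int m = f.getModifiers();
            return f.getType() == long.class && Modifier.isStatic(m) && Modifier.isFinal(m);
        } catch (NoSuchFieldException e) {
            return false;
        }
    }

    // Same check as the issue's listClassesMissingSerialVersion, over an explicit candidate list
    // instead of a classpath scan.
    static List<String> listClassesMissingSerialVersionUid(Collection<Class<?>> candidates) {
        List<String> missing = new ArrayList<>();
        for (Class<?> cls : candidates) {
            if (Serializable.class.isAssignableFrom(cls) && !declaresSerialVersionUid(cls)) {
                missing.add(cls.getName());
            }
        }
        return missing;
    }

    // The id the JVM will actually use: the declared one, or the computed default that
    // `serialver` prints for a class without one.
    static long effectiveSerialVersionUid(Class<?> cls) {
        return ObjectStreamClass.lookup(cls).getSerialVersionUID();
    }

    // Writes {className}.serialized into dir, as serializeCurrentVersionClasses does.
    static Path serializeToDirectory(Serializable instance, Path dir) throws IOException {
        Files.createDirectories(dir);
        Path out = dir.resolve(instance.getClass().getName() + ".serialized");
        try (ObjectOutputStream oos = new ObjectOutputStream(Files.newOutputStream(out))) {
            oos.writeObject(instance);
        }
        return out;
    }

    // Reads a file written by an earlier build; a serialVersionUID mismatch surfaces here
    // as java.io.InvalidClassException, which is exactly the upgrade failure reported above.
    static Object deserializeFromFile(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(Files.newInputStream(file))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<Class<?>> candidates = List.of(StableAuthority.class, DriftingAuthority.class);
        System.out.println("missing serialVersionUID: " + listClassesMissingSerialVersionUid(candidates));
        for (Class<?> cls : candidates) {
            System.out.println(cls.getSimpleName() + " effective id = " + effectiveSerialVersionUid(cls) + "L");
        }
        Path dir = Files.createTempDirectory("serialized");
        Path file = serializeToDirectory(new StableAuthority("ROLE_USER"), dir);
        StableAuthority back = (StableAuthority) deserializeFromFile(file);
        System.out.println("round trip ok: " + "ROLE_USER".equals(back.getRole()) + " (" + file.getFileName() + ")");
    }
}
```

Run it with `java SerialVersionUidCheck.java`. The list printed for `DriftingAuthority` is the condition the Gradle task above flags, and the number printed for it is the value to paste in as the explicit `serialVersionUID` before committing, so that files written by the previous release keep deserializing. The default id is derived from the class name, modifiers, interfaces, fields, constructors and methods, which is why a seemingly harmless edit (or, as the `serialver` runs in this thread show, a change between releases) can alter it; once declared, the value is fixed regardless of later edits.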