The compatibility tests we ran before the AS5.0.GA release should have
caught this. They did not.
One way to fix this is:
If the loading platform is non-JBAS 5.x, then use the longer suid. If
the loading platform is JBAS 5.x, then suid = 1L. This way versions
5.x GA onwards will be fine.
Dimitris Andreadis wrote:
Well Jaikiran really means that changing the serialVersionUID for
SimplePrincipal breaks serialization compatibility with AS 5.0.1.GA
https://jira.jboss.org/jira/browse/SECURITY-341
But I understand what is fixed here is having serialVersionUID
compatibility with older 4.2.x releases. The only way to have both is
using special flags to switch IDs at load time, there is no other way.
Obviously the mistake was that serialVersionUID for SimplePrincipal
changed in AS 5.0 but I'm curious how we didn't catch this in the
SerialVersionUIDUnitTestCase.
It turns out we didn't check for libs in JBOSS_HOME/lib and
JBOSS_HOME/server/all, so when JBOSS_HOME/common/lib was added we
missed the libs in there.
Also, shouldn't errors of this type show in some of the compatibility
matrix tests?
Anil Saldhana wrote:
>
> https://jira.jboss.org/jira/browse/JBAS-6410 is fixed in Branch_5_0.
> That is where this was done.
>
> I still have jira issues open for 5.1 and trunk.
>
> Jaikiran Pai wrote:
>> While working on an unrelated issue, I noticed that the
>> serialVersionUID of org.jboss.security.SimplePrincipal (in
>> jbosssx.jar) has changed between JBossAS5.0 GA and the current 5.0
>> branch. The 5.0 branch uses 2.0.2.SP6 version of jbosssx.jar whereas
>> JBossAS5.0 GA uses 2.0.2.SP3. Between these versions, the
>> serialVersionUID of the SimplePrincipal class has changed from
>>
>> private static final long serialVersionUID = 1L; // In 2.0.2.SP3
>>
>> to
>>
>> private static final long serialVersionUID = 7701951188631723261L;
>> // In 2.0.2.SP6
>>
>> As a result JBossAS-5.0 GA clients (ex: servlets on JBossAS-5.0 GA)
>> fail against JBossAS-5.0.1.GA server (current 5.0 branch) when doing
>> the following:
>>
>> import java.util.Properties;
>> import javax.naming.Context;
>> import javax.naming.InitialContext;
>> import org.jboss.security.client.SecurityClient;
>> import org.jboss.security.client.SecurityClientFactory;
>>
>> // pseudo code - do login (runs on the 5.0 GA side, e.g. in a servlet)
>> SecurityClient securityClient =
>> SecurityClientFactory.getSecurityClient();
>> securityClient.setSimple("jai", "pass");
>> securityClient.login();
>>
>> // lookup bean hosted on 5.0.1 GA
>> Properties props = new Properties();
>> props.put(Context.INITIAL_CONTEXT_FACTORY,
>> "org.jnp.interfaces.NamingContextFactory");
>> props.put(Context.PROVIDER_URL, "jnp://localhost:1199");
>> Context ctx = new InitialContext(props);
>>
>> MySecureBean bean = (MySecureBean) ctx.lookup("MySecureBean");
>> System.out.println("Got bean");
>> // the secured invocation fails with the InvalidClassException below
>> bean.doSomethingSecure("jai", 2);
>>
>>
>> 12:33:51,261 ERROR [STDERR] Caused by:
>> java.io.InvalidClassException: org.jboss.security.SimplePrincipal;
>> local class incompatible: stream classdesc serialVersionUID = 1,
>> local class serialVersionUID = 7701951188631723261
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectStreamClass.initNonProxy(ObjectStreamClass.java:546)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1552)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1466)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1699)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1305)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1908)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1832)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1719)
>> 12:33:51,261 ERROR [STDERR] at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1305)
>> ... // trimmed most of the irrelevant logs
>> 12:33:51,264 ERROR [STDERR] at org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase.invoke(ProxyInvocationHandlerBase.java:261)
>> 12:33:51,264 ERROR [STDERR] at org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:101)
>> 12:33:51,264 ERROR [STDERR] at $Proxy95.doSomething(Unknown Source)
>> 12:33:51,264 ERROR [STDERR] at org.myapp.servlet.SimpleServlet.doPost(SimpleServlet.java:40)
>>
>> The other way (5.0.1 GA clients against 5.0 GA server) fails too.
>> From SVN logs, it appears that the serialVersionUID change was meant
>> for compatibility with external tools like JBoss Tools. Any way to
>> make 5.0.1.GA and 5.0 GA compatible?
>>
>> On a related note, in the component-matrix for Branch_5_x I see
>> that the jbosssx package is still at 2.0.2.SP3:
>>
>> <version.org.jboss.security>2.0.2.SP3</version.org.jboss.security>
>>
>> It's only upgraded to 2.0.2.SP6 in 5.0 branch.
>>
>> regards,
>> -Jaikiran
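As an added example (not code from this thread, and not JBoss code), the stand-alone Java program below reproduces the InvalidClassException Jaikiran reports and sketches the "switch IDs at load time" scheme Dimitris and the reply above mention. DemoPrincipal is a hypothetical stand-in for org.jboss.security.SimplePrincipal that picks its serialVersionUID from a system property when the class is loaded; the helper withSuid rewrites the SUID inside a serialized stream's class descriptor so a stream "from the other jbosssx version" can be produced in one JVM. The names DemoPrincipal, demo.legacySuid and withSuid are assumptions of this example; the two SUID values are the ones quoted in the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class SuidMismatchDemo {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return ois.readObject();
        }
    }

    // In the Java serialization stream format a class descriptor is TC_CLASSDESC,
    // the class name (2-byte length + modified UTF-8), then the 8-byte
    // serialVersionUID. Overwriting those 8 bytes simulates a stream written by a
    // peer whose copy of the same class carries a different SUID.
    static byte[] withSuid(byte[] stream, String className, long suid) {
        byte[] name = className.getBytes(StandardCharsets.UTF_8);
        int at = indexOf(stream, name);
        if (at < 0) {
            throw new IllegalArgumentException("no class descriptor for " + className);
        }
        byte[] out = stream.clone();
        ByteBuffer.wrap(out, at + name.length, 8).putLong(suid);
        return out;
    }

    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        long local = ObjectStreamClass.lookup(DemoPrincipal.class).getSerialVersionUID();
        System.out.println("local serialVersionUID = " + local);

        // Same SUID on both sides: the round trip works.
        byte[] stream = serialize(new DemoPrincipal("jai"));
        DemoPrincipal back = (DemoPrincipal) deserialize(stream);
        System.out.println("round trip ok, name = " + back.getName());

        // Peer built against the other jbosssx version: same class, other SUID.
        long other = (local == DemoPrincipal.LEGACY_SUID)
                ? DemoPrincipal.CURRENT_SUID : DemoPrincipal.LEGACY_SUID;
        try {
            deserialize(withSuid(stream, DemoPrincipal.class.getName(), other));
            System.out.println("unexpected: mismatched stream was accepted");
        } catch (InvalidClassException e) {
            // Same message shape as in the JBossAS log: "local class incompatible: ..."
            System.out.println("mismatch rejected: " + e.getMessage());
        }
    }
}

// Hypothetical stand-in for org.jboss.security.SimplePrincipal (not the JBoss class).
// The serialVersionUID is chosen once, when the class is loaded, from the
// demo.legacySuid system property. ObjectStreamClass reads the static final field
// reflectively at runtime, so a value computed in a static initializer is honoured.
class DemoPrincipal implements Serializable {
    static final long LEGACY_SUID = 1L;                    // jbosssx 2.0.2.SP3
    static final long CURRENT_SUID = 7701951188631723261L; // jbosssx 2.0.2.SP6
    private static final long serialVersionUID =
            Boolean.getBoolean("demo.legacySuid") ? LEGACY_SUID : CURRENT_SUID;

    private final String name;

    DemoPrincipal(String name) {
        this.name = name;
    }

    String getName() {
        return name;
    }
}
```

Run it with `java SuidMismatchDemo.java` (Java 11+) to load the 2.0.2.SP6 value, or with `java -Ddemo.legacySuid=true SuidMismatchDemo.java` to take the legacy 1L; in both cases the stream rewritten to the other value is rejected with the same "local class incompatible" message seen in the log above. A load-time flag like this only works when both peers are configured to agree; a single class in a single classloader still has exactly one serialVersionUID, so one process cannot accept both IDs at once.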