Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount ------------------------------------------------------------------------------------------------------- Key: WFCORE-2414 URL: https://issues.jboss.org/browse/WFCORE-2414 Project: WildFly Core Issue Type: Bug Components: Security Affects Versions: 3.0.0.Beta7 Reporter: Martin Choma Assignee: Darran Lofthouse Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity. https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=86223... Please resolve this inconsistent situation. By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested. {code:title=hipchat.log} [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication? [3:23 PM] Darran Lofthouse: No it can't be [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity [3:26 PM] David M. Lloyd: among other problems [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right? [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI {code}