Serialization of KiePackages fails when SecurityManager is enabled ------------------------------------------------------------------ Key: DROOLS-3429 URL: https://issues.jboss.org/browse/DROOLS-3429 Project: Drools Issue Type: Bug Components: core engine Affects Versions: 6.5.0.Final, 7.15.0.Final Environment: Running with IBM JDK 1.8 Reporter: Marcel Abou Khalil Assignee: Tibor Zimányi Priority: Major Our Drools setup: - users write rules in a combination of DSL and Java code - rules are compiled - packages are stored in a database (rules are seldom changed but often ran) This has been working fine but in order to improve security, we've enabled the SecurityManager. This throws an exception while trying to serialize the consequence part of the rule: {code:java} Caused by: java.io.NotSerializableException: com.redacted.Rule_Events_REDACTED61028857611DefaultConsequenceInvoker - field (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", name: "delegate", type: "interface org.drools.core.spi.Consequence") - object (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence@93071816) - writeExternal data - object (class "org.drools.core.definitions.rule.impl.RuleImpl", [Rule name=REDACTED, agendaGroup=end, salience=0, no-loop=true]) - writeExternal data - object (class "org.drools.core.rule.JavaDialectRuntimeData", org.drools.core.rule.JavaDialectRuntimeData{...}) - custom writeObject data (class "java.util.HashMap") - object (class "java.util.HashMap", {java=org.drools.core.rule.JavaDialectRuntimeData{...}, mvel=org.drools.core.rule.MVELDialectRuntimeData@b99ea6b2}) - writeExternal data - root object (class "org.drools.core.rule.DialectRuntimeRegistry", org.drools.core.rule.DialectRuntimeRegistry@2d9acae8) at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1213) at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1615) at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1576) at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1499) at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1209) at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:365) at org.drools.core.definitions.rule.impl.RuleImpl.writeExternal(RuleImpl.java:180) {code} Possible cause: Class {{RuleImpl}}, method {{writeExternal}} will write out {{null}} if the consequence is of type {{CompiledInvoker}}. But if the SecurityManager is enabled, the method {{wire}} will wrap the Consequence inside a {{SafeConsequence}}. A {{SafeConsequence}}, in contrast to the wrapped consequence is not a {{CompiledInvoker}}, so {{writeExternal}} will attempt to serialize it, instead of just writing {{null}} and fails.