[jboss-jira] [JBoss JIRA] (WFLY-13619) Elytron: org.wildfly.security.auth.server.SecurityIdentity not Serializable

Andrej Kolontai (Jira) issues at jboss.org
Thu Jun 25 04:24:25 EDT 2020


Andrej Kolontai created WFLY-13619:
--------------------------------------

             Summary: Elytron: org.wildfly.security.auth.server.SecurityIdentity not Serializable
                 Key: WFLY-13619
                 URL: https://issues.redhat.com/browse/WFLY-13619
             Project: WildFly
          Issue Type: Bug
          Components: Security
    Affects Versions: 20.0.0.Final
            Reporter: Andrej Kolontai
            Assignee: Darran Lofthouse


Since the old security subsystem has been deprecated for a while, I decided to move my applications to Elytron, which worked just fine up to the point where I tried to migrate an application that:
 * is distributed
 * uses JASPIC in the form of a JSR 375 HttpAuthenticationMechanism which has {{@AutoApplySession}}

In the logs I see stacktraces like this:

{{09:37:22,045 WARN [org.infinispan.PERSISTENCE] (default task-1) ISPN000559: Cannot marshall 'class org.infinispan.marshall.protostream.impl.MarshallableUserObject': java.io.NotSerializableException: org.wildfly.security.auth.server.SecurityIdentity}}
{{ at org.jboss.marshalling.river@2.0.9.Final//org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:272)}}
{{ at org.jboss.marshalling.river@2.0.9.Final//org.jboss.marshalling.river.RiverMarshaller.doWriteFields(RiverMarshaller.java:1141)}}
{{ at org.jboss.marshalling.river@2.0.9.Final//org.jboss.marshalling.river.RiverMarshaller.doWriteSerializableObject(RiverMarshaller.java:1099)}}
{{ at org.jboss.marshalling.river@2.0.9.Final//org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:266)}}
{{ at org.jboss.marshalling@2.0.9.Final//org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:58)}}
{{ at org.jboss.marshalling@2.0.9.Final//org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:111)}}

{{.....}}

{{Caused by: an exception which occurred:}}
{{ in field org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl$IdentityContainer.securityIdentity}}
{{ in object org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl$IdentityContainer@7bf2af9a}}
{{ in object org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl$IdentityContainer@7bf2af9a}}
{{ in object java.util.concurrent.ConcurrentHashMap@d02a9ca2}}
{{ in object org.wildfly.clustering.marshalling.jboss.SimpleMarshalledValue@d02a9ca2}}

 

Looks to me like it's trying to serialize the session to replicate it to the other nodes in the cluster and fails because the user identity, which is part of the session because of AutoApplySession, is not serializable. I have checked the source and it is really not serializable.

 

I had no problems with the old security subsystem (i.e. jaspitest).



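The failure mode described in the report, reproduced with plain java.io serialization as an added example (not part of the original message and not WildFly or Elytron code). DemoIdentity and DemoIdentityContainer are hypothetical stand-ins for a non-serializable identity held by a Serializable container, and findNonSerializable is a hypothetical helper that reports which session attributes would fail replication.

```java
import java.io.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SessionSerializationCheck {
    // Hypothetical stand-in for an identity type that does not implement Serializable.
    static class DemoIdentity {
        final String name;
        DemoIdentity(String name) { this.name = name; }
    }

    // Hypothetical stand-in for a Serializable container with a non-serializable field,
    // the same shape as the "in field ... in object ..." chain in the stack trace.
    static class DemoIdentityContainer implements Serializable {
        private static final long serialVersionUID = 1L;
        final DemoIdentity securityIdentity;
        DemoIdentityContainer(DemoIdentity id) { this.securityIdentity = id; }
    }

    // Serializes each attribute on its own and returns attribute name -> failure reason.
    // For NotSerializableException the message is the name of the offending class.
    static Map<String, String> findNonSerializable(Map<String, Object> attributes) {
        Map<String, String> failures = new TreeMap<>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue());
            } catch (NotSerializableException ex) {
                failures.put(e.getKey(), ex.getMessage());
            } catch (IOException ex) {
                failures.put(e.getKey(), ex.toString());
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        // Constructed sample session: one attribute serializes, one does not.
        Map<String, Object> session = new ConcurrentHashMap<>();
        session.put("cart", new ArrayList<>(Arrays.asList("item-1")));
        session.put("identity", new DemoIdentityContainer(new DemoIdentity("alice")));
        findNonSerializable(session).forEach((k, v) ->
            System.out.println("attribute '" + k + "' cannot be replicated: " + v));
    }
}
```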