
Custom principal from web application cannot be deserialized #443

Open
jungm opened this issue Feb 14, 2022 · 0 comments · May be fixed by #444

jungm commented Feb 14, 2022

Sessions from inside a webapp using a custom Principal cannot be deserialized because the wrong ClassLoader gets used implicitly by the ObjectInputStream in TranscoderService#deserializePrincipal.

See this stack trace:

        java.lang.ClassNotFoundException: org.example.CustomPrincipal
                at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:476)
                at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
                at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
                at java.base/java.lang.Class.forName0(Native Method)
                at java.base/java.lang.Class.forName(Class.java:398)
                at java.base/java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:756)
                at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1997)
                at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1864)
                at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2195)
                at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1681)
                at java.base/java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2490)
                at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2384)
                at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2222)
                at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1681)
                at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:493)
                at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:451)
                at de.javakaffee.web.msm.MemcachedBackupSessionManager.readPrincipal(MemcachedBackupSessionManager.java:895)
                at de.javakaffee.web.msm.TranscoderService.deserializePrincipal(TranscoderService.java:365)
                ... 67 more

A CustomObjectInputStream (as used with the actual session attributes) should be used instead with the correct ClassLoader.

jungm added a commit to jungm/memcached-session-manager that referenced this issue Feb 14, 2022
jungm linked a pull request Feb 14, 2022 that will close this issue
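What the fix described in the issue amounts to, as an added example rather than code from the issue or from the memcached-session-manager project: a minimal ObjectInputStream subclass that resolves classes through a caller-supplied web application ClassLoader, exercised with a round trip on a constructed CustomPrincipal. Class and method names here are my own, and the deserialization filter is an extra check the issue does not discuss.

```java
import java.io.*;
import java.security.Principal;

// Stream that resolves classes through the web application's ClassLoader instead of
// the loader the default ObjectInputStream.resolveClass() picks off the call stack.
class WebappObjectInputStream extends ObjectInputStream {
    private final ClassLoader webappLoader;
    WebappObjectInputStream(InputStream in, ClassLoader webappLoader) throws IOException {
        super(in);
        this.webappLoader = webappLoader;
    }
    @Override protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        try {
            // The webapp loader sees the webapp's own classes as well as the JDK's.
            return Class.forName(desc.getName(), false, webappLoader);
        } catch (ClassNotFoundException e) {
            return super.resolveClass(desc); // fall back to the default lookup
        }
    }
}
// Stand-in for a webapp's own Principal type (constructed for this example).
class CustomPrincipal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    CustomPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class PrincipalRoundTrip {
    static Principal readPrincipal(byte[] data, ClassLoader webappLoader)
            throws IOException, ClassNotFoundException {
        try (WebappObjectInputStream ois =
                     new WebappObjectInputStream(new ByteArrayInputStream(data), webappLoader)) {
            // Hardening beyond the issue: only the expected principal type and JDK
            // types may be materialised from bytes that come back from the cache.
            ois.setObjectInputFilter(
                    ObjectInputFilter.Config.createFilter("CustomPrincipal;java.base/*;!*"));
            return (Principal) ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        // Serialize the principal the way it would be stored in memcached.
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new CustomPrincipal("alice")); }
        // In Tomcat this would be the Context's loader; here the class's own loader stands in.
        ClassLoader webappLoader = CustomPrincipal.class.getClassLoader();
        Principal p = readPrincipal(bos.toByteArray(), webappLoader);
        System.out.println("deserialized principal: " + p.getName());
    }
}
```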