JdkSerializationRedisSerializer is not able to serialize Saml2LogoutRequest because of a lambda encoder #12472

Closed
tisch030 opened this issue Dec 28, 2022 · 7 comments
Labels
in: saml2 An issue in SAML2 modules status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: bug A general bug

@tisch030

Describe the bug
After upgrading from Spring Security 5.7 to 6.0, we noticed that the logout process initiated by the Saml2 relying party no longer works.

This is because the Saml2RelyingPartyInitiatedLogoutSuccessHandler tries to save the logout request in a HttpSessionLogoutRequestRepository. The HttpSessionLogoutRequestRepository tries to save the logout request inside the session.
Our session is managed by redis and the JdkSerializationRedisSerializer is responsible for serializing and deserializing the objects.

But because the Saml2LogoutRequest contains a lambda as the default encoder, the JdkSerializationRedisSerializer is not able to serialize the Saml2LogoutRequest object and does not save the logout request. Upon receiving the saml2 logout response from the IDP, no session can be found which contains the logout request and we get an HTTP Status 400 – Bad Request.

Using the Jackson2JsonRedisSerializer does not work, because the Saml2LogoutRequest does not have any public constructors, only a builder.

Seems like the change with the encoder attribute came with version 5.8 and has not been addressed so far, even though it seems like a general bug that should affect many others. I don't see a simple way to work around it and would appreciate some help.

Expected behavior
The encoder attribute should not lead to a NotSerializableException if redis and JdkSerializationRedisSerializer are used for the management of sessions.

2022-12-28T00:38:16.330+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.s.w.a.l.SecurityContextLogoutHandler : Invalidated session cd26191c-7e36-450a-ac4b-747c3e48a108
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'delegatingApplicationListener'
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'springApplicationAdminRegistrar'
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2022-12-28T00:38:16.331+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'authenticationLogService'
2022-12-28T00:38:16.332+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.jdbc.datasource.DataSourceUtils      : Fetching JDBC Connection from DataSource
2022-12-28T00:38:16.332+01:00 DEBUG 21872 --- [enerContainer-4] o.s.d.redis.core.RedisConnectionUtils    : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.334+01:00 DEBUG 21872 --- [enerContainer-4] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'delegatingApplicationListener'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'springApplicationAdminRegistrar'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.c.e.ApplicationListenerMethodAdapter : No result object given - no result to handle
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'sessionEventHttpSessionListenerAdapter'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'tokenService'
2022-12-28T00:38:16.334+01:00 TRACE 21872 --- [enerContainer-4] o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'liveReloadServerEventListener'
2022-12-28T00:38:16.335+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.339+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2022-12-28T00:38:16.339+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.340+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2022-12-28T00:38:16.341+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.344+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2022-12-28T00:38:16.345+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.346+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2022-12-28T00:38:16.346+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.c.e.ApplicationListenerMethodAdapter : No result object given - no result to handle
2022-12-28T00:38:16.346+01:00 TRACE 21872 --- [nio-9500-exec-5] .p.s.w.a.l.OpenSamlLogoutRequestResolver : Attempting to resolve registrationId from Saml2Authentication [Principal=eu.firmax.cms.auth.idp.saml.usermapping.CustomSamlPrincipal[super=eu.firmax.cms.auth.idp.saml.usermapping.CustomSamlPrincipal[principal=eu.firmax.cms.auth.user.CustomUserDetails[username=null, password=, accountNonLocked=false, credentialsNonExpired=false, credentialId=null]], name=test, attributes={bPK2=[98e7aa71-8767-4524-b577-d5770d8552da]}, relyingPartyRegistrationId=keycloak-saml, sessionIndexes=[d2d52bab-e3d9-43ec-9f18-69dcd2364dae::4a8325cf-6f20-4c0c-a5fa-96ee4bdeb232]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=958eeaad-4407-495c-b00e-be00bd801fea], Granted Authorities=[]]
2022-12-28T00:38:16.348+01:00  WARN 21872 --- [nio-9500-exec-5] DEPRECATED                               : Java class method 'setSessionIndex', (interface org.opensaml.saml.saml2.core.SessionIndex): This will be removed in the next major version of this software; replacement is setValue
2022-12-28T00:38:16.364+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.aop.framework.JdkDynamicAopProxy     : Creating JDK dynamic proxy: EmptyTargetSource: no target class, static
2022-12-28T00:38:16.364+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Fetching Redis Connection from RedisConnectionFactory
2022-12-28T00:38:16.365+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2022-12-28T00:38:16.366+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.s.w.h.S.SESSION_LOGGER               : No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2022-12-28T00:38:16.366+01:00 DEBUG 21872 --- [nio-9500-exec-5] o.s.s.w.h.S.SESSION_LOGGER               : A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER

java.lang.RuntimeException: For debugging purposes only (not an error)
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:313) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:327) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:194) ~[spring-session-core-3.0.0.jar:3.0.0]
	at jakarta.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:253) ~[tomcat-embed-core-10.1.1.jar:6.0]
	at jakarta.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:253) ~[tomcat-embed-core-10.1.1.jar:6.0]
	at org.springframework.security.saml2.provider.service.web.authentication.logout.HttpSessionLogoutRequestRepository.saveLogoutRequest(HttpSessionLogoutRequestRepository.java:75) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
	at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2RelyingPartyInitiatedLogoutSuccessHandler.onLogoutSuccess(Saml2RelyingPartyInitiatedLogoutSuccessHandler.java:81) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:104) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:130) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter.doFilterInternal(Saml2LogoutResponseFilter.java:97) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter.doFilterInternal(Saml2LogoutRequestFilter.java:105) ~[spring-security-saml2-service-provider-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilterInternal(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.0.jar:6.0.0]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:351) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-6.0.2.jar:6.0.2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:143) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:400) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

2022-12-28T00:38:16.367+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2022-12-28T00:38:16.367+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.b.w.s.f.OrderedRequestContextFilter  : Cleared thread-bound request context: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper@c9f41bf
2022-12-28T00:38:16.367+01:00 TRACE 21872 --- [nio-9500-exec-5] o.s.aop.framework.JdkDynamicAopProxy     : Creating JDK dynamic proxy: EmptyTargetSource: no target class, static
2022-12-28T00:38:16.371+01:00 ERROR 21872 --- [nio-9500-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.data.redis.serializer.SerializationException: Cannot serialize
	at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:96) ~[spring-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.data.redis.core.AbstractOperations.rawHashValue(AbstractOperations.java:186) ~[spring-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.data.redis.core.DefaultHashOperations.putAll(DefaultHashOperations.java:161) ~[spring-data-redis-3.0.0.jar:3.0.0]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:577) ~[na:na]
	at org.springframework.data.redis.core.BoundOperationsProxyFactory$BoundOperationsMethodInterceptor.doInvoke(BoundOperationsProxyFactory.java:183) ~[spring-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.data.redis.core.BoundOperationsProxyFactory$BoundOperationsMethodInterceptor.invoke(BoundOperationsProxyFactory.java:153) ~[spring-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.2.jar:6.0.2]
	at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor.invoke(DefaultMethodInvokingMethodInterceptor.java:77) ~[spring-data-commons-3.0.0.jar:3.0.0]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.2.jar:6.0.2]
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:218) ~[spring-aop-6.0.2.jar:6.0.2]
	at jdk.proxy4/jdk.proxy4.$Proxy111.putAll(Unknown Source) ~[na:na]
	at org.springframework.session.data.redis.RedisIndexedSessionRepository$RedisSession.saveDelta(RedisIndexedSessionRepository.java:851) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.session.data.redis.RedisIndexedSessionRepository$RedisSession.save(RedisIndexedSessionRepository.java:839) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.session.data.redis.RedisIndexedSessionRepository.save(RedisIndexedSessionRepository.java:477) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.session.data.redis.RedisIndexedSessionRepository.save(RedisIndexedSessionRepository.java:257) ~[spring-session-data-redis-3.0.0.jar:3.0.0]
	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:228) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:146) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-3.0.0.jar:3.0.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.2.jar:6.0.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:400) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.1.jar:10.1.1]
	at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer
	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:64) ~[spring-core-6.0.2.jar:6.0.2]
	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:33) ~[spring-core-6.0.2.jar:6.0.2]
	at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:94) ~[spring-data-redis-3.0.0.jar:3.0.0]
	... 40 common frames omitted
Caused by: java.io.NotSerializableException: org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest$$Lambda$1574/0x00000008017530b0
	at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1192) ~[na:na]
	at java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1577) ~[na:na]
	at java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1534) ~[na:na]
	at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1443) ~[na:na]
	at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1186) ~[na:na]
	at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:358) ~[na:na]
	at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:46) ~[spring-core-6.0.2.jar:6.0.2]
	at org.springframework.core.serializer.Serializer.serializeToByteArray(Serializer.java:56) ~[spring-core-6.0.2.jar:6.0.2]
	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:60) ~[spring-core-6.0.2.jar:6.0.2]
	... 42 common frames omitted
@tisch030 tisch030 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 28, 2022
@jzheaux
Contributor

jzheaux commented Jan 3, 2023

Thanks, @tisch030, and my apologies for the trouble. This appears to be an oversight. Are you able to submit a PR that marks the encoder as transient? It would also be nice to create a test that confirms that Java serialization of Saml2LogoutRequest works.

@jzheaux jzheaux self-assigned this Jan 3, 2023
@jzheaux jzheaux added status: ideal-for-contribution An issue that we actively are looking for someone to help us with in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 3, 2023
@jzheaux jzheaux added this to the 5.8.2 milestone Jan 3, 2023
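
The fix suggested above (mark the encoder transient and confirm that Java serialization works), as an added example that is not Spring Security's code: `BrokenRequest`, `FixedRequest` and `DEFAULT_ENCODER` are hypothetical stand-ins for `Saml2LogoutRequest` and its default encoder. It also covers the caveat that a transient field comes back `null` after deserialization and has to be restored.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;

public class TransientEncoderDemo {

    // Hypothetical default encoder: a plain lambda. Function is not
    // Serializable, so neither is the object the lambda evaluates to.
    static final Function<Map<String, String>, String> DEFAULT_ENCODER = params -> params.entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));

    // Before: the lambda is an ordinary instance field, so default Java
    // serialization tries to write it and throws NotSerializableException.
    static class BrokenRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        private final LinkedHashMap<String, String> parameters = new LinkedHashMap<>();
        private final Function<Map<String, String>, String> encoder = DEFAULT_ENCODER;
    }

    // After: the encoder is transient, so it is skipped on write and
    // re-attached in readObject (it would otherwise be null after a read).
    static class FixedRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        private final LinkedHashMap<String, String> parameters;
        private transient Function<Map<String, String>, String> encoder = DEFAULT_ENCODER;

        FixedRequest(Map<String, String> parameters) {
            this.parameters = new LinkedHashMap<>(parameters);
        }

        String getParametersQuery() {
            return this.encoder.apply(this.parameters);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            this.encoder = DEFAULT_ENCODER;
        }
    }

    // Serializes and deserializes in memory, the same JDK mechanism a
    // JDK-serialization-based session store relies on.
    static <T extends Serializable> T roundTrip(T value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T copy = (T) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new BrokenRequest());
            throw new AssertionError("expected NotSerializableException");
        } catch (NotSerializableException ex) {
            System.out.println("before: NotSerializableException for " + ex.getMessage());
        }

        // Constructed sample parameter, not a real SAML payload.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("SAMLRequest", "constructed+value/==");
        FixedRequest original = new FixedRequest(params);
        FixedRequest copy = roundTrip(original);

        // The serialization test: the copy must still be usable, not just readable.
        if (!original.getParametersQuery().equals(copy.getParametersQuery())) {
            throw new AssertionError("encoder was not restored after deserialization");
        }
        System.out.println("after:  " + copy.getParametersQuery());
    }
}
```
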
@tisch030
Author

tisch030 commented Jan 4, 2023

Thanks for the reply and the confirmation that it was indeed an oversight and not necessarily a mistake on my part @jzheaux . I would really like to contribute (it would be my first ever PR for an open source project), but unfortunately I'm in the middle of my bachelor thesis and already a bit behind schedule. Marking an attribute as transient is not hard, but I wouldn't have the time to read through the contributor guidelines, set up gradle (I only have experience with maven) and write the appropriate test for serialization. That's why it would probably make the most sense for someone else to create a PR for it. I will keep my eyes on this and if the issue is still open in 4 weeks, I would most likely take it on myself and be very happy to provide a PR.

Thank you again and happy new year everyone.


@jzheaux
Contributor

jzheaux commented Jan 4, 2023

No problem, @tisch030. I'll leave the issue marked as ideal-for-contribution for the time being and see if anyone picks it up in the meantime.

@dkodippily
Contributor

@jzheaux can I work on this? @tisch030 is it OK if I pick this?

@tisch030
Author

@dkodippily yes, absolutely.

@dkodippily
Contributor

Hi @jzheaux , can I raise a PR for this?

@dkodippily
Contributor

Hi @jzheaux , I'm pretty sure you got busy with SpringOne, I raised a PR #12638 before I could get any update if I can work on this issue, please take a look.
