Spring Security 3.1 Authentication ProviderManager throwing NotSerializableException

Question

I am building a JSF2 web app with Spring Security 3.1 for security things. Everytime when restarting tomcat, I am getting a NotSerializableException thrown by ProviderManager of Spring Security but the webapp is working perfectly. I am afraid that will causes maybe some problems when deploying to production. Does anyone know how to make the ProviderManager Serializable Here is the exception:

SEVERE: IOException while loading persisted sessions: java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.springframework.security.authentication.ProviderManager
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.springframework.security.authentication.ProviderManager
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1355)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1619)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1084)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:282)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:202)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:489)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5537)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.reload(StandardContext.java:4033)
at org.apache.catalina.loader.WebappLoader.backgroundProcess(WebappLoader.java:425)
at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1345)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1546)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1556)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1556)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1524)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.NotSerializableException: org.springframework.security.authentication.ProviderManager
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1695)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1101)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:430)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:351)
at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:516)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5719)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.reload(StandardContext.java:4026)
... 7 more

Why are you trying to save a service bean in the session? This is a design problem and should be fixed by not saving a reference to it, not trying to hack serialization onto something that isn't semantically serializable. — chrylis -cautiouslyoptimistic-, Apr 24 '15 at 20:22
I am not saving it in a session but maybe it's JSF `@SessionScoped` which is trying to save it. Have you an idea on how preventing that? — hamza_tn, Apr 24 '15 at 20:44
If it were a new application, I'd say "just don't use JSF, because it's full of this sort of problem". Not sure exactly how to go about troubleshooting this. — chrylis -cautiouslyoptimistic-, Apr 28 '15 at 20:22
It's too late now, I will try to implement a custom authenitcation provider and test it, anyway thanks @chrylis — hamza_tn, Apr 28 '15 at 20:27
A custom authentication provider is the wrong approach. You have to find out why the provider is being added to the session in the first place and fix that. — chrylis -cautiouslyoptimistic-, Apr 28 '15 at 20:32

score 1 · Accepted Answer · answered May 11 '15 at 14:46

In your LoginBean, simply replace the @SessionScoped by @RequestScoped because ther is no need to save the entered user informations while logging in in a session variable, you can access them with the Spring Security features like this

org.springframework.security.core.userdetails.User user = (org.springframework.security.core.userdetails.User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String name = user.getUsername();

Spring Security 3.1 Authentication ProviderManager throwing NotSerializableException

1 Answers1