magro / memcached-session-manager

A tomcat session manager that backups sessions in memcached and pulls them from there if asked for unknown sessions
Apache License 2.0

Custom principal from web application cannot be deserialized #443

Open jungm opened 2 years ago

jungm commented 2 years ago

Sessions from inside a webapp using a custom Principal cannot be deserialized because the wrong ClassLoader gets used implicitly by the ObjectInputStream in TranscoderService#deserializePrincipal.

See this stack trace:

        java.lang.ClassNotFoundException: org.example.CustomPrincipal
                at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:476)
                at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
                at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
                at java.base/java.lang.Class.forName0(Native Method)
                at java.base/java.lang.Class.forName(Class.java:398)
                at java.base/java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:756)
                at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1997)
                at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1864)
                at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2195)
                at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1681)
                at java.base/java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2490)
                at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2384)
                at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2222)
                at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1681)
                at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:493)
                at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:451)
                at de.javakaffee.web.msm.MemcachedBackupSessionManager.readPrincipal(MemcachedBackupSessionManager.java:895)
                at de.javakaffee.web.msm.TranscoderService.deserializePrincipal(TranscoderService.java:365)
                ... 67 more

A CustomObjectInputStream (as used with the actual session attributes) should be used instead with the correct ClassLoader.
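The following is an added, stand-alone illustration of the kind of ClassLoader-aware ObjectInputStream the report asks for; it is not code from memcached-session-manager or Tomcat's CustomObjectInputStream. The class names `PrincipalDeserializationDemo`, `ClassLoaderObjectInputStream` and `DemoPrincipal` are assumptions, and the deserialization allowlist (Java 9+ `ObjectInputFilter`) is a defensive addition beyond what the issue itself asks for.

```java
import java.io.*;
import java.security.Principal;

public class PrincipalDeserializationDemo {
    // Constructed stand-in for a webapp's custom Principal (hypothetical class).
    public static final class DemoPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        public DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Resolves classes via an explicit loader (the webapp's) instead of the one
    // ObjectInputStream picks implicitly, and allowlists what may be deserialized.
    public static class ClassLoaderObjectInputStream extends ObjectInputStream {
        private final ClassLoader loader;
        public ClassLoaderObjectInputStream(InputStream in, ClassLoader loader,
                String allowedPattern) throws IOException {
            super(in);
            this.loader = loader;
            // Java 9+: classes outside the allowlist are rejected before instantiation.
            setObjectInputFilter(ObjectInputFilter.Config.createFilter(allowedPattern));
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            try {
                return Class.forName(desc.getName(), false, loader);
            } catch (ClassNotFoundException e) {
                return super.resolveClass(desc); // primitives and JDK classes
            }
        }
    }

    public static Principal readPrincipal(byte[] data, ClassLoader webappLoader)
            throws IOException, ClassNotFoundException {
        // Only the principal class and JDK types may appear in the stream.
        String allowed = DemoPrincipal.class.getName() + ";java.**;!*";
        try (ObjectInputStream in = new ClassLoaderObjectInputStream(
                new ByteArrayInputStream(data), webappLoader, allowed)) {
            return (Principal) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new DemoPrincipal("alice")); }
        // Stand-alone the webapp loader is this class's own; in Tomcat pass the webapp's context loader.
        System.out.println(readPrincipal(bos.toByteArray(), DemoPrincipal.class.getClassLoader()).getName());
    }
}
```

Run stand-alone the class round-trips its own principal; deployed in Tomcat, the loader handed to `readPrincipal` would be the web application's context class loader, which is exactly what the default `ObjectInputStream` in the trace above fails to use.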