spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

JdbcTokenStore failed to remove not properly deserialized authentication #920

Open vedmedka opened 7 years ago

vedmedka commented 7 years ago

This happened after the Spring upgrade.

Method "public OAuth2Authentication readAuthentication(String token)" (https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java#L191-191) returns null. It is then passed to "public String extractKey(OAuth2Authentication authentication)" (https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java#L42-42), where it caused an NPE. That itself caused a transaction rollback:

Query     SET autocommit=0
Query     select token_id, token from oauth_access_token where authentication_id = 'c15f3618159c9dd19cd195e565012eac'
Query     select token_id, authentication from oauth_access_token where token_id = 'e756ac9f17eb30b6931917af9e6961f1'
Query     delete from oauth_access_token where token_id = 'e756ac9f17eb30b6931917af9e6961f1'
Query     rollback
Query     SET autocommit=1

Stacktrace

[http-nio-8060-exec-1] WARN  org.springframework.security.oauth2.provider.token.store.JdbcTokenStore - Failed to deserialize authentication for b79711ed-87f5-4a21-bc96-5c677a44116b
java.lang.IllegalArgumentException: java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 400, local class serialVersionUID = 410
    at org.springframework.security.oauth2.common.util.SerializationUtils.deserialize(SerializationUtils.java:40)
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.deserializeAuthentication(JdbcTokenStore.java:405)
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:198)
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:1)
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93)
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60)
    at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:697)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:633)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:684)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:716)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:726)
    at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:800)
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.readAuthentication(JdbcTokenStore.java:195)
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.getAccessToken(JdbcTokenStore.java:129)
    at org.springframework.security.oauth2.provider.token.DefaultTokenServices.createAccessToken(DefaultTokenServices.java:84)

iboyko commented 6 years ago

+1
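
The failure path reported above, as an added example that is not code from spring-security-oauth or from any commenter: a read that returns null when deserialization fails, and a lookup that removes the unreadable row instead of handing null to the key generator. Every class and method here is a hypothetical stand-in, and the invalid byte array is a constructed substitute for a blob written with an incompatible serialVersionUID.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-ins; none of these types are spring-security-oauth classes.
public class StaleTokenRowDemo {
    // token value -> serialized authentication blob (stand-in for oauth_access_token)
    static final Map<String, byte[]> rows = new HashMap<>();

    // Like the store in the report: log the failure and return null instead of throwing.
    static Object readAuthentication(String token) {
        byte[] blob = rows.get(token);
        if (blob == null) return null;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        } catch (IOException | ClassNotFoundException e) {
            System.out.println("WARN failed to deserialize authentication for " + token + ": " + e);
            return null;
        }
    }

    // Stand-in key generator that dereferences its argument, so null would throw an NPE.
    static String extractKey(Object authentication) {
        return Integer.toHexString(authentication.hashCode());
    }

    // Guarded lookup: a row whose authentication cannot be read is removed, not keyed.
    static String getAccessToken(String token, String expectedKey) {
        if (!rows.containsKey(token)) return null;
        Object stored = readAuthentication(token);
        if (stored == null || !expectedKey.equals(extractKey(stored))) {
            rows.remove(token); // the delete completes; the caller issues a fresh token
            return null;
        }
        return token;
    }

    public static void main(String[] args) {
        // Constructed sample: bytes that are not a valid serialization stream,
        // standing in for a blob written by an incompatible class version.
        rows.put("constructed-token", new byte[] {0x00, 0x01, 0x02, 0x03});
        System.out.println("returned: " + getAccessToken("constructed-token", "any-key"));
        System.out.println("row still present: " + rows.containsKey("constructed-token"));
    }
}
```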