Open kristofferpeterhansel opened 8 years ago
The default was kept for backwards compatibility with an old version. I'll consider changing it.
I'm suffering from this issue trying to integrate Okta in my Spring Boot app. I tried to find a workaround to make it possible to add a custom serializer that manages that problem, but no luck. Is there any workaround I can use to make this work?
So Spring Security (and the SAML extension) rely on being able to store Authentication objects in the Servlet Session scope.
But because SAMLAuthenticationProvider stores objects from OpenSAML in the Authentication object that are not Serializable, these session objects cannot easily be saved to a persistent store. This makes it very hard to work with at any serious scale (and it also breaks API compliance, since Authentication implementations are supposed to be Serializable).
It can be worked around by setting forcePrincipalAsString and excludeCredential. But it seems problematic that the default settings don't work correctly.
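As an added example (not code from the issue author or from the spring-security-saml project), a Spring Boot Java configuration that applies the workaround named above, plus a helper that round-trips an Authentication through Java serialization so a test can catch non-Serializable contents before a persistent session store is wired in. The class, bean and helper names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SAMLAuthenticationProvider;

@Configuration
public class SamlProviderConfig {

    // Hypothetical bean name; wire it into your SAML AuthenticationManager as usual.
    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider() {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        // Store only the NameID string as the principal instead of the OpenSAML NameID object.
        provider.setForcePrincipalAsString(true);
        // Do not keep the SAMLCredential (which wraps the OpenSAML Assertion) in the
        // Authentication. Attributes you need later must be read in your
        // SAMLUserDetailsService at login time, since they will not be in the session.
        provider.setExcludeCredential(true);
        return provider;
    }

    /**
     * Hypothetical test helper: serializes and deserializes an Authentication the way a
     * persistent session store (e.g. Spring Session) would. Throws NotSerializableException
     * if any nested object is not Serializable, so the problem surfaces in a unit test
     * rather than at runtime under load.
     */
    public static Authentication roundTrip(Authentication auth) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(auth);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (Authentication) in.readObject();
        }
    }
}
```

Call `roundTrip` on the Authentication produced by a test login; if it returns without throwing, the session can be persisted.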