I have been using spring-security-saml2-service-provider with the latest Spring Boot version, 2.6.1. Everything appears to be working as expected; however, when I added spring-boot-starter-data-redis in order to externalize the session, I hit the serialization error below.
I'm not entirely sure why Saml2RedirectAuthenticationRequest is not serializable, and I'm also trying to figure out whether this is an issue with spring-session or spring-security-saml.
Caused by: java.lang.IllegalArgumentException: DefaultSerializer requires a Serializable payload but received an object of type [org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest]
    at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:43) ~[spring-core-5.3.13.jar:5.3.13]
    at org.springframework.core.serializer.Serializer.serializeToByteArray(Serializer.java:56) ~[spring-core-5.3.13.jar:5.3.13]
    at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:60) ~[spring-core-5.3.13.jar:5.3.13]
    at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:33) ~[spring-core-5.3.13.jar:5.3.13]
    at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:94) ~[spring-data-redis-2.6.0
This is my security config:
// Inside configure(HttpSecurity http) throws Exception.
// relyingPartyRegistrations(), logoutUrl and logger are defined elsewhere in the config class.
Converter<HttpServletRequest, RelyingPartyRegistration> relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrations());

// Serves the SP metadata document for the resolved relying party.
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    .csrf().disable()                       // CSRF protection is switched off for the whole app here
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
    .antMatcher("/**")
    .authorizeRequests()
        .antMatchers("/actuator/**", "/css/**", "/images/**", "/js/**", "/favicon.ico")
            .permitAll()
        .anyRequest().authenticated()
    .and()
    .logout()
        .addLogoutHandler((request, response, authentication) -> {
            // Drop the (Redis-backed) session and send the user to the portal's logout page.
            request.getSession().invalidate();
            try {
                response.sendRedirect(logoutUrl);
            } catch (IOException e) {
                logger.error("Failed to redirect to portal");
                throw new RuntimeException("Failed to redirect to portal", e);
            }
        });
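The trace above comes from `DefaultSerializer`, which refuses any session attribute that does not implement `java.io.Serializable` before it ever reaches Redis. When a session holds several attributes it is not always obvious which one trips this, so here is a small diagnostic, added as an example and not part of the original post or of Spring's code. It takes a plain `Map<String, Object>` standing in for the session's attributes (copy them out of the real `HttpSession` with `getAttributeNames()`/`getAttribute()`), reproduces the two checks JDK serialization performs (top-level `instanceof Serializable`, then a dry-run `ObjectOutputStream` write to catch non-serializable fields nested inside an otherwise serializable value), and names the offending attribute. The `NonSerializableRequest` and `HolderWithBadField` classes are constructed stand-ins for illustration, not Spring Security types.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SessionSerializationCheck {

    /** One offending session attribute: its key and why it cannot be written. */
    public static final class Offender {
        public final String attributeName;
        public final String reason;

        Offender(String attributeName, String reason) {
            this.attributeName = attributeName;
            this.reason = reason;
        }

        @Override
        public String toString() {
            return attributeName + " -> " + reason;
        }
    }

    /**
     * Dry-run every attribute the way JdkSerializationRedisSerializer/DefaultSerializer would.
     * Two distinct failure modes are reported:
     *  - the value itself is not Serializable (the IllegalArgumentException in the question);
     *  - the value is Serializable but references a non-Serializable object somewhere in its graph
     *    (surfaces later as a NotSerializableException during the actual write).
     */
    public static List<Offender> findNonSerializable(Map<String, Object> attributes) {
        List<Offender> offenders = new ArrayList<>();
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            Object value = entry.getValue();
            if (value == null) {
                continue; // nulls are never written, nothing to check
            }
            if (!(value instanceof Serializable)) {
                offenders.add(new Offender(entry.getKey(),
                        "does not implement java.io.Serializable: " + value.getClass().getName()));
                continue;
            }
            // Serialize into a throw-away buffer to exercise the whole object graph.
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(value);
            } catch (NotSerializableException ex) {
                // The exception message is the class name of the first non-serializable object found.
                offenders.add(new Offender(entry.getKey(),
                        "references non-serializable class " + ex.getMessage()));
            } catch (IOException ex) {
                offenders.add(new Offender(entry.getKey(), "serialization failed: " + ex));
            }
        }
        return offenders;
    }

    // Hypothetical stand-in for a session value that is not Serializable (not a Spring class).
    static final class NonSerializableRequest {
        final String samlRequest = "constructed-sample";
    }

    // Hypothetical Serializable wrapper whose field drags in the non-serializable object.
    static final class HolderWithBadField implements Serializable {
        private static final long serialVersionUID = 1L;
        final NonSerializableRequest inner = new NonSerializableRequest();
    }

    public static void main(String[] args) {
        // Constructed sample "session": one fine attribute, one bad top-level value, one bad nested value.
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("plainString", "strings are Serializable");
        session.put("authRequest", new NonSerializableRequest());
        session.put("wrapped", new HolderWithBadField());

        for (Offender o : findNonSerializable(session)) {
            System.out.println(o);
        }
    }
}
```

Running `main` prints the two bad keys (`authRequest` and `wrapped`) with their reasons and stays silent about `plainString`. Against a real application, call `findNonSerializable` from a request after the SAML redirect has been started, or from an `HttpSessionAttributeListener`, to confirm exactly which attribute key carries the `Saml2RedirectAuthenticationRequest` before deciding whether to swap the Redis serializer or the request repository.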