This repository was archived by the owner on May 31, 2022. It is now read-only.

InvalidClassException at SimpleGrantedAuthority #665

Closed
scherman opened this issue Dec 29, 2015 · 11 comments

@scherman

I'm having this exception at runtime:

Caused by: java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 320, local class serialVersionUID = 400
    at java.io.ObjectStreamClass.initNonProxy(ObjectStreamClass.java:621)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1623)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
    at java.util.HashSet.readObject(HashSet.java:333)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1896)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
    at org.springframework.security.oauth2.common.util.SerializationUtils.deserialize(SerializationUtils.java:36)
    ... 139 more

I've seen in this StackOverflow question that this problem is fixed just by adding a generated serialVersionUID. Apparently, the SimpleGrantedAuthority class doesn't have a generated one, which may cause this problem.

Is there any workaround for this?

@mcirak

mcirak commented Jan 29, 2016

We are running into the same issue if we move to Spring Boot 1.3 from 1.2.8.

@sunilkeshavamurthy

We are also facing the same problem. Did anybody find a fix for this?

@mcirak

mcirak commented Feb 9, 2016

We had to downgrade for the time being...

@dsyer
Contributor

dsyer commented Feb 10, 2016

You have some serialized authentication tokens somewhere (I'm guessing a TokenStore). You need to convert them or just throw them away when you upgrade (users will get a new token, so throwing them away is an option).
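
One way to see which stored blobs an upgrade would break, as an added example that is not part of this thread or of the project's code: a heuristic Python scan that lists the class descriptors and serialVersionUIDs inside a serialized blob without loading any Java class. The function names and the sample blob are constructed for illustration; the UIDs 320 and 400 are the ones in the first stack trace above.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + stream version
TC_CLASSDESC = b"\x72"              # type code that opens a class descriptor
CLASS_NAME = re.compile(r"\[*[A-Za-z_$][\w$]*(\.[\w$]+)*;?")

def class_descriptors(blob):
    """Heuristic scan: list (class name, serialVersionUID) pairs in a blob."""
    if blob[:4] != STREAM_MAGIC:
        raise ValueError("not a Java serialization stream")
    found = []
    pos = blob.find(TC_CLASSDESC, 4)
    while pos != -1:
        if pos + 3 <= len(blob):
            (length,) = struct.unpack_from(">H", blob, pos + 1)
            end = pos + 3 + length
            name = blob[pos + 3:end].decode("ascii", errors="replace")
            # 0x72 is also ASCII 'r', so keep only hits that look like a
            # class name and leave room for the 8-byte UID that follows.
            if end + 8 <= len(blob) and CLASS_NAME.fullmatch(name):
                (uid,) = struct.unpack_from(">q", blob, end)
                found.append((name, uid))
        pos = blob.find(TC_CLASSDESC, pos + 1)
    return found

def stale_classes(blob, local_uids):
    """Map class -> (stream UID, local UID) for descriptors that mismatch."""
    return {name: (uid, local_uids[name])
            for name, uid in class_descriptors(blob)
            if name in local_uids and local_uids[name] != uid}

def _utf(text):
    """Frame a string the way the stream does: u2 length, then the bytes."""
    data = text.encode("ascii")
    return struct.pack(">H", len(data)) + data

# Constructed sample: one SimpleGrantedAuthority written with UID 320.
AUTHORITY = "org.springframework.security.core.authority.SimpleGrantedAuthority"
SAMPLE_BLOB = (STREAM_MAGIC + b"\x73" + TC_CLASSDESC + _utf(AUTHORITY)
               + struct.pack(">q", 320) + b"\x02\x00\x01"
               + b"L" + _utf("role") + b"\x74" + _utf("Ljava/lang/String;")
               + b"\x78\x70" + b"\x74" + _utf("ROLE_USER"))

if __name__ == "__main__":
    # The upgraded class in the first trace reports UID 400.
    print(stale_classes(SAMPLE_BLOB, {AUTHORITY: 400}))
```

Run over each row of the token store, this separates blobs that must be converted or discarded from those that still load.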

@medimohammadise

medimohammadise commented Apr 8, 2017

Thanks @dsyer, it is working for me. I just truncated the related table.

@msamm-r7

@dsyer just coming to this now on upgrading SB to 1.5.9, which means spring-sec 4.1.1 to 4.3.2. We're using Redis. Surely removing the sessions from Redis will force the user to re-login, will it not?

@dsyer
Contributor

dsyer commented Jan 29, 2018

This wasn’t originally a question about sessions. But yes.

@ufosaga

ufosaga commented Dec 19, 2018

Hi @dsyer, sorry to bother you. I have migrated from Spring Boot 1.5.5 to 2.1.0 and I have the same issue.

java.lang.IllegalArgumentException: java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority;
local class incompatible: stream classdesc serialVersionUID = 420,
local class serialVersionUID = 510
        at org.springframework.security.oauth2.common.util.SerializationUtils.deserialize(SerializationUtils.java:47)
        at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.deserializeAuthentication(JdbcTokenStore.java:405)
        at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:198)
        at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:196)
...

I don't want to delete the existing tokens, how can I convert them?

@ufosaga

ufosaga commented Dec 21, 2018

I solved this by sending the buffer back to a migrate service running with Spring Boot 1.5.5 and retrieving the JSON feedback to compose the new authentication object and save it back to the DB.

It is really, really, really bad practice to save a serialized class to storage.

@sagarshah1983

sagarshah1983 commented Jan 9, 2019

You have some serialized authentication tokens somewhere (I'm guessing a TokenStore). You need to convert them or just throw them away when you upgrade (users will get a new token, so throwing them away is an option).

Does this impact already stored refresh tokens as well? What options do we have to convert them, if we are migrating from spring boot 1 to 2? Please advise!

@michaelmaitland

Did you ever solve this issue? If so, what was the solution?
