ApplicationListenerDetector should prevent serialization of its ApplicationContext reference [SPR-14214] #18788

Ricardo Fanjul Fandiño opened SPR-14214 and commented

I'm trying to migrate a Spring web application from Spring 3.x to Spring 4.2.

My application is deployed in a cluster of Tomcat 7 instances, using memcached-session-manager (https://github.com/magro/memcached-session-manager) to serialize the session and Kryo to serialize the objects.

While serializing the session, I found an error that made me suspect that I'm trying to serialize the Spring ApplicationContext.

Debugging my application I found this:
!imagen1.png|thumbnail!

Inside the session there is a key “org.springframework.web.context.request.ServletRequestAttributes.DESTRUCTION_CALLBACK.scopedTarget.restSessionDataHolder” whose value references the ApplicationContext.

I find that, for each bean declared in session scope, for example:

```java
@Component
@Scope(proxyMode=ScopedProxyMode.TARGET_CLASS,value="session")
public class RestSessionDataHolder implements Serializable{
...
```

Spring, in the method “org.springframework.web.context.request.ServletRequestAttributes.registerSessionDestructionCallback(String name, Runnable callback)”, stores in the session a key named “org.springframework.web.context.request.ServletRequestAttributes.DESTRUCTION_CALLBACK.scopedTarget.[BEAN_NAME]” with a value that indirectly references the ApplicationContext.

!imagen2.png|thumbnail!

!imagen3.png|thumbnail!

Inside this attribute there are two “DestructionAwareBeanPostProcessor” instances: “CommonAnnotationBeanPostProcessor” and “org.springframework.context.support.PostProcessorRegistrationDelegate$ApplicationListenerDetector”.

“PostProcessorRegistrationDelegate$ApplicationListenerDetector” has existed since Spring 4.0 and may have a bug:

```java
private static class ApplicationListenerDetector implements MergedBeanDefinitionPostProcessor, DestructionAwareBeanPostProcessor {
...
		private final AbstractApplicationContext applicationContext;
```

I think that the attribute “private final AbstractApplicationContext applicationContext” should be “transient”.

For example, the similar attributes of “CommonAnnotationBeanPostProcessor” are transient:

```java
public class CommonAnnotationBeanPostProcessor extends InitDestroyAnnotationBeanPostProcessor
		implements InstantiationAwareBeanPostProcessor, BeanFactoryAware, Serializable {

...

	private transient BeanFactory jndiFactory = new SimpleJndiBeanFactory();

	private transient BeanFactory resourceFactory;

	private transient BeanFactory beanFactory;

	private transient final Map<String, InjectionMetadata> injectionMetadataCache =
			new ConcurrentHashMap<String, InjectionMetadata>(256);
```

Affects: 4.1.7, 4.1.8, 4.1.9, 4.2 GA, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5

Referenced from: commits 75a8f5b, e0734ae
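
The kind of check the report leads to, as an added example that is not part of the original issue or of Spring's code: a reflection walk over a session attribute's non-transient fields that reports the field path to a forbidden type. `FakeContext`, `Detector`, `FixedDetector` and `Callback` are hypothetical stand-ins for the Spring classes named above, and the walk skips transient fields the way Java serialization does.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

public class SessionGraphCheck {
    // Hypothetical stand-ins for the Spring types named in the issue.
    static class FakeContext { }                    // plays the ApplicationContext
    static class Detector {                         // non-transient reference, as reported
        private final FakeContext applicationContext = new FakeContext();
    }
    static class FixedDetector {                    // the change the reporter proposes
        private final transient FakeContext applicationContext = new FakeContext();
    }
    static class Callback implements Runnable {     // plays the DESTRUCTION_CALLBACK value
        private final Object postProcessor;
        Callback(Object postProcessor) { this.postProcessor = postProcessor; }
        public void run() { }
    }

    /** Returns the field path from root to an instance of forbidden, or null if none is reachable. */
    static String findPath(Object root, Class<?> forbidden) {
        return walk(root, forbidden, "root", Collections.newSetFromMap(new IdentityHashMap<>()));
    }

    private static String walk(Object o, Class<?> forbidden, String path, Set<Object> seen) {
        if (o == null || !seen.add(o)) return null;            // null or already visited (cycle)
        if (forbidden.isInstance(o)) return path;
        if (o.getClass().getName().startsWith("java.")) return null; // JDK types not inspected here
        for (Class<?> c = o.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                int m = f.getModifiers();
                if (Modifier.isStatic(m) || Modifier.isTransient(m) || f.getType().isPrimitive()) continue;
                try {
                    f.setAccessible(true);
                    String hit = walk(f.get(o), forbidden, path + "." + f.getName(), seen);
                    if (hit != null) return hit;
                } catch (IllegalAccessException | RuntimeException e) {
                    // field not accessible via reflection: skipped in this example
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println(findPath(new Callback(new Detector()), FakeContext.class));
        System.out.println(findPath(new Callback(new FixedDetector()), FakeContext.class));
    }
}
```

Arrays and `java.*` collections are not traversed here, so a context held only inside a collection would need that case added.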

Labels: in: web (issues in web modules: web, webmvc, webflux, websocket); type: enhancement (a general enhancement)