Stop increasing serialVersionUIDs with every minor version #15015

Closed
christopher-thumberger-whizus opened this issue May 7, 2024 · 2 comments
Assignees
Labels
status: invalid An issue that we don't feel is valid

Comments

@christopher-thumberger-whizus

Expected Behavior

The serialVersionUID field in Serializable classes should only be increased after introducing breaking changes (e.g. new fields/methods) in a class.

https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/Serializable.html

The serialization runtime associates with each serializable class a version number, called a serialVersionUID, which is used during deserialization to verify that the sender and receiver of a serialized object have loaded classes for that object that are compatible with respect to serialization.

Current Behavior

Currently, every Serializable class's serialVersionUID field is changed with every minor version.

Context

The company I work for uses a cluster of servers as a gateway that checks Authentication/Authorization before forwarding requests to other web applications. The servers in this cluster have to share sessions with each other. When doing a rolling update, the new and old versions cannot communicate with each other if they have different versions of Spring Security. This results in two negative outcomes.

  1. Negative impact on uptime, as we have to shut down the entire cluster once in a while to remove all stale caches (some clusters only use embedded infinispan/hazelcast)
  2. Negative impact on user experience, as every user has to sign in again each time such an update happens.
@christopher-thumberger-whizus christopher-thumberger-whizus added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 7, 2024
@OrangeDog
Contributor

OrangeDog commented May 7, 2024

Dupe of #3737, which may have been closed incorrectly.

You can work around it by implementing a custom ObjectInputStream:

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

public class VersionIgnoringObjectInputStream extends ObjectInputStream { // class name chosen here; the comment only showed the override
    public VersionIgnoringObjectInputStream(InputStream in) throws IOException {
        super(in); // reads the stream header
    }
    @Override
    protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
        ObjectStreamClass descriptor = super.readClassDescriptor();
        if (descriptor.getName().startsWith("org.springframework.security.")) {
            // ignore the serialized version and use the current version instead
            return ObjectStreamClass.lookupAny(Class.forName(descriptor.getName()));
        } else {
            return descriptor;
        }
    }
}
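Added example (not part of this issue and not Spring Security code): a self-contained Java program that reproduces the serialVersionUID mismatch described in the issue body and shows the readClassDescriptor() workaround from the comment above in action. It simulates a stream written by another version of the class by flipping one byte of the serialVersionUID inside the class descriptor, which a plain ObjectInputStream rejects with InvalidClassException and the lenient stream accepts. The class names, the trusted prefix "LenientDeserializationDemo$" and the SessionToken object are constructed for the demo; the ObjectInputFilter allowlist requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class LenientDeserializationDemo {

    // Constructed stand-in for a serializable session object.
    static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        SessionToken(String principal) { this.principal = principal; }
    }

    // Same idea as the readClassDescriptor() workaround from the comment, but the
    // trusted prefix is a constructor argument instead of a hard-coded string.
    static final class LenientObjectInputStream extends ObjectInputStream {
        private final String trustedPrefix;

        LenientObjectInputStream(InputStream in, String trustedPrefix) throws IOException {
            super(in);
            this.trustedPrefix = trustedPrefix;
        }

        @Override
        protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
            ObjectStreamClass fromStream = super.readClassDescriptor();
            if (fromStream.getName().startsWith(trustedPrefix)) {
                // Substitute the local descriptor: the stream's serialVersionUID is never compared.
                return ObjectStreamClass.lookupAny(Class.forName(fromStream.getName()));
            }
            return fromStream;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Simulates a stream written by another version of the class: in the Java
    // serialization format the 8-byte serialVersionUID directly follows the
    // class name inside the TC_CLASSDESC record, so we flip its low byte.
    static byte[] withDifferentSerialVersionUid(byte[] stream, Class<?> cls) {
        byte[] name = cls.getName().getBytes(StandardCharsets.UTF_8);
        int at = indexOf(stream, name);
        if (at < 0) throw new IllegalStateException("class descriptor not found in stream");
        byte[] patched = stream.clone();
        patched[at + name.length + 7] ^= (byte) 0xFF;
        return patched;
    }

    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    static Object readLenient(byte[] data) throws IOException, ClassNotFoundException {
        try (LenientObjectInputStream in = new LenientObjectInputStream(
                new ByteArrayInputStream(data), "LenientDeserializationDemo$")) {
            // The override only skips the version check; it does not decide what may be
            // deserialized. Keep an explicit allowlist on the stream as well (JDK 9+).
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "LenientDeserializationDemo$SessionToken;java.lang.String;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] current = serialize(new SessionToken("alice"));
        byte[] otherVersion = withDifferentSerialVersionUid(current, SessionToken.class);

        try (ObjectInputStream strict = new ObjectInputStream(new ByteArrayInputStream(otherVersion))) {
            strict.readObject();
            System.out.println("unexpected: strict stream accepted the mismatched serialVersionUID");
        } catch (InvalidClassException e) {
            System.out.println("strict stream rejected it: " + e.getMessage());
        }

        SessionToken token = (SessionToken) readLenient(otherVersion);
        System.out.println("lenient stream accepted it, principal=" + token.principal);
    }
}
```

Compile and run with `javac LenientDeserializationDemo.java && java LenientDeserializationDemo`. The first read fails with "local class incompatible" because the stream's serialVersionUID no longer matches the loaded class; the second read succeeds because the overridden readClassDescriptor() hands back the local descriptor. Note that skipping the version check also skips the only built-in defence against an incompatible class layout, so the substitution is limited to a trusted prefix and the stream still carries an allowlist filter.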

@marcusdacoregio
Contributor

Hi, @christopher-thumberger-whizus. This is a duplicate of #3737 which has been solved in 6.3. See the docs https://docs.spring.io/spring-security/reference/6.3-SNAPSHOT/whats-new.html#_passive_jdk_serialization_support

@marcusdacoregio marcusdacoregio self-assigned this May 9, 2024
@marcusdacoregio marcusdacoregio added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 9, 2024