Treat a SerializationException retrieving a session at though there were no session.

This makes zero-downtime / seamless upgrades possible in more cases instead of requiring manual deletion of cached sessions when e.g. upgrading spring-security across versions that change SpringSecurityCoreVersion.SERIAL_VERSION_ID.

Author: dbyron-sf

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisIndexedSessionRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2021 the original author or authors.
+ * Copyright 2014-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@
 import org.springframework.data.redis.core.RedisOperations;
 import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
 import org.springframework.data.redis.serializer.RedisSerializer;
+import org.springframework.data.redis.serializer.SerializationException;
 import org.springframework.data.redis.util.ByteUtils;
 import org.springframework.session.DelegatingIndexResolver;
 import org.springframework.session.FindByIndexNameSessionRepository;
@@ -454,7 +455,15 @@ public Map<String, RedisSession> findByIndexNameAndIndexValue(String indexName,
 	 * @return the Redis session
 	 */
 	private RedisSession getSession(String id, boolean allowExpired) {
-		Map<Object, Object> entries = getSessionBoundHashOperations(id).entries();
+		Map<Object, Object> entries;
+		try {
+			entries = getSessionBoundHashOperations(id).entries();
+		}
+		catch (SerializationException ex) {
+			// An error deserializing is equivalent to not having any information at all.
+			logger.warn("exception getting session " + id, ex);
+			return null;
+		}
 		if (entries.isEmpty()) {
 			return null;
 		}

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/RedisIndexedSessionRepositoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,7 @@
 import org.springframework.data.redis.core.RedisOperations;
 import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
 import org.springframework.data.redis.serializer.RedisSerializer;
+import org.springframework.data.redis.serializer.SerializationException;
 import org.springframework.session.FindByIndexNameSessionRepository;
 import org.springframework.session.FlushMode;
 import org.springframework.session.MapSession;
@@ -394,6 +395,15 @@ void getSessionExpired() {
 		assertThat(this.redisRepository.findById(expiredId)).isNull();
 	}
 
+	@Test
+	void getSessionIncompatible() {
+		String incompatibleId = "incompatible";
+
+		given(this.redisOperations.boundHashOps(getKey(incompatibleId))).willReturn(this.boundHashOperations);
+		given(this.boundHashOperations.entries()).willThrow(new SerializationException("arbitrary exception"));
+		assertThat(this.redisRepository.findById(incompatibleId)).isNull();
+	}
+
 	@Test
 	@SuppressWarnings("unchecked")
 	void findByPrincipalNameExpired() {