
Serialization error when using LDAP authentication and user entered wrong password #685

Closed
etlweather opened this issue Dec 1, 2016 · 7 comments
Assignees
Labels
for: stack-overflow A question that's better suited to stackoverflow.com

Comments

@etlweather

I am using Spring Security with LDAP (well Active Directory to be precise) and when the user enters a wrong password, with Spring Session enabled, with Redis, we get a serialization error.

There was an unexpected error (type=Internal Server Error, status=500).
Cannot serialize; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer;     nested exception is java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx

Been also mentioned on StackOverflow: http://stackoverflow.com/questions/32751094/spring-boot-with-session-redis-serialization-error-with-bad-active-directory-lda

Using Spring Session 1.2.2.RELEASE

@restoreddev

I second this issue. I'm using Spring Session for JDBC sessions and I get a serialization failure when it tries to serialize the BadCredentials exception for storage in the session. I'm using the ActiveDirectoryLdapAuthenticationProvider.

@iKrushYou

Bump, this is still an issue

@vpavic vpavic self-assigned this Apr 7, 2018
@vpavic vpavic added the for: stack-overflow A question that's better suited to stackoverflow.com label Apr 7, 2018
@vpavic
Contributor

vpavic commented Apr 7, 2018

This is actually a Spring Security issue as there's not much we can do from Spring Session side.

If standard Java serialization is used, everything that goes into the session has to implement Serializable. Alternatively, for some session stores (Redis, MongoDB) Jackson based JSON serialization can be used (see this sample), however this still requires the presence of a Jackson Mixin to handle 3rd party classes.

There was a similar issue (see #1013) reported recently for Jackson serialization, and it was addressed in spring-projects/spring-security#5087.

@iKrushYou

@vpavic
I followed the sample code and implemented the SessionConfig over what I have now. I keep getting this popup:
is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details

But the link for some reason (am I reading it wrong?) gives zero information on resolving the issue. Through research it seems that I need to add a Mixin, but I'm searching around for examples and am not finding anything that seems to apply. Is there any way to enable a global whitelist of everything? This is an internal application without any suspicion of malicious activity.

@vpavic
Contributor

vpavic commented Apr 13, 2018

@iKrushYou You should really be reporting this to Spring Security, as it provides support for Jackson based JSON serialization via appropriate mixins. When you do so, feel free to update this issue with a link to the Spring Security issue you created.

@iKrushYou

@vpavic thanks for the response. What about the error message itself? Specifically this part "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin."

How can I 'provide an explicit mapping using Jackson annotations'?
And why is it that the link to issue #4370 doesn't actually contain any seemingly useful information? It's a bit strange to include that link in an error message without it containing a solution.
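The explicit mapping asked about here, and the mixin-based approach vpavic describes above, as an added example that is not code from this thread or from the Spring projects: a Spring Session Redis configuration that registers Spring Security's Jackson modules and a mixin for one hypothetical third-party value type, `ExternalPrincipal`, instead of enabling default typing for every class. The class and mixin names are assumptions; the bean name `springSessionDefaultRedisSerializer` is the one Spring Session's Redis support looks up. A mixin only helps for plain data classes; it cannot make a live directory context such as the `LdapCtx` in the original report storable, so such objects have to be kept out of the session.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;

@Configuration
public class SessionSerializerConfig implements BeanClassLoaderAware {
    private ClassLoader loader;

    @Override
    public void setBeanClassLoader(ClassLoader loader) { this.loader = loader; }

    // Hypothetical third-party type that ends up in the session and has no Jackson annotations.
    public static final class ExternalPrincipal {
        private final String name;
        public ExternalPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Mixin: the Jackson mapping for ExternalPrincipal, kept outside its source. Registering it is the
    // explicit, per-class allow the "is not whitelisted" message asks for, so default typing stays off.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
            getterVisibility = JsonAutoDetect.Visibility.NONE,
            isGetterVisibility = JsonAutoDetect.Visibility.NONE)
    @JsonIgnoreProperties(ignoreUnknown = true)
    abstract static class ExternalPrincipalMixin {
        @JsonCreator
        ExternalPrincipalMixin(@JsonProperty("name") String name) { }
    }

    // Bean name Spring Session's Redis support looks up for its session serializer.
    @Bean("springSessionDefaultRedisSerializer")
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(SecurityJackson2Modules.getModules(loader)); // Spring Security's own mixins
        SimpleModule extra = new SimpleModule("external-principal-mixin");
        extra.setMixInAnnotation(ExternalPrincipal.class, ExternalPrincipalMixin.class);
        mapper.registerModule(extra);
        return new GenericJackson2JsonRedisSerializer(mapper);
    }
}
```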

@vpavic
Contributor

vpavic commented May 2, 2018

I'm closing this as answered. @iKrushYou please report this to Spring Security, as suggested before.
