Serialization error when using LDAP authentication and user entered wrong password

[etlweather]

I am using Spring Security with LDAP (well Active Directory to be precise) and when the user enters a wrong password, with Spring Session enabled, with Redis, we get a serialization error.

There was an unexpected error (type=Internal Server Error, status=500).
Cannot serialize; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer;     nested exception is java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx

Been also mentioned on StackOverflow: http://stackoverflow.com/questions/32751094/spring-boot-with-session-redis-serialization-error-with-bad-active-directory-lda

Using Spring Session 1.2.2.RELEASE

[restoreddev]

I second this issue. I'm using Spring Session for JDBC sessions and I get a serialization failure when it tries to serialize the BadCredentials exception for storage in the session. I'm using the ActiveDirectoryLdapAuthenticationProvider.

[iKrushYou]

Bump, this is still an issue

[vpavic]

This is actually a Spring Security issue as there's not much we can do from Spring Session side.

If standard Java serialization is used, everything that goes into session has to implement Serializable. Alternatively, for some session stores (Redis, MongoDB) Jackson based JSON serialization can be used (see this sample) however this still requires presence of Jackson Mixin to handle 3rd party classes.

There was a similar issue (see #1013) reported recently for Jackson serialization, and was addressed in spring-projects/spring-security#5087.

[iKrushYou]

@vpavic
I followed the sample code and implemented the SessionConfig over what i have now. I keep getting this popup:
is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details

but the link for some reason (am I reading it wrong) gives zero information on resolving the issue. through research it seems that i need to add a Mixin, but i'm searching around for examples and am not finding anything that seems to apply.. is there any way to enable a global whitelist of everything? this is an internal application without any suspicion of malicious activity

[vpavic]

@iKrushYou You should really be reporting this to Spring Security as it provides support for Jackson based JSON serialization via appropriate mixins. When you do so, feel free to update this issue with link to Spring Security issue you created.

[iKrushYou]

@vpavic thanks for the response. What about the error message itself? Specifically this part "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin."

How can I 'provide an explicit mapping using Jackson annotations'
And why is it that the link to issue #4370 doesn't actually contain any seemingly useful information? It's a bit strange to include that link in an error message without it containing a solution

[vpavic]

I'm closing this as answered - @iKrushYou please report this to Spring Security, as suggested before.