How to handle version updates of spring-security-oauth2?

spring-security-oauth2 saves the Authentication object as part of the access token entry in the database as a serialized Java object (ByteArrayOutputStream.writeObject(authentication)).

How do you handle version updates of either spring-security (which can change SpringSecurityCoreVersion.SERIAL_VERSION_UID) or spring-security-oauth (which can change the serialVersionUID of OAuth2Authentication)? If the serialVersionUID has changed, the stored authentication object can no longer be deserialized.

We came to the conclusion that deleting the access tokens containing serialized authentication objects would be the simplest and easiest solution when updating the framework version. Any ideas on how to handle this more elegantly?

1 answer

I think the best solution is to throw out the tokens. Next to the SpringSecurityCoreVersion.SERIAL_VERSION_UID declaration there is a big comment that states:

    /**
     * Global Serialization value for Spring Security classes.
     *
     * NB Classes are not intended to be serializable between different versions. See
     * SEC-1709 for why we still need a serial version.
     */

Indeed, they deliberately bump SERIAL_VERSION_UID with (at least) every minor release.

(The issue comments for SEC-1709 explain how they arrived at this solution.)

From the comments, I gather that if you really tried to handle the version update transparently, it could lead to breakage with unpredictable consequences. (That is "code" for possible security issues.)

OAuth2Authentication.serialVersionUID, on the other hand, does not seem to have changed over the past 9 years.

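The following is an added illustration of the two points above (the question's observation that a changed serialVersionUID makes the stored blob unreadable, and the answer's recommendation to discard such tokens). It is not code from the question, the answer, or Spring Security. It assumes a plain Map standing in for the token table and two nested classes, StoredAuthV1 and StoredAuthV2, standing in for the pre- and post-upgrade versions of the serialized authentication class; the resolveClass override maps the class name in the stream onto the "new" class to simulate the classpath after an upgrade.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class SerialUidDemo {

    // Hypothetical "old" version of the stored authentication class: the one
    // that was on the classpath when the token rows were written.
    static class StoredAuthV1 implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        StoredAuthV1(String principal) { this.principal = principal; }
    }

    // Hypothetical "new" version after the framework upgrade: same field,
    // bumped serialVersionUID (what a SERIAL_VERSION_UID bump does).
    static class StoredAuthV2 implements Serializable {
        private static final long serialVersionUID = 2L;
        final String principal;
        StoredAuthV2(String principal) { this.principal = principal; }
        @Override public String toString() { return "StoredAuthV2[" + principal + "]"; }
    }

    // Stand-in for the token table: token value -> serialized authentication bytes.
    static final Map<String, byte[]> TOKEN_STORE = new HashMap<>();

    // Mirrors how the token store writes the authentication: plain Java serialization.
    static byte[] serialize(Serializable auth) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(auth);
        }
        return bos.toByteArray();
    }

    // Reads a stored blob as the *current* class version. Resolving the stream's
    // class name to StoredAuthV2 simulates the post-upgrade classpath: the stream
    // carries serialVersionUID 1, the local class carries 2, and ObjectInputStream
    // refuses with InvalidClassException ("local class incompatible").
    static StoredAuthV2 deserializeAsCurrent(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (desc.getName().equals(StoredAuthV1.class.getName())) {
                    return StoredAuthV2.class;
                }
                return super.resolveClass(desc);
            }
        }) {
            return (StoredAuthV2) ois.readObject();
        }
    }

    // Token lookup done the way the answer recommends: a blob that no longer
    // deserializes is treated as an invalid token and removed, so the client has
    // to re-authenticate. Returns null for unknown or just-discarded tokens.
    static StoredAuthV2 loadAuthentication(String tokenValue) throws IOException, ClassNotFoundException {
        byte[] blob = TOKEN_STORE.get(tokenValue);
        if (blob == null) {
            return null;
        }
        try {
            return deserializeAsCurrent(blob);
        } catch (InvalidClassException e) {
            // Version mismatch: do not try to patch the stream, just drop the token.
            TOKEN_STORE.remove(tokenValue);
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a token issued before the upgrade.
        TOKEN_STORE.put("tok-123", serialize(new StoredAuthV1("alice")));

        StoredAuthV2 auth = loadAuthentication("tok-123");
        System.out.println("authentication after upgrade: " + auth);
        System.out.println("token still stored: " + TOKEN_STORE.containsKey("tok-123"));
    }
}
```

The catch is deliberately limited to InvalidClassException: that is the failure a UID bump produces, and it is the case where "fixing" the stream would mean reconstructing an Authentication the current code never validated. Any other read failure still propagates so it is noticed rather than silently turned into a logout.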

Source: https://habr.com/ru/post/979394/


All Articles