How to fix java.io.InvalidClassException: org.springframework.security.core.context.SecurityContextImpl

Question

I have recently upgraded the Spring of my spring boot application, as a result, the underlying Spring Security Core upgraded to 5.4.5.

Now while launching the Spring Boot application, I am seeing following issue:

org.eclipse.jetty.server.HttpChannel - handleException / java.io.InvalidClassException: 
org.springframework.security.core.context.SecurityContextImpl; local class incompatible: 
stream classdesc serialVersionUID = 530, local class serialVersionUID = 540

In this context, I found this post on GitHub: https://github.com/spring-projects/spring-security/issues/9204 and https://github.com/spring-projects/spring-security/issues/3736.

But I could not figure out how to solve this issue. Could anyone please help here? Thanks.

Answer 1

In https://github.com/spring-projects/spring-security/issues/9204 you can find: "Spring Security is not intended to be serialized between versions"

This is mind blowing. So all users need to be logged out on an version upgrade!?

What can you do? For your current upgrade you must log out all users. But you can prepare for next upgrade:

You need to write your own serialization for the session object. Here is one project where they added there own session serialization user Jackson with and some redis library. This code will work without changes even if you are using mysql for example:

https://raw.githubusercontent.com/klboke/apollo/091a757d0a3c2173d6c600cd6a9a1595bb73c10c/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/config/SpringSessionConfig.java

One thing to note. So if you are not in production then you add this configuration and when the security lib get upgraded you are fine, but if you are in production first time you deploy this all users will need to be logged out first as serialization of the session will not fit the previous one!