How to handle version upgrades of spring-security-oauth2?

spring-security-oauth2 saves the Authentication object as part of the access token entry in the database as a serialized java object (ByteArrayOutputStream.writeObject(authentication)).

How do you handle version upgrades of either spring-security (which may change the SpringSecurityCoreVersion.SERIAL_VERSION_UID) or spring-security-oauth (which may change the serialVersionUID of the OAuth2Authentication)? If the serialVersionUID changes, the persisted Authentication object cannot be deserialized anymore.

We are coming to the conclusion that deleting the access tokens containing the serialized Authentication objects would be the cleanest and easiest solution when upgrading the framework version. Any ideas how to handle this more gracefully?

James Avatar asked Dec 10 '14 11:12




1 Answer

I think that the best solution is to throw the tokens away. There is a big comment next to the declaration of SpringSecurityCoreVersion.SERIAL_VERSION_UID that says this:

/**
 * Global Serialization value for Spring Security classes.
 *
 * N.B. Classes are not intended to be serializable between different versions. See
 * SEC-1709 for why we still need a serial version.
 */

Indeed, they deliberately bump SERIAL_VERSION_UID (at least) on every minor release.

(The issue comments for SEC-1709 explain how they came to this solution.)

What I get from the comments is that if you did attempt to handle version upgrade transparently, you may cause things to break, with unpredictable consequences. (That is "code" for possible security problems.)


On the other hand, OAuth2Authentication.serialVersionUID doesn't appear to have changed in the last 9 years.

Stephen C Avatar answered Oct 24 '22 20:10

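As an added example (not from the question, the answer, or the Spring projects), a one-off Java 9+ utility that applies the answer's advice more selectively: it probes each row of JdbcTokenStore's oauth_access_token and oauth_refresh_token tables against the upgraded classpath and deletes only the tokens whose stored Authentication no longer deserializes. The table and column names are those of the JdbcTokenStore schema; the deserialization allow-list, the class name and the JDBC connection passed in are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.List;

/** Deletes only those JdbcTokenStore rows whose serialized authentication no longer deserializes. */
public class StaleTokenPurge {

    // Deserialization allow-list (assumption): Spring Security classes plus the JDK types they contain.
    // Add the package of your own principal/UserDetails class, or its tokens are rejected and purged.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "org.springframework.security.**;java.lang.**;java.util.**;!*");

    /** True if the blob deserializes against the classes on the current (upgraded) classpath. */
    static boolean deserializes(byte[] blob) {
        if (blob == null) return false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(FILTER);
            in.readObject();
            return true;
        } catch (IOException | ClassNotFoundException e) {
            // InvalidClassException (an IOException): serialVersionUID mismatch after a bump, or filter reject.
            // ClassNotFoundException: the class was removed or renamed in the new framework version.
            return false;
        }
    }

    /** Probes every row of one token table, deletes the stale ones and returns how many were removed. */
    static int purgeStale(Connection db, String table) throws Exception {
        // 'table' is "oauth_access_token" or "oauth_refresh_token", hard-coded by the caller, never user input.
        List<String> stale = new ArrayList<>();
        try (PreparedStatement ps = db.prepareStatement("select token_id, authentication from " + table);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                if (!deserializes(rs.getBytes("authentication"))) stale.add(rs.getString("token_id"));
            }
        }
        try (PreparedStatement del = db.prepareStatement("delete from " + table + " where token_id = ?")) {
            for (String id : stale) { del.setString(1, id); del.addBatch(); }
            del.executeBatch();
        }
        return stale.size();
    }
}
```

Run it once after the upgraded build is deployed (so the probe uses the new classes), calling purgeStale(db, "oauth_access_token") and then purgeStale(db, "oauth_refresh_token"); tokens issued by the new version deserialize cleanly and are left alone, so only users holding pre-upgrade tokens have to log in again.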