Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to handle version upgrades of spring-security-oauth2?

Tags:

java

serialization

spring

spring-security

spring-security-oauth2

spring-security-oauth2 saves the Authentication object as part of the access token entry in the database as a serialized java object (ByteArrayOutputStream.writeObject(authentication)).

How do you handle version upgrades of either spring-security (which may change the SpringSecurityCoreVersion.SERIAL_VERSION_UID) and spring-security-oauth (which may change the serialVersionUID of the OAuth2Authentication)? If the serialVersionUID changes, the persisted Authentication object cannot be deserialized anymore.

We are coming to the conclusion that deleting the access tokens containing the serialized Authentication objects would be the cleanest and easiest solution when upgrading the framework version. Any ideas how to handle this more gracefully?

like image 333
James Avatar asked Dec 10 '14 11:12

James

People also ask

Is Spring Security OAuth2 deprecated?

End of Life Notice The Spring Security OAuth project has reached end of life and is no longer actively maintained by VMware, Inc. This project has been replaced by the OAuth2 support provided by Spring Security and Spring Authorization Server.

Why Spring Security OAuth project is deprecated?

Since Spring Security doesn't provide Authorization Server support, migrating a Spring Security OAuth Authorization Server is out of scope for this document.

How does OAuth2 2.0 work in spring boot?

Spring Security OAuth2 − Implements the OAUTH2 structure to enable the Authorization Server and Resource Server. Spring Security JWT − Generates the JWT Token for Web security. Spring Boot Starter JDBC − Accesses the database to ensure the user is available or not. Spring Boot Starter Web − Writes HTTP endpoints.

1 Answers

I think that the best solution is to throw the tokens away. There is a big comment next to the declaration of SpringSecurityCoreVersion.SERIAL_VERSION_UID that says this:

/**
 * Global Serialization value for Spring Security classes.
 *
 * N.B. Classes are not intended to be serializable between different versions. See
 * SEC-1709 for why we still need a serial version.
 */

Indeed, they deliberately bump SERIAL_VERSION_UID (at least) on every minor release.

(The issue comments for SEC-1709 explain how they came to this solution.)

What I get from the comments is that if you did attempt to handle version upgrade transparently, you may cause things to break, with unpredictable consequences. (That is "code" for possible security problems.)

On the other hand, OAuth2Authentication.serialVersionUID doesn't appear to have changed in the last 9 years.

like image 99
Stephen C Avatar answered Oct 24 '22 20:10

Stephen C
Sign in to Comment

Related questions

Questions on Upgrading Lucene from 2.2 to 2.9 to 3.1
Which PDF Generation API (Java) supports Gujarati Font?
How do I clear up this ambiguous call to Arrays.copyof()?
Android MediaMetadataRetriever returns null values from most keys
Is there a Hello World example for the Google Contacts API in Java, C#, Python or Ruby?
Why isn't getSession() returning the same session in subsequent requests distanced in short time periods?
Does OSGI JNDI allow coexistence with JNDI calls from non-OSGI code?
JAVA SWT/AWT Eclipse Mac OSX Java Cocoa CompatibilityMode Enabled
Java Clipboard: Paste HTML from Firefox on Linux
JPA composite primary key with null value
broken pipe error while Capturing image in android
Continuous integration: ensure new commits are covered with tests
Play Model Objects from External API
Efficient way to allot the next available VM
How to register spring bean in grails that needs a reference to a filter bean
Datanucleus Programmatic API Class Enhancement
When to install keystore & when to install only certificate wrapped in keystore [duplicate]
How to stop Eclipse from moving cursor for closing java parenthesis?
How to monitor the JVM usage of large memory pages in Windows 7?
Eclipse Luna debug slow only up to the very first breakpoint

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!