spring-security-oauth2 saves the Authentication object as part of the access token entry in the database as a serialized Java object (ByteArrayOutputStream.writeObject(authentication)).
How do you handle version upgrades of either spring-security (which may change the SpringSecurityCoreVersion.SERIAL_VERSION_UID) and spring-security-oauth (which may change the serialVersionUID of the OAuth2Authentication)? If the serialVersionUID changes, the persisted Authentication object cannot be deserialized anymore.
We are coming to the conclusion that deleting the access tokens containing the serialized Authentication objects would be the cleanest and easiest solution when upgrading the framework version. Any ideas on how to handle this more gracefully?
I think that the best solution is to throw the tokens away. There is a big comment next to the declaration of SpringSecurityCoreVersion.SERIAL_VERSION_UID that says this:
/**
* Global Serialization value for Spring Security classes.
*
* N.B. Classes are not intended to be serializable between different versions. See
* SEC-1709 for why we still need a serial version.
*/
Indeed, they deliberately bump SERIAL_VERSION_UID (at least) on every minor release.
(The issue comments for SEC-1709 explain how they came to this solution.)
What I get from the comments is that if you did attempt to handle version upgrade transparently, you may cause things to break, with unpredictable consequences. (That is "code" for possible security problems.)
On the other hand, OAuth2Authentication.serialVersionUID doesn't appear to have changed in the last 9 years.
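The failure the question describes, as an added example that is not from the question, the answer or the Spring Security project: a stand-in Serializable class (hypothetical FakeAuthentication) whose persisted bytes get their serialVersionUID rewritten to mimic a framework bump, plus an isDeserializable check of the kind an upgrade job could run over each stored token blob to purge only the entries that no longer load. The helper names withBumpedUid and isDeserializable are assumptions, not framework API.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class StaleTokenDemo {

    // Hypothetical stand-in for OAuth2Authentication: Serializable with an explicit UID.
    static class FakeAuthentication implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        FakeAuthentication(String principal) { this.principal = principal; }
    }

    // Same shape as what the token store persists: ObjectOutputStream.writeObject bytes.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Simulate the framework bumping serialVersionUID: in the stream's class descriptor
    // the 8-byte UID immediately follows the UTF class name, so overwrite it there.
    static byte[] withBumpedUid(byte[] blob, Class<?> cls, long newUid) {
        byte[] name = cls.getName().getBytes(StandardCharsets.UTF_8);
        byte[] copy = blob.clone();
        for (int i = 0; i + name.length + 8 <= copy.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(copy, i, i + name.length), name)) {
                ByteBuffer.wrap(copy, i + name.length, 8).putLong(newUid);
                return copy;
            }
        }
        throw new IllegalArgumentException("class descriptor not found in stream");
    }

    // The check an upgrade job would apply per stored row: a UID mismatch surfaces as
    // InvalidClassException, which marks the token as stale and safe to delete.
    static boolean isDeserializable(byte[] blob) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.readObject();
            return true;
        } catch (InvalidClassException e) {
            return false;
        } catch (IOException | ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] fresh = serialize(new FakeAuthentication("alice"));   // constructed sample
        byte[] stale = withBumpedUid(fresh, FakeAuthentication.class, 2L);
        System.out.println("fresh deserializable: " + isDeserializable(fresh));
        System.out.println("stale deserializable: " + isDeserializable(stale));
    }
}
```

Run against the real store, the blobs would come from the token table's authentication column and the class would be OAuth2Authentication, loaded with the post-upgrade framework jars on the classpath.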