serialization incompatibility from 0.6 -> 0.6.1

**sjivan** · Oct 19th, 2004, 10:53 AM

The UsernamePasswordAuthenticationToken serializable class is not versioned. I upgraded from version 0.6 to 0.6.1 and get the following error.

-----------------------------------------------------------------

004-10-19 11:54:42 StandardManager[/tbr] IOException while loading persisted sessions: java.io.InvalidClassException: net.sf.acegisecurity.providers.UsernamePasswordAut henticationToken; local class incompatible: stream classdesc serialVersionUID = -7294159914012923185, local class serialVersionUID = 2383602471895018131
java.io.InvalidClassException: net.sf.acegisecurity.providers.UsernamePasswordAut henticationToken; local class incompatible: stream classdesc serialVersionUID = -7294159914012923185, local class serialVersionUID = 2383602471895018131
at java.io.ObjectStreamClass.initNonProxy(ObjectStrea mClass.java:459)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectI nputStream.java:1521)
at java.io.ObjectInputStream.readClassDesc(ObjectInpu tStream.java:1435)
at java.io.ObjectInputStream.readOrdinaryObject(Objec tInputStream.java:1626)
at java.io.ObjectInputStream.readObject0(ObjectInputS tream.java:1274)
at java.io.ObjectInputStream.defaultReadFields(Object InputStream.java:1845)
at java.io.ObjectInputStream.readSerialData(ObjectInp utStream.java:1769)
at java.io.ObjectInputStream.readOrdinaryObject(Objec tInputStream.java:1646)
at java.io.ObjectInputStream.readObject0(ObjectInputS tream.java:1274)
at java.io.ObjectInputStream.readObject(ObjectInputSt ream.java:324)

**Ben Alex** · Oct 19th, 2004, 04:30 PM

You're persisting the Authentication token in the HttpSession? This is not a use case I can think of a good reason for. Could you please elaborate on why this is necessary?

**sjivan** · Oct 21st, 2004, 03:58 PM

I didn't explicitly persist the Authentication token in the HttpSession, but the web container must have. I stopped my web app, upgraded Acegi and restarted when I ran into this issue. This might not be a legitimate use case however in a clustered web app, this could happen during session synchronization if the nodes of the cluster are running different versions of Acegi.

**Ben Alex** · Oct 21st, 2004, 05:17 PM

Originally Posted by sjivan

This might not be a legitimate use case however in a clustered web app, this could happen during session synchronization if the nodes of the cluster are running different versions of Acegi.

I'm not sure I agree this is a common requirement.

My reluctance to simply put a

Code:

static final long serialVersionUID

into the class is it will have a flow-on effect from Authentication to GrantedAuthority implementations and UserDetails implementations. Both of these interfaces (especially the latter) are implemented by users and I don't want to impose an additional requirement on them, especially for a use case I personally can't see as being needed.

If people disagree with me on this, please speak up and I'll add it.

Let's not also forget you're free to implement your own Authentication object (and related objects) which can use the serialVersionUID. The joys of everything being a interface!

Thread: serialization incompatibility from 0.6 -> 0.6.1

Thread Tools

Display

serialization incompatibility from 0.6 -> 0.6.1

Similar Threads

Serialization error using <lookup-method>

UpgradeAcegi Security System from 0.6.1 to 0.8.3

Serialization and backing object

Spring enums and serialization

Announcement: Acegi Security - new release 0.6.1

Posting Permissions