From: Andreas Prieß
Organization: metaphysis
Date: Tue, 27 Sep 2011 14:08:29 +0200
To: user@shiro.apache.org
Subject: Re: SimpleSession serialization - fields written twice
Message-ID: <4E81BCBD.8060909@metaphysis.net>
References: <1316819991340-6826037.post@n2.nabble.com>
Hi Les,

I just had a look at the chapter about serialization in "Effective Java" to see what the rationale is about. As you mentioned, defaultWriteObject() should be used, but the example in the book also clearly shows that all fields with customized serialization must not be serializable for the default mechanism executed by defaultWriteObject(), so they should normally be transient.

The problem with Shiro's SimpleSession is that the fields are _not_ marked transient and are therefore in fact written out twice. The solution should not be to remove defaultWriteObject() but to mark all the fields transient. (Looked at source checked out on 2011-09-06.)

HTH,
Andreas

On 25.09.2011 20:02, Les Hazlewood wrote:
> Wrt Java serialization, in.defaultReadObject() and
> out.defaultWriteObject() should pretty much always be called as the
> very first line in the readObject and writeObject implementations,
> respectively.
>
> Josh Bloch covers this in his Effective Java book (2nd edition), page
> 299. While too lengthy to repeat here, it boils down to ensuring the
> class functions properly even as future modifications occur, as well
> as for real security reasons.
>
> I can't comment as to whether or not your solution is fine for your
> needs, but this explains the reason why they are in Shiro's current
> implementation.
>
> Cheers,
>
> Les
>
> P.S. As an aside if anyone finds this next comment helpful, there are
> two Java books that I have at my desk that are indispensable to me:
> Josh Bloch's Effective Java (2nd edition) and Brian Goetz (et. al.)'s
> Java Concurrency in Practice.
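The double write Andreas describes, as an added example that is neither Shiro's code nor part of the thread: a one-field stand-in for SimpleSession (class names, field and the sample id are assumed) with the fields left non-transient next to the transient fix, plus a search that counts how often the id's bytes occur in each serialized stream.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class DoubleWriteDemo {
    // Field NOT transient: defaultWriteObject() emits it, then writeObject()
    // emits it again by hand, so the value lands in the stream twice.
    static final class Unfixed implements Serializable {
        private String id;
        Unfixed(String id) { this.id = id; }
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeUTF(id);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // restores id once ...
            id = in.readUTF();      // ... then overwrites it with the second copy
        }
    }
    // The fix: keep defaultWriteObject() (stream format stays extensible) but
    // mark the hand-written field transient so the default mechanism skips it.
    static final class Fixed implements Serializable {
        private transient String id;
        Fixed(String id) { this.id = id; }
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeUTF(id);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            id = in.readUTF();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Count occurrences of the id's bytes in the stream; ASCII is byte-identical
    // under both the default TC_STRING encoding and writeUTF, so a search works.
    static int occurrences(byte[] stream, String needle) {
        String s = new String(stream, StandardCharsets.ISO_8859_1);
        int n = 0;
        for (int i = s.indexOf(needle); i >= 0; i = s.indexOf(needle, i + 1)) n++;
        return n;
    }
    public static void main(String[] args) throws Exception {
        String id = "session-id-0123"; // constructed sample value
        System.out.println("unfixed: id written " + occurrences(serialize(new Unfixed(id)), id) + " time(s)");
        System.out.println("fixed:   id written " + occurrences(serialize(new Fixed(id)), id) + " time(s)");
    }
}
```

The same check can be run against a serialized SimpleSession from the checkout in question to confirm which of its fields appear more than once.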