struts-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4873) NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
Date Thu, 14 Dec 2017 08:05:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16290497#comment-16290497 ]

ASF GitHub Bot commented on WW-4873:
------------------------------------

yasserzamani opened a new pull request #192: WW-4873 Makes ActionInvocation not serializable
and InvocationSessionStore$InvocationContext transient
URL: https://github.com/apache/struts/pull/192
 
 
   ⚠️  For simpler review, please review each commit separately.
   
   ❓ Why were the `serialize` and `deserialize` methods of `ActionInvocation` deleted? `ActionInvocation`
is a large, complex object which contains the request, response, container, value stack and action
context. It's hard to keep it serializable, e.g. a user may want to store a private non-serializable
object in an action. And it's not a good practice ([CWE-579: J2EE Bad Practices: Non-serializable
Object Stored in Session](https://cwe.mitre.org/data/definitions/579.html)).
   
   ℹ️ I know I also deleted `that.container = actionContext.getContainer();` (replacing
the restored invocation's container with the current container) with the `ActionInvocation.deserialize`
method. I saw it's not needed, and it's even better for the restored default invocation to work
with its own stored container to keep consistency. Anyway, currently it's really not needed
because only `TokenSessionStoreInterceptor` uses it, and it only passes the invocation to the result,
and the result is not aware of `DefaultActionInvocation` (it only knows `ActionInvocation`):
   
   ```java
   if ((result != null) && (savedInvocation.getProxy().getExecuteResult())) {
       result.execute(savedInvocation);
   }
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
> -----------------------------------------------------------------------------
>
>                 Key: WW-4873
>                 URL: https://issues.apache.org/jira/browse/WW-4873
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.13
>            Reporter: Michael Hum
>            Assignee: Yasser Zamani
>             Fix For: 2.5.15
>
>
> We are attempting to test session replication on our websphere servers but run into the given error when websphere tries to serialize the session.
> {code}
> [10/18/17 10:33:38:094 EDT] 00000335 WASSession    E MTMBuffWrapper getBytes write object exception. e= java.io.NotSerializableException: org.apache.struts2.dispatcher.StrutsRequestWrapper
> {code}
> It appears the ActionInvocation stores the ActionContext which stores the offending property: com.opensymphony.xwork2.dispatcher.HttpServletRequest --> StrutsRequestWrapper
> After a little digging we narrowed it down to our use of the TokenSessionStoreInterceptor which stores the value in the session and uses it to redirect the failed request to the original one. Is this intended/expected? Or is there no requirement that the contents in the session be serializable - in which case we would have to look to our own solution.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
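
The failure reported in this issue (a session attribute that holds a non-serializable object, CWE-579) can be found before replication is enabled by trying to serialize each attribute. The following is an added example, not code from Struts or from the pull request: the class names are hypothetical stand-ins, and a plain map stands in for the session's attributes.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

public class SessionSerializationCheck {
    // Hypothetical stand-in for a request wrapper: deliberately NOT Serializable.
    static class RequestLike { }

    // Holder with a hard reference to it: writing this object fails (the CWE-579 pattern).
    static class SavedInvocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final RequestLike request = new RequestLike();
    }

    // Same holder with the reference marked transient: the field is skipped on
    // write and is null once the object is restored on another node.
    static class TransientInvocation implements Serializable {
        private static final long serialVersionUID = 1L;
        transient RequestLike request = new RequestLike();
    }

    /** Returns attribute name -> class name that blocked serialization. */
    static Map<String, String> findNonSerializable(Map<String, Object> attrs) throws IOException {
        Map<String, String> offenders = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue());
            } catch (NotSerializableException ex) {
                // The exception message is the name of the offending class.
                offenders.put(e.getKey(), ex.getMessage());
            }
        }
        return offenders;
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> session = new LinkedHashMap<>(); // constructed sample attributes
        session.put("userName", "alice");
        session.put("savedInvocation", new SavedInvocation());
        session.put("transientInvocation", new TransientInvocation());
        System.out.println(findNonSerializable(session));
    }
}
```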
