struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <>
Subject [jira] [Commented] (WW-4900) NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
Date Wed, 13 Dec 2017 07:38:00 GMT


Yasser Zamani commented on WW-4900:

Overall, I think we (Struts) should not put any large or unpredictably varying object in the user's
session. For example, for an action, a user may want to have a non-serializable private field
in the action. ActionInvocation is an even larger, worse object.

I researched last night and found a clear solution: using the Java {{transient}} keyword, i.e.
we store these objects in the session but tell Java not to serialize them. I'm preparing a pull request
now, including strict tests :)

Why do I think we should drop such support? It's not good practice to try serializing such objects
([CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session|]),
so for now we simply won't support exec and wait or token session from a de-serialized session,
and maybe add this support some day on user demand.

> NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor
> --------------------------------------------------------------------------------------------------------------------------------
>                 Key: WW-4900
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions:
>            Reporter: Erica Kane
>            Assignee: Yasser Zamani
>             Fix For: 2.5.15
> We are running Struts and working on externalizing Tomcat session state. This
> requires Serializable sessions. However, our Action with the ExecuteAndWait interceptor fails.
> Since our original code was quite complex I wrote a simpler one below which demonstrates the
> exact same behavior.
> The simple action is shown here:
> {noformat}
> package com.sentrylink.web.actions;
> import java.util.concurrent.TimeUnit;
> import org.apache.struts2.convention.annotation.InterceptorRef;
> import org.apache.struts2.convention.annotation.InterceptorRefs;
> import org.apache.struts2.convention.annotation.Result;
> import org.apache.struts2.convention.annotation.Results;
> import com.opensymphony.xwork2.ActionSupport;
> @SuppressWarnings("serial")
> @Results({
>     @Result(name="wait", location="/"),
>     @Result(name=ActionSupport.SUCCESS, location="/WEB-INF/content/messagePage.jsp"),
> })
> @InterceptorRefs({
>     @InterceptorRef("webStack"),
>     @InterceptorRef("execAndWait")
> })
> public class TestExecuteAndWait extends ActionSupport {
>     public String execute() throws Exception {
>         TimeUnit.SECONDS.sleep(10);
>         return SUCCESS;
>     }
> }
> {noformat}
> Running this gives
> {noformat}
> WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait for session
> com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
> {noformat}
> Removing the ExecuteAndWait interceptor fixes the issue.
> According to [~yasser.zamani] in WW-4873: I reviewed {{ExecuteAndWaitInterceptor}} and
> it seems to have this bug when the session is serialized in the middle of a background process.

This message was sent by Atlassian JIRA
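
The {{transient}} approach described in the comment above, as an added example that is not part of the original message and is not Struts code: a session attribute holding a non-serializable field fails to serialize, while the same field marked transient is skipped and comes back null after the session is restored. The class names (TransientSessionDemo, Invocation, PlainProcess, TransientProcess) and the isResumable() check are hypothetical stand-ins.

```java
import java.io.*;

// Hypothetical stand-ins, not Struts classes: Invocation plays the role of a
// non-serializable object graph, the two Process classes the session attribute.
public class TransientSessionDemo {
    static class Invocation { final String name = "test-execute-and-wait"; } // not Serializable

    static class PlainProcess implements Serializable {
        private static final long serialVersionUID = 1L;
        Invocation invocation = new Invocation();           // dragged into serialization
    }

    static class TransientProcess implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Invocation invocation = new Invocation(); // skipped by serialization
        boolean done = false;

        // After a session is restored the transient field is null, so callers must check.
        boolean isResumable() { return invocation != null; }
    }

    // Serialize and deserialize in memory, as a container persisting a session would.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new PlainProcess());
        } catch (NotSerializableException e) {
            System.out.println("plain field: NotSerializableException for " + e.getMessage());
        }
        TransientProcess restored = (TransientProcess) roundTrip(new TransientProcess());
        System.out.println("transient field: serialized, resumable after restore = "
                + restored.isResumable());
    }
}
```

The null field after restore is the cost the comment accepts: the attribute survives session persistence, but a wait in progress cannot be resumed from a de-serialized session.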
