RedisTokenStore will break when upgrading spring-security-core

[efenderbosch]

We just encountered this when upgrading to Spring Boot 1.3.0.
Spring Boot 1.2.4 uses security core 3.2.7 but Spring Boot 1.3.0 has upgraded to 4.0.3.

Caused by: java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority; local class incompatible: stream classdesc serialVersionUID = 320, local class serialVersionUID = 400

This happens because the default serialization strategy is JdkSerializationStrategy and SimpleGrantedAuthority gets its serialVersionUID from SpringSecurityCoreVersion.SERIAL_VERSION_UID. I'm sure other objects in the tree have also had their serialVersionUID changed from 320 to 400 as well.

I'm not sure what to do about this. I guess just a warning to users when they upgrade? We are likely going to have to flush all our token related Redis keys when we deploy our services based on Spring Boot 1.3.0.

We are also considering implementing a Kyro based serialization strategy to avoid this problem in the future.

[ricardoMogg]

did you find any solution for this?

[efenderbosch]

I think a key prefix was added recently. The prefix could be used to keep v3 serialized objects and v4 serialized objects separate. I would effectively expire all tokens, though.

[ricardoMogg]

Cool! You really saved me some hours with this. Thank you!

[sustainablepace]

We have run into the same problem updating from Spring Boot 1.2.8 to 1.3.3.

Our "solution" is to implement a custom JSON serializer that is independent of changes in the SERIAL_VERSION_UID.

However, is anything done to prevent this problem with JdkSerialization in future updates of Spring Security? We can't afford to invalidate thousands of access tokens, but would love to continue working with an uncustomized Spring Boot stack.

Any feedback is welcome, thanks.

[jgrandja]

@dsyer What are your thoughts on this issue? Should the default RedisTokenStoreSerializationStrategy implementation be a JSON serializer instead of a JDK serializer?

[efenderbosch]

I tried writing a JSON serializer, but polymorphism was a problem. I got pretty far in to a Jackson Module to handle it, but it just wasn't quite right.

Something like Kryo would probably work pretty easily, however.

[narup]

I got this exception when I upgraded my Spring boot 1.3.1 to 1.4 Is this related? I haven't been able to upgrade to 1.4 at the moment since I am not sure how to resolve it.

[dsyer]

Probably. You don't really have a choice but to deal with it. Either delete all the tokens and let users generate new ones. Or converts them from the old to the new format in batch.

[narup]

Interesting. Thanks @dsyer