Saml2AuthenticationRequests not serializable cause exception when using jdbc session

[bitrecycling]

Summary

Error in serialization of non serializable SAML Requests prevents authentication if session is stored in database.

If spring-session-jdbc (= session is stored in database) is configured / enabled, an exception is thrown during issuing a SAML AuthN request. As per documentation,
spring security saml2 stores the Saml2AuthenticationRequest (either Saml2PostAuthenticationRequest or Saml2RedirectAuthenticationRequest) in the session before
actually sending them to the ipd (asserting party).

Now spring-session jdbc uses object serialization to store the session-data in the db. The Saml2AuthenticationRequests are not serializable and hence an exception
is thrown, preventing successful authentication.

Actual Behavior

Exception is thrown at org.springframework.core.serializer.DefaultSerializer.serialize

Expected Behavior

There should be no issue with saml2 when using jdbc session.

Supposed Solutions:

• make Saml2PostAuthenticationRequest and Saml2RedirectAuthenticationRequest serializable to allow default components to work
• alternatively open to subclassing and/or provide usable public constructor or factory method. This could then be used in a custom
  Saml2AuthenticationRequestRepository

Configuration

spring boot with spring-session-jdbc spring-security-saml2

Version

spring boot 2.6.0 coming with spring-security-saml2-service-provider-5.6.0 and spring-session-jdbc-2.6.0

[matejschwartz]

Same error using spring-session-data-redis:2.6.0, spring-boot:2.6.1, spring-security-saml2-service-provider:5.6.0

org.springframework.data.redis.serializer.SerializationException: Cannot serialize; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.lang.IllegalArgumentException: DefaultSerializer requires a Serializable payload but received an object of type [org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest]

[jzheaux]

We can look into making these Serializable, though we'll likely need to wait until 5.7 since it will change the public API.

In the meantime, I believe you should be able to persist Saml2RedirectAuthenticationRequest's individual fields in the session, reconstructing the request when needed.

[bitrecycling]

Thank you @jzheaux! This is excactly what I did. To deserialize I am using the factory/builder method that uses the "context" and then add the samlrequest String. But it didn't feel exactly right to do that after looking into the code that originally creates the Saml2RedirectAuthenticationRequest. But it works for now.

Is there already a timeline for 5.7?

[bameur]

Hello @marcusdacoregio do you have a date for the correction?

Tks,