[
https://issues.apache.org/jira/browse/WW-4900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16288832#comment-16288832
]
Yasser Zamani commented on WW-4900:
-----------------------------------
Overall, I think we (Struts) should not put any large or unpredictably variable
object in the user's session. For example, for an action, the user may want to
have a non-serializable private field in the action. ActionInvocation is an even
larger and worse object.
I researched last night and found a clear solution, using the Java {{transient}}
keyword, i.e. we store in the session but tell Java not to serialize these objects.
I'm preparing a pull request now including strict tests :)
Why do I think we should drop such support? It's not good practice to try to
serialize such objects ([CWE-579: J2EE Bad Practices: Non-serializable Object
Stored in Session|https://cwe.mitre.org/data/definitions/579.html]), so for now we
simply won't support exec-and-wait or token sessions from a deserialized session,
and maybe add this support some day on user demand.
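As an added illustration (not code from the Struts project or from this thread) of the {{transient}} approach the comment proposes: a hypothetical Injector class stands in for the non-serializable object named in the issue, and the two session-scoped holders are serialized the way a container writes out session state.

```java
import java.io.*;

public class TransientSessionDemo {
    // Stand-in for a non-serializable container object such as the
    // ContainerImpl$ConstructorInjector named in the issue (hypothetical class).
    static final class Injector { }

    // Without transient: the whole graph fails to serialize, which is the
    // NotSerializableException the reporter saw when Tomcat wrote the session.
    static final class BrokenState implements Serializable {
        private static final long serialVersionUID = 1L;
        Injector injector = new Injector();
    }

    // With transient: the field is skipped, so the session can be written out.
    static final class TransientState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String actionName;
        transient Injector injector = new Injector();
        TransientState(String actionName) { this.actionName = actionName; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            serialize(new BrokenState());
        } catch (NotSerializableException e) {
            System.out.println("without transient: NotSerializableException " + e.getMessage());
        }
        TransientState restored = (TransientState) deserialize(serialize(new TransientState("test-execute-and-wait")));
        // The transient field is null after deserialization: code reading the restored
        // state must treat it as unavailable, which is why the comment drops exec-and-wait
        // support for deserialized sessions rather than pretending the injector survived.
        System.out.println("with transient: action=" + restored.actionName + ", injector=" + restored.injector);
    }
}
```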
> NotSerializableException:
> com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using
> ExecuteAndWait interceptor
> --------------------------------------------------------------------------------------------------------------------------------
>
> Key: WW-4900
> URL: https://issues.apache.org/jira/browse/WW-4900
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.14.1
> Reporter: Erica Kane
> Assignee: Yasser Zamani
> Fix For: 2.5.15
>
>
> We are running Struts 2.5.14.1 and working on externalizing Tomcat session
> state. This requires Serializable sessions. However, our Action with the
> ExecuteAndWait interceptor fails. Since our original code was quite complex I
> wrote a simpler one below which demonstrates the exact same behavior.
> The simple action is shown here:
> {noformat}
> package com.sentrylink.web.actions;
>
> import java.util.concurrent.TimeUnit;
>
> import org.apache.struts2.convention.annotation.InterceptorRef;
> import org.apache.struts2.convention.annotation.InterceptorRefs;
> import org.apache.struts2.convention.annotation.Result;
> import org.apache.struts2.convention.annotation.Results;
>
> import com.opensymphony.xwork2.ActionSupport;
>
> @SuppressWarnings("serial")
> @Results({
>     @Result(name="wait", location="/"),
>     @Result(name=ActionSupport.SUCCESS,
>             location="/WEB-INF/content/messagePage.jsp"),
> })
> @InterceptorRefs({
>     @InterceptorRef("webStack"),
>     @InterceptorRef("execAndWait")
> })
> public class TestExecuteAndWait extends ActionSupport {
>     public String execute() throws Exception {
>         // Simulate long-running work so the execAndWait interceptor keeps the
>         // background process in the session while the request is pending.
>         TimeUnit.SECONDS.sleep(10);
>         return SUCCESS;
>     }
> }
> {noformat}
> Running this gives
> {noformat}
> WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait
> for session 74CDB9F8D00BBC697030AFC6978E94F6
> java.io.NotSerializableException:
> com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
> {noformat}
> Removing the ExecuteAndWait interceptor fixes the issue.
> According to [~yasser.zamani] in WW-4873: I reviewed
> {{ExecuteAndWaitInterceptor}} and it seems to have this bug when the session
> is being serialized in the middle of a background process.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)