[ https://issues.apache.org/jira/browse/WW-4900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16288832#comment-16288832 ]
Yasser Zamani commented on WW-4900: ----------------------------------- At all, I think we (Struts) should not put any large or variant unpredictable object in user's session. For an example for action, user may want to have a non-serializable private field in action. ActionInvocation is more larger worse object. I researched last night and found a clear solution, using java {{transient}} keyword. i.e. we store in session but say java to not serialize these objects. I'm preparing a pull request now including strict tests :) Why I think to drop such support? It's not a good practice to try serializing such objects ([CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session|https://cwe.mitre.org/data/definitions/579.html]) then simply currently we won't support exec and wait or token session from de-serialized session and maybe add this support some day on user demand. > NotSerializableException: > com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using > ExecuteAndWait interceptor > -------------------------------------------------------------------------------------------------------------------------------- > > Key: WW-4900 > URL: https://issues.apache.org/jira/browse/WW-4900 > Project: Struts 2 > Issue Type: Bug > Affects Versions: 2.5.14.1 > Reporter: Erica Kane > Assignee: Yasser Zamani > Fix For: 2.5.15 > > > We are running Struts 2.5.14.1 and working on externalizing Tomcat session > state. This requires Serializable sessions. However, our Action with the > ExecuteAndWait interceptor fails. Since our original code was quite complex I > wrote a simpler one below which demonstrates the exact same behavior. > The simple action is shown here: > {noformat} > package com.sentrylink.web.actions; > import java.util.concurrent.TimeUnit; > import org.apache.struts2.convention.annotation.InterceptorRef; > import org.apache.struts2.convention.annotation.InterceptorRefs; > import org.apache.struts2.convention.annotation.Result; > import org.apache.struts2.convention.annotation.Results; > import com.opensymphony.xwork2.ActionSupport; > @SuppressWarnings("serial") > @Results({ > @Result(name="wait", location="/"), > @Result(name=ActionSupport.SUCCESS, > location="/WEB-INF/content/messagePage.jsp"), > }) > @InterceptorRefs({ > @InterceptorRef("webStack"), > @InterceptorRef("execAndWait") > }) > public class TestExecuteAndWait extends ActionSupport { > public String execute() throws Exception { > TimeUnit.SECONDS.sleep(10); > return SUCCESS; > } > } > {noformat} > Running this gives > {noformat} > WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait > for session 74CDB9F8D00BBC697030AFC6978E94F6 > java.io.NotSerializableException: > com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector > {noformat} > Removing the ExecuteAndWait interceptor fixes the issue. > According to [~yasser.zamani] in WW-4873 : I reviewed > {{ExecuteAndWaitInterceptor}} and seems has this bug when session goes to > being serialized in middle of an background process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)