[jira] [Commented] (WW-4900) NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using ExecuteAndWait interceptor

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/WW-4900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16288935#comment-16288935
 ] 

ASF GitHub Bot commented on WW-4900:
------------------------------------

yasserzamani opened a new pull request #191: WW-4900 Makes BackgroundProcess 
transient
URL: https://github.com/apache/struts/pull/191
 
 
   Currently we won't support exec and wait from de-serialized session and 
maybe add this support some day on user demand. Why I think to drop such 
support? It's not a good practice to try serializing such large or variant 
unpredictable objects like action and invocation ([CWE-579: J2EE Bad Practices: 
Non-serializable Object Stored in 
Session](https://cwe.mitre.org/data/definitions/579.html)).

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> NotSerializableException: 
> com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using 
> ExecuteAndWait interceptor
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-4900
>                 URL: https://issues.apache.org/jira/browse/WW-4900
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.14.1
>            Reporter: Erica Kane
>            Assignee: Yasser Zamani
>             Fix For: 2.5.15
>
>
> We are running Struts 2.5.14.1 and working on externalizing Tomcat session 
> state. This requires Serializable sessions. However, our Action with the 
> ExecuteAndWait interceptor fails. Since our original code was quite complex I 
> wrote a simpler one below which demonstrates the exact same behavior.
> The simple action is shown here:
> {noformat}
> package com.sentrylink.web.actions;
> import java.util.concurrent.TimeUnit;
> import org.apache.struts2.convention.annotation.InterceptorRef;
> import org.apache.struts2.convention.annotation.InterceptorRefs;
> import org.apache.struts2.convention.annotation.Result;
> import org.apache.struts2.convention.annotation.Results;
> import com.opensymphony.xwork2.ActionSupport;
> @SuppressWarnings("serial")
> @Results({
>     @Result(name="wait", location="/"),
>     @Result(name=ActionSupport.SUCCESS, 
> location="/WEB-INF/content/messagePage.jsp"),
> })
> @InterceptorRefs({
>     @InterceptorRef("webStack"),
>     @InterceptorRef("execAndWait")
> })
> public class TestExecuteAndWait extends ActionSupport {
>     public String execute() throws Exception {
>         TimeUnit.SECONDS.sleep(10);
>         return SUCCESS;
>     }
> }
> {noformat}
> Running this gives
> {noformat}
> WARNING: Cannot serialize session attribute __execWaittest-execute-and-wait 
> for session 74CDB9F8D00BBC697030AFC6978E94F6 
> java.io.NotSerializableException: 
> com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector
> {noformat}
> Removing the ExecuteAndWait interceptor fixes the issue.
> According to [~yasser.zamani] in WW-4873 : I reviewed 
> {{ExecuteAndWaitInterceptor}} and seems has this bug when session goes to 
> being serialized in middle of an background process.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)