[ 
https://issues.apache.org/jira/browse/WW-4873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16290497#comment-16290497
 ] 

ASF GitHub Bot commented on WW-4873:
------------------------------------

yasserzamani opened a new pull request #192: WW-4873 Makes ActionInvocation not 
serializable and InvocationSessionStore$InvocationContext transient
URL: https://github.com/apache/struts/pull/192
 
 
   ⚠️  For simpler review, please review each commit separately.
   
   ❓ Why were the `serialize` and `deserialize` methods of `ActionInvocation` deleted? 
`ActionInvocation` is a large, complex object which contains the request, response, 
container, value stack and action context. It's hard to keep it 
serializable, e.g. a user may want to store a private non-serializable object in 
an action. And it's not a good practice ([CWE-579: J2EE Bad Practices: 
Non-serializable Object Stored in 
Session](https://cwe.mitre.org/data/definitions/579.html)).
   
   ℹ️ I know I also deleted `that.container = actionContext.getContainer();` 
(replacing the restored invocation's container with the current container) along with the 
`ActionInvocation.deserialize` method. I saw it's not needed, and it's even 
better for the restored default invocation to work with its own stored container to 
keep consistency. Anyway, currently it's really not needed because only 
`TokenSessionStoreInterceptor` uses it, and it only passes the invocation to the 
result, and the result is not aware of `DefaultActionInvocation` (it only knows 
`ActionInvocation`):
   
   ```java
   if ((result != null) && (savedInvocation.getProxy().getExecuteResult())) {
       result.execute(savedInvocation);
   }
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> NotSerializableException - org.apache.struts2.dispatcher.StrutsRequestWrapper
> -----------------------------------------------------------------------------
>
>                 Key: WW-4873
>                 URL: https://issues.apache.org/jira/browse/WW-4873
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.13
>            Reporter: Michael Hum
>            Assignee: Yasser Zamani
>             Fix For: 2.5.15
>
>
> We are attempting to test session replication on our WebSphere servers but 
> run into the given error when WebSphere tries to serialize the session. 
> {code}
> [10/18/17 10:33:38:094 EDT] 00000335 WASSession    E MTMBuffWrapper getBytes 
> write object exception. e= java.io.NotSerializableException: 
> org.apache.struts2.dispatcher.StrutsRequestWrapper
> {code}
> It appears the ActionInvocation stores the ActionContext which stores the 
> offending property: com.opensymphony.xwork2.dispatcher.HttpServletRequest --> 
> StrutsRequestWrapper 
> After a little digging we narrowed it down to our use of the 
> TokenSessionStoreInterceptor which stores the value in the session and uses 
> it to redirect the failed request to the original one. Is this 
> intended/expected? Or is there no requirement that the contents in the 
> session be serializable - in which case we would have to look to our own 
> solution.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
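
An added example, not code from the Struts code base or from pull request #192: it reproduces the failure mode in the report (a session attribute that drags a non-serializable object into replication) and shows the effect of marking the reference `transient`, as the pull request title describes. The class names `RequestLike`, `SavedInvocationBefore` and `SavedInvocationAfter` and the sample values are hypothetical.

```java
import java.io.*;
import java.util.HashMap;

public class SessionSerializationDemo {
    // Stand-in for a container-bound object such as a request wrapper: not Serializable.
    static class RequestLike { String uri = "/example.action"; }

    // Before: a Serializable holder with a hard reference to non-serializable state.
    static class SavedInvocationBefore implements Serializable {
        private static final long serialVersionUID = 1L;
        RequestLike request = new RequestLike();
    }

    // After: the reference is transient, so replication skips it and it restores as null.
    static class SavedInvocationAfter implements Serializable {
        private static final long serialVersionUID = 1L;
        transient RequestLike request = new RequestLike();
        String token = "constructed-token"; // constructed sample value
    }

    // Round-trips a session map the way a replicating container would.
    static HashMap<String, Object> replicate(HashMap<String, Object> session)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(session);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            @SuppressWarnings("unchecked")
            HashMap<String, Object> copy = (HashMap<String, Object>) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Object> session = new HashMap<>();
        session.put("saved", new SavedInvocationBefore());
        try {
            replicate(session);
        } catch (NotSerializableException e) {
            System.out.println("before: NotSerializableException for " + e.getMessage());
        }
        session.put("saved", new SavedInvocationAfter());
        SavedInvocationAfter restored = (SavedInvocationAfter) replicate(session).get("saved");
        // The transient field is null on the receiving node; callers must handle that.
        System.out.println("after: token=" + restored.token + ", request=" + restored.request);
    }
}
```

Running a round-trip like `replicate` over real session attributes in a unit test catches CWE-579 regressions before they surface as replication errors on a cluster.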
