Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1291

Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • None
    • None

      Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity.

      https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=8622358&defectInstanceId=2151938&mergedDefectId=1389592

      Please resolve this inconsistent situation.

      By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested.

      hipchat.log
      [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication?
      [3:23 PM] Darran Lofthouse: No it can't be
      [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state
      [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity
      [3:26 PM] David M. Lloyd: among other problems
      [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it
      [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right?
      [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI
      

              Unassigned Unassigned
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: