Infinispan / ISPN-13933

Unmarshall error due to blocked deserialization of java.lang.String$CaseInsensitiveComparator with Spring Session


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 13.0.8.Final
    • Component/s: Spring Integration
    • Labels: None

    Description

      With Infinispan 13.0.8 and Spring Boot 2.6.8, when using remote Spring Session support, I'm getting the following deserialization error:

      org.infinispan.client.hotrod.exceptions.HotRodClientException:: ISPN004034: Unable to unmarshall bytes ACED0005737200266F72672E737072696E676672616D65776F726B2E73657373696F6E2E4D617053657373696F6E636032C76FC001490200064C000C6372656174696F6E54696D657400134C6A6176612F74696D652F496E7374616E743B4C000269647400124C6A6176612F6C616E672F537472696E673B4C00106C617374416363657373656454696D6571007E00014C00136D6178496E616374697665496E74657276616C7400144C6A6176612F74696D652F4475726174696F6E3B4C000A6F726967696E616C496471007E00024C000C73657373696F6E417474727374000F4C6A6176612F7574696C2F4D61703B78707372000D6A6176612E74696D652E536572955D84BA1B2248B20C00007870770D020000000062974B3517D8E65B7874002438613037353564332D636461662D343639312D626437372D6166316136653561616333617371007E0006770D020000000062974B3517D911F7787371007E0006770D010000000000000708000000007871007E0008737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000174001D535052494E475F53454355524954595F53415645445F52455155455354737200416F72672E737072696E676672616D65776F726B2E73656375726974792E7765622E7361766564726571756573742E44656661756C745361766564526571756573741E404844F936649402000E49000A736572766572506F72744C000B636F6E746578745061746871007E00024C0007636F6F6B6965737400154C6A6176612F7574696C2F41727261794C6973743B4C00076865616465727371007E00044C00076C6F63616C657371007E000F4C00066D6574686F6471007E00024C000A706172616D657465727371007E00044C000870617468496E666F71007E00024C000B7175657279537472696E6771007E00024C000A7265717565737455524971007E00024C000A7265717565737455524C71007E00024C0006736368656D6571007E00024C000A7365727665724E616D6571007E00024C000B736572766C65745061746871007E00027870000001BB740000737200136A6176612E7574696C2E41727261794C6973747881D21D99C7619D03000149000473697A6578700000000077040000000078737200116A6176612E7574696C2E547265654D61700CC1F63E2D256AE60300014C000A636F6D70617261746F727400164C6A6176612F7574696C2F436F6D70617261746
F723B78707372002A6A6176612E6C616E672E537472696E672443617365496E73656E736974697665436F6D70617261746F7277035C7D5C50E5CE020000787077040000001574000F6163636570742D656E636F64696E677371007E00120000000177040000000174000C677A69702C6465666C6174657874000E636F6E74656E742D6C656E6774687371007E001200000001770400000001740004313031317874000C636F6E74656E742D747970657371007E0012000000017704000000017400746170706C69636174696F6E2F736F61702B786D6C3B636861727365743D5554462D383B616374696F6E3D22687474703A2F2F7777772E6574657272612E636F6D2F7075626C69632F73657276696365732F646174612F4461746150726F76696465722F476574436F6E66696775726174696F6E2278740004686F73747371007E00120000000177040000000174003877616D732D6574762D7765622D736572766963652D736572766963652E77616D732E7376632E636C75737465722E6C6F63616C3A383038307874000D756265722D74726163652D69647371007E001200000001770400000001740034373937353932356635386634363631373A333464623533656431613363383864613A373937353932356635386634363631373A317874000A757365722D6167656E747371007E0012000000017704000000017400224170616368652D48747470436C69656E742F342E312E3120286A61766120312E352978740011782D62332D706172656E747370616E69647371007E001200000001770400000001740010313233363164386635656264656662637874000C782D62332D73616D706C65647371007E001200000001770400000001740001307874000B782D62332D7370616E69647371007E001200000001770400000001740010646263623563666264626264396461637874000C782D62332D747261636569647371007E001200000001770400000001740020366164393632613435306663343637393431613330373035653731643537393278740015782D656E766F792D617474656D70742D636F756E747371007E0012000000017704000000017400013178740010782D656E766F792D696E7465726E616C7371007E0012000000017704000000017400047472756578740017782D666F727761726465642D636C69656E742D636572747371007E0012000000017704000000017400C442793D7370696666653A2F2F636C75737465722E6C6F63616C2F6E732F77616D732F73612F77616D732D6574762D7765622D736572766963653B486173683D3939313838363332373930343536353534383966396665306332633963626438373838643663333437326465393
36636363265333563656331353737303636663B5375626A6563743D22223B5552493D7370696666653A2F2F636C75737465722E6C6F63616C2F6E732F70662F73612F7377732D6F70656E72657374792D6163636F756E7478740010782D666F727761726465642D686F73747371007E00120000000177040000000174000777616D7361707078740010782D666F727761726465642D706F72747371007E00120000000177040000000174000334343378740011782D666F727761726465642D70726F746F7371007E001200000001770400000001740005687474707378740012782D666F727761726465642D736368656D657371007E00120000000177040000000174000568747470737874000E782D6F726967696E616C2D7572697371007E0012000000017704000000017400202F6574657272612D77732F6574762F736F61702F4461746150726F766964657278740009782D7265616C2D69707371007E00120000000177040000000174000C31302E362E3138332E3131337874000C782D726571756573742D69647371007E00120000000177040000000174002435636537623231652D376335372D346133342D383038632D61343234336562303038383578740008782D736368656D657371007E001200000001770400000001740005687474707378787371007E001200000001770400000001737200106A6176612E7574696C2E4C6F63616C657EF811609C30F9EC03000649000868617368636F64654C0007636F756E74727971007E00024C000A657874656E73696F6E7371007E00024C00086C616E677561676571007E00024C000673637269707471007E00024C000776617269616E7471007E00027870FFFFFFFF740002555371007E0011740002656E71007E001171007E00117878740004504F53547371007E0014707704000000007874000D2F4461746150726F76696465727074001C2F6574657272612D77732F736F61702F4461746150726F766964657274002B68747470733A2F2F77616D736170702F6574657272612D77732F736F61702F4461746150726F7669646572740005687474707371007E004274000F2F6574657272612D77732F736F617078
          at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:73)
          at org.infinispan.client.hotrod.DataFormat.valueToObj(DataFormat.java:155)
          at org.infinispan.spring.remote.session.RemoteApplicationPublishedBridge.readEvent(RemoteApplicationPublishedBridge.java:77)
          at org.infinispan.spring.remote.session.RemoteApplicationPublishedBridge.processCacheEntryCreated(RemoteApplicationPublishedBridge.java:52)
          ... 41 more
      Caused by: org.infinispan.commons.CacheException: ISPN000936: Class 'java.lang.String$CaseInsensitiveComparator' blocked by deserialization allow list. Adjust the configuration serialization allow list regular expression to include this class.
          at org.infinispan.commons.marshall.CheckedInputStream.resolveClass(CheckedInputStream.java:26)
          at java.base/java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
          at java.base/java.io.ObjectInputStream.readClassDesc(Unknown Source)
          at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
          at java.base/java.io.ObjectInputStream$FieldValues.<init>(Unknown Source)
          at java.base/java.io.ObjectInputStream.defaultReadObject(Unknown Source)
          at java.base/java.util.TreeMap.readObject(Unknown Source)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.base/java.lang.reflect.Method.invoke(Unknown Source)
          at java.base/java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
          at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
          at java.base/java.io.ObjectInputStream$FieldValues.<init>(Unknown Source)
          at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
          at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
          at java.base/java.util.HashMap.readObject(Unknown Source)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.base/java.lang.reflect.Method.invoke(Unknown Source)
          at java.base/java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
          at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
          at java.base/java.io.ObjectInputStream$FieldValues.<init>(Unknown Source)
          at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
          at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
          at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
          at org.infinispan.commons.marshall.JavaSerializationMarshaller.objectFromByteBuffer(JavaSerializationMarshaller.java:53)
          at org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82)
          at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:57)
          ... 44 more

      Confirmed that by adding java.lang.String$CaseInsensitiveComparator to the default serialization list I can unmarshall those hex bytes.

      On further analysis it looks like this comparator is part of https://github.com/spring-projects/spring-security/blob/a3e996a66bd5b9f12b52d83d9babc6bd5bb8b22f/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java#L77 which can be an attribute of a session.

      Should it be one of the types allowed by default when using Spring support?

      I also noticed that the line causing the error https://github.com/infinispan/infinispan/blob/760bd9772686de5b7a3d04d18eb680307a0f2d59/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java#L57 doesn't use the allowList instance that is passed to the method, which means I can only work around this via the system property? And not a Spring Boot application property?
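
      The following is an added illustration of the check behind ISPN000936; it is not Infinispan or Spring code and is not part of the report. It uses only the JDK: an ObjectInputStream whose resolveClass consults a regex allow list, in the spirit of Infinispan's CheckedInputStream, fed a TreeMap ordered by String.CASE_INSENSITIVE_ORDER, which is the shape of the headers map in DefaultSavedRequest that the stack trace above is reading. The class and method names in the block and the sample map contents are constructed for the example. It shows why allowing java.util.TreeMap alone is not enough (the comparator is a separate class in the stream), that the nested class must be written as java\.lang\.String\$CaseInsensitiveComparator in a regex entry, and why ".*" is the wrong fix even though it makes the error go away. Infinispan's own list is configured outside this example; in 13.0 ClassAllowList reads the system properties infinispan.deserialization.allowlist.classes (exact names, no escaping) and infinispan.deserialization.allowlist.regexps, which I quote from memory, so check them against the release documentation before relying on them.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/**
 * Added example, not Infinispan code: an ObjectInputStream that refuses to resolve
 * any class whose name is not matched by an allow list, the way CheckedInputStream does.
 */
public class AllowListDeserialization {

    /** Stands in for ISPN000936: thrown when a class in the stream is not on the allow list. */
    static final class BlockedClassException extends InvalidClassException {
        BlockedClassException(String cls) {
            super(cls, "blocked by deserialization allow list");
        }
    }

    /** resolveClass runs before any bytecode of the class is loaded or any readObject executes. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<Pattern> allowed;

        AllowListObjectInputStream(InputStream in, List<String> regexps) throws IOException {
            super(in);
            this.allowed = regexps.stream().map(Pattern::compile).collect(Collectors.toList());
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Match the full class name against every allowed regex; reject on no match.
            boolean ok = allowed.stream().anyMatch(p -> p.matcher(name).matches());
            if (!ok) {
                throw new BlockedClassException(name);
            }
            return super.resolveClass(desc);
        }
    }

    /** Constructed payload shaped like the report's headers map: TreeMap + String.CASE_INSENSITIVE_ORDER. */
    static byte[] serializeCaseInsensitiveTreeMap() throws IOException {
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("Content-Type", "application/soap+xml"); // sample data, not from the report
        headers.put("Host", "example.internal:8080");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(headers); // writes the TreeMap class desc, then its comparator field
        }
        return bos.toByteArray();
    }

    /** Deserializes under the given allow list; throws BlockedClassException on the first disallowed class. */
    @SuppressWarnings("unchecked")
    static Map<String, String> deserialize(byte[] bytes, List<String> allowList)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowList)) {
            return (Map<String, String>) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serializeCaseInsensitiveTreeMap();

        // 1. TreeMap alone is not enough: the comparator is a separate class in the stream.
        try {
            deserialize(payload, List.of("java\\.util\\.TreeMap"));
        } catch (BlockedClassException e) {
            System.out.println("blocked: " + e.classname); // java.lang.String$CaseInsensitiveComparator
        }

        // 2. The precise fix: allow exactly that nested class ('$' escaped, since this is a regex entry).
        List<String> exact = List.of("java\\.util\\.TreeMap", "java\\.lang\\.String\\$CaseInsensitiveComparator");
        Map<String, String> map = deserialize(payload, exact);
        System.out.println("allowed, case-insensitive lookup works: " + map.get("content-type"));

        // 3. The wrong fix: ".*" also succeeds, but it re-admits every gadget class on the classpath.
        deserialize(payload, List.of(".*"));
        System.out.println("'.*' also succeeds, which is exactly the problem");
    }
}
```

      Compile and run with javac AllowListDeserialization.java && java AllowListDeserialization. The takeaway for the report's workaround is that the allow-list entry should name java.lang.String$CaseInsensitiveComparator itself (and whatever else the session attribute actually needs, such as the DefaultSavedRequest class and the JDK collections it holds), not a wildcard that covers it.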

    People

      Assignee: Katia Aresti (karestig@redhat.com)
      Reporter: Mark Anderson (manderson23, Inactive)