JBoss Web Server / JWS-731

[ASF BZ 61150] One of the session attributes on the [host-]manager application is disallowed by the Security Manager


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Component: tomcat

      To reproduce:

      1) Configure a Tomcat user for testing (conf/tomcat-users.xml):

      <user username="tomcat" password="tomcat" roles="admin-gui,manager-gui"/>
      

      2) Start Tomcat

      bin/catalina.sh start
      

      3) Create a session

      $ curl -is http://tomcat:tomcat@localhost:8080/manager/html | egrep '(HTTP|JSESSIONID)'
      HTTP/1.1 200 OK
      Set-Cookie: JSESSIONID=DAF81E606AED325CB2E5C2773DB866CE; Path=/manager; HttpOnly
      

      4) Stop Tomcat so that the sessions are serialized

      bin/catalina.sh stop
      

      5) Start Tomcat with the Security Manager to deserialize the sessions

      bin/catalina.sh start -security
      

      6) Check the log for the exception after startup:

      02-Jun-2017 14:16:46.114 SEVERE [localhost-startStop-1] org.apache.catalina.session.StandardManager.startInternal Exception loading sessions from persistent storage
       java.io.InvalidClassException: The class [org.apache.catalina.filters.CsrfPreventionFilter$LruCache] did not match the regular expression [java\.lang\.(?:Boolean|Integer|Long|Number|String)] for classes allowed to be deserialized
          at org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:146)
          at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612)
          at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1517)
          at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
          at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350)
          at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
          at org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1624)
          at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1090)
          at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:218)
          at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:74)
          at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:65)
          at java.security.AccessController.doPrivileged(Native Method)
          at org.apache.catalina.session.StandardManager.load(StandardManager.java:149)
          at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:356)
          at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
          at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5331)
          at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
          at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
          at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
          at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
          at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
          at java.security.AccessController.doPrivileged(Native Method)
          at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
          at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
          at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
          at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
          at java.util.concurrent.FutureTask.run(FutureTask.java:262)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:745)
      

    Description

      One of the session attributes (org.apache.catalina.filters.CsrfPreventionFilter$LruCache) on the [host-]manager application is disallowed by the Security Manager.
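      Added example (not part of this issue or of Tomcat's own code): a Python script that scans Tomcat log lines for the InvalidClassException above, checks the rejected class against the allowlist regex quoted in the message the same way Tomcat does (whole-name match), and shows how such a pattern would have to be extended, with the inner-class `$` escaped, to admit that attribute. The log lines are constructed to mirror the message format; the extended pattern is built for illustration and is not the fix that was applied.

```python
import re

# Constructed sample log excerpt (not real output); the message format mirrors
# the InvalidClassException reported in this issue.
SAMPLE_LOG = r"""
02-Jun-2017 14:16:46.114 SEVERE [localhost-startStop-1] org.apache.catalina.session.StandardManager.startInternal Exception loading sessions from persistent storage
 java.io.InvalidClassException: The class [org.apache.catalina.filters.CsrfPreventionFilter$LruCache] did not match the regular expression [java\.lang\.(?:Boolean|Integer|Long|Number|String)] for classes allowed to be deserialized
    at org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:146)
02-Jun-2017 14:16:47.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
"""

# One-line message emitted when a session attribute's class is not on the
# deserialization allowlist; captures the class name and the regex in force.
REJECT_RE = re.compile(
    r"InvalidClassException: The class \[(?P<cls>[^\]]+)\] did not match "
    r"the regular expression \[(?P<pattern>.*?)\] for classes allowed to be deserialized"
)


def find_rejections(log_text):
    """Return (class_name, allowlist_regex) for every rejection found in the log."""
    return [(m.group("cls"), m.group("pattern")) for m in REJECT_RE.finditer(log_text)]


def is_allowed(class_name, allowlist_regex):
    """Tomcat requires the whole class name to match the pattern (Java's
    Matcher.matches()); re.fullmatch is the Python equivalent for this syntax."""
    return re.fullmatch(allowlist_regex, class_name) is not None


def extend_allowlist(allowlist_regex, class_name):
    """Return a pattern that also admits class_name. re.escape turns '.' into
    '\\.' and '$' into '\\$' so the inner-class name is matched literally; an
    unescaped '$' would be an end-of-input anchor and never match.
    Illustrative only: extending an allowlist is a configuration decision."""
    return allowlist_regex + "|" + re.escape(class_name)


if __name__ == "__main__":
    for cls, pattern in find_rejections(SAMPLE_LOG):
        wider = extend_allowlist(pattern, cls)
        print(f"rejected class: {cls}")
        print(f"  allowed by current pattern:  {is_allowed(cls, pattern)}")
        print(f"  allowed by extended pattern: {is_allowed(cls, wider)}")
        print(f"  extended pattern: {wider}")
```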

            People

              rhn-support-csutherl Coty Sutherland