Do objects in session always need to be serializable?

[Mukarram Baig <mu...@gmail.com>]

 Hello Guys,

I might be asking something that is very fundamental, but please bear with
me here. We are using tomcat in a non-clustered environment. We put certain
domain objects in the session and we have a heartbeat going which ensures
that the sessions are valid in the lifetime of the screen. The domain
objects are not serializable. We have randomly seen NullPointerExceptions
thrown when accessing properties of these domain objects via the session. I
had read about Tomcat deciding to serialize sessions when it thinks that the
available memory is getting tight on some forum (
http://www.coderanch.com/t/86379/Tomcat/Problems-disabling-Session-Persistence-Manager)
but couldn't see the same in the servlet spec or documentation on tomcat's
site. Wanted to verify if this is indeed the case? If yes, under what
(approximate) conditions does tomcat decide to serialize sessions to disk
and back? Overall, is the recommended approach to always make objects in the
session serializable? Also, wouldn't it be great if a better exception like
NotSerializableException be thrown rather than the user stumbling over null
values and NPE's being thrown?

Thanks in advance!

P.S.: We are using tomcat 6.0.16 on Solaris in 64 bit JVM mode with Xms
1024m and Xmx 4096m.

Re: Do objects in session always need to be serializable?

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mukarram,

On 4/20/2011 1:41 AM, Mukarram Baig wrote:
> We are using tomcat in a non-clustered environment. We put certain
> domain objects in the session [...]. The domain
> objects are not serializable.

No problem: there is no requirement that session objects be serializable
unless your webapp is marked <distributable /> in web.xml. I suspect
that Tomcat might complain if you put an object into a distributable
webapp's session that does not implement Serializable.

> We have randomly seen NullPointerExceptions
> thrown when accessing properties of these domain objects via the session.

You need perform null-checking when accessing session objects. :)

> I
> had read about Tomcat deciding to serialize sessions when it thinks that the
> available memory is getting tight on some forum (
> http://www.coderanch.com/t/86379/Tomcat/Problems-disabling-Session-Persistence-Manager)

This has to do with Tomcat restarting a webapp, not due to low-memory
conditions.

> but couldn't see the same in the servlet spec or documentation on tomcat's
> site.

http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html

You have to read between the lines a bit, here: the default Manager
implementation persists sessions across webapp restarts using a file
that defaults to "SESSIONS.ser" and standard Java serialization. Any
session objects that are not Serializable will cause the session to fail
to write to that file, and may possible corrupt the file causing all
sessions to be lost.

> If yes, under what
> (approximate) conditions does tomcat decide to serialize sessions to disk
> and back?

During a webapp restart, unless you have configured another Manager
implementation. I suspect not, since you haven't mentioned anything like
that.

> Overall, is the recommended approach to always make objects in the
> session serializable?

I wouldn't worry about it unless you

a) intend to do distributable in the future
or
b) want to persist sessions across webapp restarts

> Also, wouldn't it be great if a better exception like
> NotSerializableException be thrown rather than the user stumbling over null
> values and NPE's being thrown?

You are probably getting both: NSE on the way out and NPE after your
webapp starts up again and tries to read an empty session. Check your
log files, especially catalina.out.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2u8KYACgkQ9CaO5/Lv0PDv6gCeLvwu4JFykrcsBEDrnaPQ6jc/
nyEAniP9O3B01I6AIVa9Y/tgDjNw9duN
=I+u6
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Do objects in session always need to be serializable?

[Thomas Strauß <t....@srs-management.de>]

Am 20.04.2011 um 07:41 schrieb Mukarram Baig:

> Hello Guys,

Hello,


I will not comment on the low memory feature, as I don't know it, but if you do not enable serialization on your session objects and shutdown or reload an app, the sessions will get persisted and you get an exception telling you that the session contains "non-serializable" objects. The session persistence is clearly written in the Tomcat log, does not happen behind the scenes.
I would suggest that this would also happen for the low-mem situation or should prevent Tomcat to unload your session at all.

Having said that, without further details, I can only give a hint as we have seen similar stuff, where we could not explain application behavior until we realized that the users are opening different screens in the same browser. Our application and especially session data handling was not prepared to cope with such a (natural, agreed) situation as different screens where using the same session objects. 

Maybe this could explain your NPEs?

Best regards,

Thomas


> I might be asking something that is very fundamental, but please bear with
> me here. We are using tomcat in a non-clustered environment. We put certain
> domain objects in the session and we have a heartbeat going which ensures
> that the sessions are valid in the lifetime of the screen. The domain
> objects are not serializable. We have randomly seen NullPointerExceptions
> thrown when accessing properties of these domain objects via the session. I
> had read about Tomcat deciding to serialize sessions when it thinks that the
> available memory is getting tight on some forum (
> http://www.coderanch.com/t/86379/Tomcat/Problems-disabling-Session-Persistence-Manager)
> but couldn't see the same in the servlet spec or documentation on tomcat's
> site. Wanted to verify if this is indeed the case? If yes, under what
> (approximate) conditions does tomcat decide to serialize sessions to disk
> and back? Overall, is the recommended approach to always make objects in the
> session serializable? Also, wouldn't it be great if a better exception like
> NotSerializableException be thrown rather than the user stumbling over null
> values and NPE's being thrown?
> 
> Thanks in advance!
> 
> P.S.: We are using tomcat 6.0.16 on Solaris in 64 bit JVM mode with Xms
> 1024m and Xmx 4096m.
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>