You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Les Hazlewood (Updated) (JIRA)" <ji...@apache.org> on 2011/09/28 00:08:45 UTC
[jira] [Updated] (SHIRO-325) SimpleSession serializes fields twice
[ https://issues.apache.org/jira/browse/SHIRO-325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood updated SHIRO-325:
--------------------------------
Description:
org.apache.shiro.session.mgt.SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.
The internal fields should be marked as transient to prevent this. out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained. The solution is to mark all custom-serialized fields as transient.
was:
SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.
The internal fields should be marked as transient to prevent this. out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained. The solution is to mark all custom-serialized fields as transient.
Summary: SimpleSession serializes fields twice (was: org.apache.shiro.session.mgt.SimpleSession serializes fields twice)
> SimpleSession serializes fields twice
> -------------------------------------
>
> Key: SHIRO-325
> URL: https://issues.apache.org/jira/browse/SHIRO-325
> Project: Shiro
> Issue Type: Bug
> Components: Session Management
> Affects Versions: 1.0.0, 1.1.0
> Reporter: Les Hazlewood
> Assignee: Les Hazlewood
> Fix For: 1.2.0
>
>
> org.apache.shiro.session.mgt.SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.
> The internal fields should be marked as transient to prevent this. out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained. The solution is to mark all custom-serialized fields as transient.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira