You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Les Hazlewood (Updated) (JIRA)" <ji...@apache.org> on 2011/09/28 00:08:45 UTC

[jira] [Updated] (SHIRO-325) SimpleSession serializes fields twice

     [ https://issues.apache.org/jira/browse/SHIRO-325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated SHIRO-325:
--------------------------------

    Description: 
org.apache.shiro.session.mgt.SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.

The internal fields should be marked as transient to prevent this.  out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained.  The solution is to mark all custom-serialized fields as transient.

  was:
SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.

The internal fields should be marked as transient to prevent this.  out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained.  The solution is to mark all custom-serialized fields as transient.

        Summary: SimpleSession serializes fields twice  (was: org.apache.shiro.session.mgt.SimpleSession serializes fields twice)
    
> SimpleSession serializes fields twice
> -------------------------------------
>
>                 Key: SHIRO-325
>                 URL: https://issues.apache.org/jira/browse/SHIRO-325
>             Project: Shiro
>          Issue Type: Bug
>          Components: Session Management
>    Affects Versions: 1.0.0, 1.1.0
>            Reporter: Les Hazlewood
>            Assignee: Les Hazlewood
>             Fix For: 1.2.0
>
>
> org.apache.shiro.session.mgt.SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.
> The internal fields should be marked as transient to prevent this.  out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained.  The solution is to mark all custom-serialized fields as transient.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira