
Here is the context:

I have a Spring Boot application which uses spring-security to implement an OAuth2 system. It is linked to a MySQL database. I made a mysqldump export of my database on my old environment (Ubuntu 14.04, MySQL 5.5, OpenJDK 6) to import it in my new environment (Ubuntu 18.10, MySQL 5.7, OpenJDK 11).

My issue:

The migration has been done with a single issue:

Spring-Security stores the tokens as Blob objects in the database. The Blob is actually the serialized UserDetails object. Note that the Spring Boot application is exactly the same .war file on both environments, so the serialVersionUID defined in my Serializable class is the same.

On my new environment, the tokens stored in oauth_access_token and oauth_refresh_token are now unusable. Each time I try to log in with an old user (i.e. from the old env with an existing access_token), the following exception is thrown:

    java.lang.IllegalArgumentException: java.io.InvalidClassException: org.hibernate.collection.internal.AbstractPersistentCollection; local class incompatible: stream classdesc serialVersionUID = -8914173462748164853, local class serialVersionUID = 7094296207968006972
    at org.springframework.security.oauth2.common.util.SerializationUtils.deserialize(SerializationUtils.java:40) ~[spring-security-oauth2-2.0.8.RELEASE.jar!/:na]
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.deserializeAuthentication(JdbcTokenStore.java:405) ~[spring-security-oauth2-2.0.8.RELEASE.jar!/:na]
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:198) ~[spring-security-oauth2-2.0.8.RELEASE.jar!/:na]
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore$3.mapRow(JdbcTokenStore.java:196) ~[spring-security-oauth2-2.0.8.RELEASE.jar!/:na]
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:697) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:633) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:684) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:716) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:726) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:800) ~[spring-jdbc-4.3.2.RELEASE.jar!/:4.3.2.RELEASE]
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.readAuthentication(JdbcTokenStore.java:195) ~[spring-security-oauth2-2.0.8.RELEASE.jar!/:na]
    at org.springframework.security.oauth2.provider.token.store.JdbcTokenStore.getAccessToken(JdbcTokenStore.java:129) ~[spring-security-oauth2-2.0.8.RELEASE.jar!/:na]

I understand that the serialized Authentication object stored in my database cannot be deserialized into a Java Authentication object because of a different serialVersionUID.

My questions are:

- Do you think upgrading from Java 6 to Java 11 can lead to a different serialVersionUID?

- Do you identify other avenues to identify the cause of this?

CizooDev
Comment: The result is the same if I downgrade from OpenJDK 11 to OpenJDK 8. OpenJDK 6 is no longer available in apt. – CizooDev Mar 07 '19 at 14:56
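As an added diagnostic for the second question (this is not code from the question or from Spring Security / Hibernate), the script below pulls every class name and stream serialVersionUID out of a JdbcTokenStore blob so they can be compared with the serialVersionUIDs of the classes on the new classpath, which the JDK `serialver` tool prints. It scans for the TC_CLASSDESC layout rather than implementing the full Java serialization grammar; the sample blob, the `com.example.AppUser` class and its UID are constructed, and only the two serialVersionUID values for AbstractPersistentCollection come from the exception in the question.

```python
import re
import struct

MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
NAME_RE = re.compile(rb"[A-Za-z_$][A-Za-z0-9_$.]*")

def scan_class_descriptors(blob: bytes):
    """Return [(class_name, stream_serialVersionUID)] for each TC_CLASSDESC.
    Scans for the descriptor layout (0x72, u16 name length, name bytes, i64 UID)
    instead of parsing the full stream grammar; enough to see which class and
    which UID a stored token carries."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a Java serialization stream (bad magic)")
    found, i = [], len(MAGIC)
    while i + 12 <= len(blob):  # shortest descriptor: 1 + 2 + 1 + 8 bytes
        if blob[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", blob, i + 1)
            name = blob[i + 3:i + 3 + n]
            if 0 < n < 256 and NAME_RE.fullmatch(name) and i + 11 + n <= len(blob):
                (suid,) = struct.unpack_from(">q", blob, i + 3 + n)
                found.append((name.decode("ascii"), suid))
                i += 11 + n
                continue
        i += 1
    return found

def find_mismatches(blob: bytes, local_suids: dict):
    """local_suids maps class name -> UID on the new classpath (as printed by the
    JDK `serialver` tool); return (class, stream UID, local UID) where they differ."""
    return [(name, uid, local_suids[name]) for name, uid in scan_class_descriptors(blob)
            if name in local_suids and local_suids[name] != uid]

def _class_desc(name: str, suid: int) -> bytes:
    """Constructed minimal classDesc: name, UID, SC_SERIALIZABLE, 0 fields,
    end of class annotation, no superclass."""
    enc = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc
            + struct.pack(">q", suid) + b"\x02\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))

# Constructed stand-in for an oauth_access_token blob: a hypothetical app class with a
# declared UID, then the Hibernate class from the stack trace with the stream UID.
HIBERNATE_COLL = "org.hibernate.collection.internal.AbstractPersistentCollection"
APP_USER = "com.example.AppUser"
SAMPLE_BLOB = (MAGIC + bytes([TC_OBJECT]) + _class_desc(APP_USER, 1)
               + bytes([TC_OBJECT]) + _class_desc(HIBERNATE_COLL, -8914173462748164853))
# The declared UID is unchanged; the Hibernate value is the "local class
# serialVersionUID" reported by the exception in the question.
LOCAL_SUIDS = {APP_USER: 1, HIBERNATE_COLL: 7094296207968006972}
```

To use it on real data, pass the bytes of the blob column of oauth_access_token in place of SAMPLE_BLOB and build the local table from `serialver` run against the new environment's classpath. A declared serialVersionUID is a constant in the class file and a computed one is derived from the class's structure, so identical class files yield the same value on OpenJDK 6, 8 or 11; a mismatch on a Hibernate class therefore points at the Hibernate build that wrote the blob rather than at the JVM upgrade.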
