I deployed my Vaadin application on Tomcat and it is from time to time throwing the following exception:

```
28-Mar-2023 21:33:32.448 WARNING [http-nio-8080-exec-48] org.apache.catalina.session.StandardSession.doWriteObject Cannot serialize session attribute [com.vaadin.flow.server.VaadinSession.springServlet] for session [E0E11430F24C7B870DF2E047CD4D76BC]
java.io.NotSerializableException: org.garik.encyclopedia.util.ApiBookUtils
    at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1192)
    ...
```

It happens for various classes:

```
28-Mar-2023 19:00:46.492 WARNING [http-nio-8080-exec-32] org.apache.catalina.session.StandardSession.doWriteObject Cannot serialize session attribute [com.vaadin.flow.server.VaadinSession.springServlet] for session [F0F93879699D54297B7657D9CEC0974D]
java.io.NotSerializableException: org.garik.encyclopedia.model.Tag
```

and after that Tomcat undeploys my application. I can't figure it out. When I was debugging my application as a JAR file it never happened. Can someone please tell me what I can do to avoid it?

Gary Greenberg

1 Answer

Tomcat uses Java serialization for both clustering and session-storage during restarts, depending upon your configuration.

If there are objects in the session which cannot be serialized (or deserialized, because the process isn't always 100% symmetric), then you will get errors such as these.

Are you manually adding either of those two classes (`ApiBookUtils` and `Tag`) to the session? Generally speaking, anything put into an `HttpSession` should be `Serializable`.

If you are not using Tomcat's clustering, then serialization should not occur at all for that purpose.

If you are using Tomcat's `StandardManager` (the default session manager), then the default configuration is to store sessions in a file during restarts. If you do not want that capability, then you can simply disable it by setting `pathname=""` in your `<Manager>` configuration (an application-specific `context.xml` file).

If you do want to use session-persistence across restarts, you have a few options:

  1. Use `sessionAttributeNameFilter` on your `<Manager>` to specify all those attribute names which you do want to be serialized. Simply leave out those that cause errors.
  2. Use `sessionAttributeValueClassNameFilter` to limit the types of classes that will be serialized. Simply leave out those that cause errors.
  3. Modify the classes being used to implement `java.io.Serializable`.
  4. Stop putting those objects into the session.

Christopher Schultz
  • 1. I do not use Tomcat clustering. 2. I do not put either one into HttpSession explicitly. Actually, the ApiBookUtils class contains a set of functions that, using Spring RestTemplate, call REST APIs to perform some CRUD operations over instances of the Book class. Tag is a domain class that is associated with the Book. I.e. a Book object can have a set of tags. The Book object is sent/received as JSON with API calls. – Gary Greenberg Apr 01 '23 at 18:49
  • @GaryGreenberg It sounds like the library you are using is somewhat hostile to environments where serialization may occur. Strange that it automatically registers itself with the `HttpSession` but then violates a very popular requirement that the class be properly serializable. I would contact the maintainers of the ApiBookUtils class to see what is happening, and maybe to get proper `Serializable` support added to it. – Christopher Schultz Apr 03 '23 at 17:24
  • I am the author and maintainer of both classes (and a couple dozen others). Are you suggesting to add "implements Serializable" to them? – Gary Greenberg Apr 03 '23 at 19:03
  • @GaryGreenberg Yes, you should not only add `implements Serializable` to the classes, you should also ensure that the classes follow all the other rules for Serializable classes. Read up on how to write a Serializable class. It's not always "just implement Serializable". – Christopher Schultz Apr 04 '23 at 18:59
  • I know how to write a serializable class. What I do not understand is why they should be serializable in the first place. I do not add them to the HttpSession. As I said before, the ApiBookUtils class is a set of functions to call REST API. The Tag class is being serialized into JSON by the Jackson ObjectMapper along with other domain classes and added to the request body or extracted from the response body as Strings. – Gary Greenberg Apr 04 '23 at 23:29
  • Oh, okay. Well, that's unexpected, then, right? You'll have to figure out why the Tag class is being linked to the Servlet (which is ultimately being serialized in this case). I've never known Tags to have references from the Servlet to the Tag. – Christopher Schultz Apr 05 '23 at 20:59
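
An added illustration, not code from the question, Vaadin or Tomcat: Java serialization follows every non-transient field of an object it writes, so a class that is never put into the session directly can still be named in a `NotSerializableException` when a serialized object holds a reference to it. `RestHelper`, `LeakyView` and `SafeView` are hypothetical stand-ins, and whether this is the path in the asker's application is an assumption.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionGraphDemo {
    // Hypothetical stand-in for a helper such as ApiBookUtils: not Serializable.
    static class RestHelper {
        String baseUrl = "https://api.example.invalid"; // constructed sample value
    }

    // Hypothetical view object that ends up in the session and keeps
    // the helper in an ordinary (non-transient) field.
    static class LeakyView implements Serializable {
        private static final long serialVersionUID = 1L;
        private final RestHelper helper = new RestHelper();
    }

    // Same view, but the helper is excluded from the serialized form
    // and re-created lazily after deserialization.
    static class SafeView implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient RestHelper helper;
        RestHelper helper() {
            if (helper == null) {
                helper = new RestHelper();
            }
            return helper;
        }
    }

    // Writes the object with plain Java serialization and reports the outcome.
    static String trySerialize(Object sessionAttribute) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(sessionAttribute);
            return "ok";
        } catch (NotSerializableException e) {
            // The message names the class that broke the graph, not the attribute.
            return "NotSerializableException: " + e.getMessage();
        } catch (IOException e) {
            return "IOException: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("LeakyView -> " + trySerialize(new LeakyView()));
        System.out.println("SafeView  -> " + trySerialize(new SafeView()));
    }
}
```

Starting the JVM with `-Dsun.io.serialization.extendedDebugInfo=true` makes the exception include the chain of fields that led from the serialized root to the offending class, which helps locate the reference to mark `transient` or remove.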