https://bz.apache.org/bugzilla/show_bug.cgi?id=66680

            Bug ID: 66680
           Summary: [StandardSession] Misleading warning "Cannot serialize
                    Principal object for session"
           Product: Tomcat 10
           Version: 10.1.0
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: tsvetyorda...@gmail.com
  Target Milestone: ------

We have recently started using session persistence capability with
persistAuthentication="true".
When a user is logged out of the system and redirected to the login page, they
are given a session whose principal object is null.

If in that period the tomcat server is restarted, the doWriteObject from
org.apache.catalina.session.StandardSession is called where on line 1489 it
tries to check if the sessionPrincipal is serializable, but does not check if
it is null before that -
(https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/catalina/session/StandardSession.java#L1489
).

If the principal is null (like in the above-described scenario) - then the
manager logs a warning message saying it cannot serialize the principal for the
session. 
This is somewhat misleading as there is simply no principal to serialize.

My suggestion here would be to either add a null-check before logging the
warning message, or add a configuration option where this particular case (one
of a null principal) can be toggled, perhaps something like
'warnNullPrincipalSerialize'.

Without such an ability we would get a lot of these warning messages in our
production and we would not know which ones came from a session that is simply
unauthenticated (i.e. principal is null), and which ones came from an actual
issue with serializing the principal of an authenticated user.

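The two code paths the report contrasts, as an added illustration that is not Tomcat's code: the method names writePrincipalBefore/writePrincipalAfter/readPrincipal and the two Principal implementations are assumptions made for this example, and the warning text is only modelled after the one quoted in the summary. The "before" writer reproduces the described behaviour (an instanceof test with no null check, so a null principal falls through to the warning); the "after" writer separates "no principal" from "principal present but not Serializable", which is the null check the report asks for.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;

/**
 * Example only; not StandardSession. The helper names and the two
 * Principal classes below are assumptions made for this illustration.
 */
public class PrincipalPersistenceExample {

    /** Constructed stand-in for a Principal that a Realm could persist. */
    static final class SerializablePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        SerializablePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed stand-in for a Principal that is not Serializable. */
    static final class TransientPrincipal implements Principal {
        @Override public String getName() { return "transient"; }
    }

    /** Behaviour described in the report: instanceof test, no null check first. */
    static boolean writePrincipalBefore(Principal principal, ObjectOutputStream oos,
                                        StringBuilder log) throws IOException {
        if (principal instanceof Serializable) {
            oos.writeBoolean(true);
            oos.writeObject(principal);
            return true;
        }
        // A null principal (unauthenticated session) also reaches this branch.
        log.append("WARN Cannot serialize Principal object for session\n");
        oos.writeBoolean(false);
        return false;
    }

    /** Suggested fix: a null principal is silently skipped, only a real failure warns. */
    static boolean writePrincipalAfter(Principal principal, ObjectOutputStream oos,
                                       StringBuilder log) throws IOException {
        if (principal == null) {
            oos.writeBoolean(false);   // nothing to persist, nothing to warn about
            return false;
        }
        if (!(principal instanceof Serializable)) {
            log.append("WARN Cannot serialize Principal object for session\n");
            oos.writeBoolean(false);
            return false;
        }
        oos.writeBoolean(true);
        oos.writeObject(principal);
        return true;
    }

    /** Reads back the flag-plus-object layout written by either method. */
    static Principal readPrincipal(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        return ois.readBoolean() ? (Principal) ois.readObject() : null;
    }

    /** Serialises a principal with the chosen writer and restores it; log collects warnings. */
    static Principal roundTrip(Principal p, boolean fixed, StringBuilder log)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
            if (fixed) writePrincipalAfter(p, oos, log); else writePrincipalBefore(p, oos, log);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return readPrincipal(ois);
        }
    }

    public static void main(String[] args) throws Exception {
        Principal[] cases = { null, new TransientPrincipal(), new SerializablePrincipal("alice") };
        for (Principal p : cases) {
            for (boolean fixed : new boolean[] { false, true }) {
                StringBuilder log = new StringBuilder();
                Principal back = roundTrip(p, fixed, log);
                System.out.printf("%-22s %-6s restored=%-9s warned=%b%n",
                        p == null ? "null" : p.getClass().getSimpleName(),
                        fixed ? "fixed" : "before",
                        back == null ? "null" : back.getName(),
                        log.length() > 0);
            }
        }
    }
}
```

Running main prints six rows: the null principal warns only under the "before" writer, the TransientPrincipal warns under both (that is the case the warning is meant for), and the SerializablePrincipal round-trips without a warning under both. Note that restoring persisted sessions means the principal is recreated via ObjectInputStream on restart, so whatever Principal class the Realm returns must be one the deployment is prepared to deserialize.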