Bug 55357 - Cannot deserialize session when it contains Externalizable objects (using PersistentManager)
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.42
Hardware: PC All
Importance: P2 major
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2013-08-05 15:15 UTC by Maxime Falaize
Modified: 2013-08-15 19:47 UTC
Description Maxime Falaize 2013-08-05 15:15:18 UTC
I'm using PersistentManager with JDBCStore to store sessions in my database. But in my web application, there is an object in my session which is an instance of org.apache.el.MethodExpressionImpl. This class implements the Externalizable interface, but in its readExternal method it uses org.apache.el.util.ReflectionUtil.forName(String), which uses Thread.currentThread().getContextClassLoader() as its ClassLoader.

It seems to be incorrect because this method returns a StandardClassLoader, which cannot find my classes in the WEB-INF/lib directory of my webapp.

Is it a problem of the MethodExpressionImpl class, which uses this method, or of the JDBCStore, which does not set the thread contextClassLoader as the WebappClassLoader?

Here is the stack trace:

SEVERE: Error processing request
java.lang.IllegalStateException: Erreur lors de la désérialisation de la session 1634C328D27A31CB9FC4D52392FDB05F: {1}
	at org.apache.catalina.session.PersistentManagerBase.swapIn(PersistentManagerBase.java:713)
	at org.apache.catalina.session.PersistentManagerBase.findSession(PersistentManagerBase.java:503)
	at org.apache.catalina.connector.Request.isRequestedSessionIdValid(Request.java:2391)
	at org.apache.catalina.connector.CoyoteAdapter.parseSessionCookiesId(CoyoteAdapter.java:954)
	at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:688)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:402)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:722)
Caused by: java.lang.ClassNotFoundException: javax.faces.event.ActionEvent
	at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:266)
	at org.apache.el.util.ReflectionUtil.forName(ReflectionUtil.java:62)
	at org.apache.el.util.ReflectionUtil.toTypeArray(ReflectionUtil.java:88)
	at org.apache.el.MethodExpressionImpl.readExternal(MethodExpressionImpl.java:290)
	at java.io.ObjectInputStream.readExternalData(ObjectInputStream.java:1835)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1794)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
	at com.sun.facelets.el.TagMethodExpression.readExternal(TagMethodExpression.java:101)
	at java.io.ObjectInputStream.readExternalData(ObjectInputStream.java:1835)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1794)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1913)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
	at java.util.ArrayList.readObject(ArrayList.java:733)
	at sun.reflect.GeneratedMethodAccessor90.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1913)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
	at java.util.HashMap.readObject(HashMap.java:1155)
	at sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
	at java.util.HashMap.readObject(HashMap.java:1155)
	at sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
	at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:499)
	at org.ajax4jsf.application.AjaxStateHolder.readObject(AjaxStateHolder.java:204)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1004)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1891)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
	at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
	at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
	at org.apache.catalina.session.JDBCStore.load(JDBCStore.java:657)
	at org.apache.catalina.session.PersistentManagerBase.swapIn(PersistentManagerBase.java:707)
	... 11 more
Comment 1 Maxime Falaize 2013-08-07 12:02:45 UTC
My workaround to make it work is to add Thread.currentThread().setContextClassLoader(classLoader) in the JDBCStore (between lines 644 and 645 in method load(String):Session):

if (classLoader != null) {
   // Make the webapp class loader the thread context class loader before reading the session
   Thread.currentThread().setContextClassLoader(classLoader);
   ois = new CustomObjectInputStream(bis, classLoader);
} else {
   ois = new ObjectInputStream(bis);
}

Maybe add a try/catch to catch the SecurityException thrown by the setContextClassLoader method.
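
The failure from the description and the workaround from Comment 1, reproduced stand-alone with the previous context class loader restored afterwards so a pooled container thread does not keep the webapp loader. This is an added example, not Tomcat's code and not the committed fix; FakeWebappLoader, Expr, Marker and the class name are constructed stand-ins, and loadClass is called directly where the report's ReflectionUtil.forName goes through Class.forName.

```java
import java.io.*;
import java.util.concurrent.Callable;

public class ContextLoaderSwapDemo {
    // Constructed name standing in for a class only the webapp loader can see.
    static final String WEBAPP_ONLY = "demo.OnlyInWebInfLib";
    static class Marker { }

    // Hypothetical "webapp" loader: resolves WEBAPP_ONLY, delegates the rest.
    static class FakeWebappLoader extends ClassLoader {
        FakeWebappLoader(ClassLoader parent) { super(parent); }
        @Override public Class<?> loadClass(String name) throws ClassNotFoundException {
            return WEBAPP_ONLY.equals(name) ? Marker.class : super.loadClass(name);
        }
    }

    // Like the readExternal() in the report: resolves a class name through the
    // thread context class loader (simplified here to a direct loadClass call).
    public static class Expr implements Externalizable {
        transient Class<?> type;
        public Expr() { }
        public void writeExternal(ObjectOutput out) throws IOException { out.writeUTF(WEBAPP_ONLY); }
        public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
            type = Thread.currentThread().getContextClassLoader().loadClass(in.readUTF());
        }
    }

    // Swap the context class loader for one call and always restore it.
    static <T> T withContextLoader(ClassLoader cl, Callable<T> body) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader previous = t.getContextClassLoader();
        t.setContextClassLoader(cl); // throws SecurityException if not permitted
        try { return body.call(); } finally { t.setContextClassLoader(previous); }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new Expr()); }
        byte[] data = bos.toByteArray();
        Callable<Object> read = () -> new ObjectInputStream(new ByteArrayInputStream(data)).readObject();
        // Without the swap, readExternal() only sees the container-side loader.
        try { read.call(); System.out.println("unexpected: resolved without the webapp loader"); }
        catch (ClassNotFoundException ex) { System.out.println("container loader: " + ex); }

        ClassLoader before = Thread.currentThread().getContextClassLoader();
        Expr e = (Expr) withContextLoader(new FakeWebappLoader(before), read);
        System.out.println("webapp loader: resolved " + e.type.getSimpleName() + ", restored="
            + (Thread.currentThread().getContextClassLoader() == before));
    }
}
```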
Comment 2 Violeta Georgieva 2013-08-15 19:47:30 UTC
Thanks for the report.
Fixed in trunk and 7.0.x and will be included in 7.0.43 onwards.