The HttpCacheEntrySerializationException message is unused in one of the class constructors. This looks like an easily corrected coding mistake.
DefaultHttpCacheEntrySerializer has a code section looking like this:
The constructor used looks like this:
This means the useful error message created using string format will actually never be displayed in an error stack trace.
When trying to upgrade from 4.5.8 to 4.5.10 one of my applications stopped working.
I have a custom implementation of persistent disk cache storage. It makes use of the DefaultHttpCacheEntrySerializer.
The stack trace did not tell me what was wrong (because the informative string is not passed along in the constructor)
I had to use a debugger to figure out that the message was:
"Class [C is not allowed for deserialization"
Apparently this security patch forbids char arrays? (https://reverseengineering.stackexchange.com/questions/17429/b-symbol-in-java-bytecode)
On a side note maybe the whitelist could be expanded to allow all kinds of primitives and arrays of primitives?