Shiro / SHIRO-182

SimpleSession cannot be deserialized

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.0.0
    • 1.1.0
    • None
    • Linux 2.6.34 x86_64
      java version "1.5.0_12"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04)
      Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_12-b04, mixed mode)

    Description

      org.apache.shiro.session.mgt.SimpleSession fails deserialization with the following error:

      at java.io.ObjectInputStream$BlockDataInputStream.readByte(ObjectInputStream.java:2666)
      at java.io.ObjectInputStream$BlockDataInputStream.readUTFChar(ObjectInputStream.java:3058)
      at java.io.ObjectInputStream$BlockDataInputStream.readUTFBody(ObjectInputStream.java:2955)
      at java.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2764)
      at java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1032)
      at org.apache.shiro.session.mgt.SimpleSession.readObject(SimpleSession.java:481)

      There is a problem with the way the 'expired' flag is managed. In writeObject the 'expired' flag is written if it's set:

      if (expired) {
          out.writeBoolean(expired);
      }

      But in getAlteredFieldsBitMask, the bit in the bit mask is only set when the 'expired' flag is not set:

      bitMask = !expired ? bitMask | EXPIRED_BIT_MASK : bitMask;

      A short test:

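      import java.io.*;
      import org.apache.shiro.session.mgt.SimpleSession;

      public class SimpleSessionRoundTrip {
          public static void main(String[] args) throws Exception {
              SimpleSession session = new SimpleSession("localhost");
              // This doesn't work either
              // session.setExpired(true);
              ByteArrayOutputStream serialized = new ByteArrayOutputStream();
              ObjectOutputStream serializer = new ObjectOutputStream(serialized);
              serializer.writeObject(session);
              serializer.close();
              // Reading the session back fails inside SimpleSession.readObject
              new ObjectInputStream(new ByteArrayInputStream(serialized.toByteArray())).readObject();
          }
      }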
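
The mismatch described above, reduced to a self-contained Java illustration (added here; it is not Shiro's code and not the patch that resolved this issue). `MaskedRecord`, its two-bit mask and the `buggy` switch are hypothetical stand-ins. The reader trusts the mask to decide which fields follow, so when the mask and the written fields disagree, every later field is read at the wrong offset.

```java
import java.io.*;

// Added illustration; MaskedRecord is hypothetical, not Shiro's SimpleSession.
public class MaskedRecord {
    static final int EXPIRED_BIT = 1 << 0;
    static final int HOST_BIT = 1 << 1;

    // buggy=true reproduces the mismatch from the report: the mask bit is set
    // when 'expired' is false, but the boolean is written only when it is true.
    static byte[] write(boolean expired, String host, boolean buggy) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        int mask = 0;
        boolean flagInMask = buggy ? !expired : expired;
        if (flagInMask) mask |= EXPIRED_BIT;
        if (host != null) mask |= HOST_BIT;
        out.writeShort(mask);
        if (expired) out.writeBoolean(expired);
        if (host != null) out.writeUTF(host);
        out.flush();
        return buf.toByteArray();
    }

    // The reader relies on the mask alone to know which fields are present.
    static String read(byte[] data) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(data));
        int mask = in.readShort();
        boolean expired = (mask & EXPIRED_BIT) != 0 && in.readBoolean();
        String host = (mask & HOST_BIT) != 0 ? in.readUTF() : null;
        if (in.available() != 0) throw new StreamCorruptedException("trailing bytes");
        return "expired=" + expired + " host=" + host;
    }

    public static void main(String[] args) throws IOException {
        // Round-trip both flag values through the mismatched and the consistent writer.
        for (boolean buggy : new boolean[] {true, false}) {
            for (boolean expired : new boolean[] {false, true}) {
                String label = (buggy ? "mismatched" : "consistent") + " expired=" + expired;
                try {
                    System.out.println(label + " -> " + read(write(expired, "localhost", buggy)));
                } catch (IOException e) {
                    System.out.println(label + " -> " + e);
                }
            }
        }
    }
}
```

With the mismatched writer, both flag values leave the string read misaligned, which matches the report's observation that the test fails with and without `setExpired(true)`.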

          People

            kaosko Kalle Korhonen
            fdemarco Favio D. DeMarco