Shiro / SHIRO-767

org.apache.shiro.util.ClassUtil cannot load arrays of primitive data types when using Undertow as the web container


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 1.5.2
    • 1.7.0, 2.0.0-alpha
    • RememberMe
    • None

    Description

      I used Spring Boot to build a web project. When I replaced the web container with Undertow, I found that the rememberMe cookie could not be deserialized successfully.

      But when I used Tomcat, the cookie could be deserialized.

      I found that when using Tomcat, the function ClassUtil.forName(String fqcn) can load the class [C (Primitive DataType), but with Undertow it cannot.

      When using Tomcat, the THREAD_CL_ACCESSOR is TomcatEmbeddedWebappClassLoader, which can load Primitive DataType.

      When using Undertow, the THREAD_CL_ACCESSOR is AppClassLoader, which cannot load Primitive DataType.

      Because classLoader(AppClassLoader).loadClass() cannot load Primitive DataType, I think it would be better to use the function Class.forName() to load the class,

      such as: clazz = Class.forName(fqcn, false, cl);

      /**
       * @since 1.0
       */
      private static abstract class ExceptionIgnoringAccessor implements ClassLoaderAccessor {
          public Class loadClass(String fqcn) {
              Class clazz = null;
              ClassLoader cl = getClassLoader();
              if (cl != null) {
                  try {
                      // replace cl.loadClass(fqcn)
                      clazz = Class.forName(fqcn,false,cl);
                  } catch (ClassNotFoundException e) {
                      if (log.isTraceEnabled()) {
                          log.trace("Unable to load clazz named [" + fqcn + "] from class loader [" + cl + "]");
                      }
                  }
              }
              return clazz;
          }
          //...
      }

      This is a demo to reproduce the error: https://github.com/ddddyyyy/shiro-demo

      The exception stack trace when deserializing the cookie failed on Undertow:

      2020-05-06 12:45:45.332  WARN 23162 --- [  XNIO-1 task-5] o.a.shiro.mgt.DefaultSecurityManager     : Delegate RememberMeManager instance of type [org.apache.shiro.web.mgt.CookieRememberMeManager] threw an exception during getRememberedPrincipals().
      org.apache.shiro.io.SerializationException: Unable to deserialize argument byte array.
        at org.apache.shiro.io.DefaultSerializer.deserialize(DefaultSerializer.java:82) ~[shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.mgt.AbstractRememberMeManager.deserialize(AbstractRememberMeManager.java:507) ~[shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:421) ~[shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:386) ~[shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:613) [shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:501) [shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:347) [shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:845) [shiro-core-1.5.2.jar:1.5.2]
        at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148) [shiro-web-1.5.2.jar:1.5.2]
        at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292) [shiro-web-1.5.2.jar:1.5.2]
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359) [shiro-web-1.5.2.jar:1.5.2]
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.5.2.jar:1.5.2]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:94) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_231]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_231]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_231]
      Caused by: java.io.StreamCorruptedException: invalid type code: 00
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1601) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1950) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1567) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431) ~[na:1.8.0_231]
        at java.util.HashSet.readObject(HashSet.java:341) ~[na:1.8.0_231]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_231]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_231]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_231]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_231]
        at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431) ~[na:1.8.0_231]
        at java.util.HashMap.readObject(HashMap.java:1412) ~[na:1.8.0_231]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_231]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_231]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_231]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_231]
        at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2287) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:561) ~[na:1.8.0_231]
        at org.apache.shiro.subject.SimplePrincipalCollection.readObject(SimplePrincipalCollection.java:295) ~[shiro-core-1.5.2.jar:1.5.2]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_231]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_231]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_231]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_231]
        at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573) ~[na:1.8.0_231]
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431) ~[na:1.8.0_231]
        at org.apache.shiro.io.DefaultSerializer.deserialize(DefaultSerializer.java:77) ~[shiro-core-1.5.2.jar:1.5.2]
        ... 58 common frames omitted
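
      The difference the report describes can be reproduced without Shiro or a servlet container. The following is an added example, not code from the issue or from the Shiro project: it deserializes a constructed `HashSet` holding a `char[]` (stream class name `[C`) twice, resolving classes once with `ClassLoader.loadClass` and once with `Class.forName(name, false, cl)`. `ArrayClassResolutionDemo`, `Resolver`, `read` and `attempt` are hypothetical names.

```java
import java.io.*;
import java.util.*;

public class ArrayClassResolutionDemo {
    /** Strategy for turning a stream class name into a Class (hypothetical helper). */
    interface Resolver {
        Class<?> resolve(String name, ClassLoader cl) throws ClassNotFoundException;
    }

    /** Deserializes data, resolving every class descriptor through the given strategy. */
    static Object read(byte[] data, ClassLoader cl, Resolver r)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws ClassNotFoundException {
                return r.resolve(desc.getName(), cl);
            }
        }) {
            return in.readObject();
        }
    }

    /** Runs one deserialization attempt and reports success or the exception raised. */
    static String attempt(byte[] data, ClassLoader cl, Resolver r) {
        try {
            return "ok: " + read(data, cl, r).getClass().getName();
        } catch (IOException | ClassNotFoundException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a set holding a char[], whose stream class name is "[C".
        Set<Object> sample = new HashSet<>();
        sample.add(new char[] {'o', 'k'});
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(sample);
        }
        byte[] data = buf.toByteArray();

        // The system (application) class loader, the loader the report names for Undertow.
        ClassLoader cl = ClassLoader.getSystemClassLoader();
        System.out.println("loadClass     -> " + attempt(data, cl, (n, l) -> l.loadClass(n)));
        System.out.println("Class.forName -> " + attempt(data, cl, (n, l) -> Class.forName(n, false, l)));
    }
}
```

      Because this resolver sits on the path that deserializes the rememberMe cookie, a change to how it loads classes should be reviewed together with any class allow-listing applied to that stream.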
      

       

       


            People

              bmarwell Benjamin Marwell
              madongyu madongyu