9 Replies Latest reply on Apr 10, 2011 10:40 AM by anil.saldhana

    Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable

    jonananas

      I'm having trouble with some PicketLink classes not being serializable:

       

      • org.picketlink.identity.seam.federation.SamlPrincipal
      • org.picketlink.identity.seam.federation.requests
      • org.picketlink.identity.seam.federation.ExternalAuthenticator

       

      To be honest, I have not investigated at great length why ExternalAuthenticator needs to be serializable in my app. But for SamlPrincipal and requests I get SerializableException when swapping the session to disk, causing identity to get serialized, and also SamlPrincipal.

       

      My questions regarding this are:

      1. Since Identity is serializable it seems to me SamlPrincipal should be?
      2. Is there a reason other than cleanliness for not making a class serializable?
      3. If not, would you please consider serializing these three classes in the next version of PicketLink (I'm using my own overriding versions at the moment, but it's a bit unclean and might make future upgrades a hassle)?

       

      -- Jonas

        • 1. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
          marcelkolsteren

          Thanks for pointing this out. I agree, the classes you mentioned must be serializable.

           

          The reason I had for not making the session-bound objects Serializable, was that it would only be needed in clustered environments, or when sessions need to be preserved during application server restarts. What is the reason that the sessions are swapped to disk in your case (I'm just curious)?

           

          Making SeamSamlPrincipal Serializable is not straightforward, because it contains instances of NameIDType, AttributeType and AssertionType, all of which are JAXB-generated classes. I hope that JAXB can be configured to create Serializable variants of those classes. How did you fix that problem in your own overriding versions?

           

          Regarding the ExternalAuthenticator, I was first a bit surprised that your app was trying to serialize an instance of that class. But now I realize that you may be using client-side state saving. Is that the case?

           

          I created a JIRA issue for this bug:

           

          https://jira.jboss.org/browse/PLFED-106

          • 2. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
            jonananas

            The reason we swap sessions to disk is to preserve memory: we have a lot of low-CPU, high-memory, long-running sessions, where users ask for data and then take some time reading through it before performing the next search. We use org.apache.catalina.session.PersistentManager to swap sessions to disk.

             

            I made ExternalAuthenticator serializable successfully, but SamlPrincipal and Request are still a problem for me.

            The way we've made JAXB-generated classes serializable in the past is putting a bindings.jxb in the same directory as the xsd or wsdl:

             

            {code:xml}

            <?xml version="1.0" encoding="UTF-8"?>
            <jaxb:bindings version="1.0"
                xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
                jaxb:extensionBindingPrefixes="xjc"
                schemaLocation="model.xsd" node="/xsd:schema">
              <jaxb:globalBindings
                  choiceContentProperty="true"
                  generateIsSetMethod="true">
                <xjc:simple/>
                <!-- Every generated class implements java.io.Serializable; uid becomes its serialVersionUID -->
                <xjc:serializable uid="4"/>
              </jaxb:globalBindings>
            </jaxb:bindings>

            {code}

             

            From our pom:

             

            {code:xml}

            <plugin>
              <groupId>org.jvnet.jaxb2.maven2</groupId>
              <artifactId>maven-jaxb2-plugin</artifactId>
              <version>0.7.1</version>
              <executions>
                <execution>
                  <goals>
                    <goal>generate</goal>
                  </goals>
                </execution>
              </executions>
              <configuration>
                <schemaDirectory>${basedir}/xsd</schemaDirectory>
                <includeSchemas>
                  <includeSchema>model.xsd</includeSchema>
                </includeSchemas>
                <strict>true</strict>
                <verbose>true</verbose>
                <extension>true</extension>
              </configuration>
            </plugin>

            {code}
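
The failure discussed in this thread, reproduced with stand-in classes as an added example (not PicketLink code and not from any poster): a Serializable session-bound principal fails to serialize because it wraps a generated type that is not Serializable, and passes once that type looks like what `<xjc:serializable uid="4"/>` generates. The class names `PlainNameId`, `SerializableNameId` and `StandInPrincipal` and the `blockingClass` helper are hypothetical; the same probe can be run on real session attributes before enabling session swapping or clustering.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionSerializationProbe {

    // Hypothetical stand-in for a JAXB-generated type produced WITHOUT <xjc:serializable/>.
    static class PlainNameId {
        String value = "user@example.org"; // constructed sample value
    }

    // The same type as xjc emits it WITH <xjc:serializable uid="4"/>.
    static class SerializableNameId implements Serializable {
        private static final long serialVersionUID = 4L;
        String value = "user@example.org"; // constructed sample value
    }

    // Hypothetical stand-in for a session-bound principal wrapping the generated type.
    static class StandInPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        final Object nameId;
        StandInPrincipal(Object nameId) { this.nameId = nameId; }
    }

    /** Returns null if the whole object graph serializes, else the class that blocks it. */
    static String blockingClass(Object sessionAttribute) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(sessionAttribute);
            return null;
        } catch (NotSerializableException e) {
            // ObjectOutputStream reports the offending class name as the exception message.
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // The principal itself is Serializable, but the nested generated type is not.
        System.out.println("without xjc:serializable: "
                + blockingClass(new StandInPrincipal(new PlainNameId())));
        // With the nested type Serializable, the graph can be written out.
        System.out.println("with xjc:serializable:    "
                + blockingClass(new StandInPrincipal(new SerializableNameId())));
    }
}
```

The probe reports only the first blocking class, so it has to be re-run after each fix until it returns null.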

            • 3. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
              marcelkolsteren

              Jonas, thanks for the hints. They'll be useful at the time we're fixing the problem.

              • 4. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
                mdesignz

                Hello, I'm attempting to run a Seam application in a cluster, and I'm running into org.picketlink.identity.seam.federation.ExternalAuthenticator not being Serializable. Is there a version that addresses this? We're currently using 1.0.3.CR2.

                 

                Thanks.

                • 5. Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
                  anil.saldhana

                  Robert, the next build of PL2 will contain the changes for you.

                  • 6. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
                    jonananas

                    I thought I'd follow up in this thread regarding PL2.

                     

                    I've been trying to get PL2 running on a Seam 2.1.2 application running on JBoss 4.3.0.

                     

                    In this process I've had to make the following classes serializable:

                     

                    picketlink-seam:

                    M       picketlink-seam\src\main\java\org\picketlink\identity\seam\federation\configuration\SamlIdentityProvider.java
                    M       picketlink-seam\src\main\java\org\picketlink\identity\seam\federation\configuration\SamlEndpoint.java
                    M       picketlink-seam\src\main\java\org\picketlink\identity\seam\federation\configuration\SamlService.java
                    M       picketlink-seam\src\main\java\org\picketlink\identity\seam\federation\RequestContext.java

                     

                    picketlink-trunk:

                    M       picketlink-fed-model\src\main\java\org\picketlink\identity\federation\newmodel\saml\v2\assertion\SubjectType.java

                                    (STSubType needs to be serializable)
                    M       picketlink-fed-model\src\main\java\org\picketlink\identity\federation\newmodel\saml\v2\assertion\SubjectConfirmationDataType.java
                    M       picketlink-fed-model\src\main\java\org\picketlink\identity\federation\newmodel\saml\v2\assertion\AudienceRestrictionType.java
                    M       picketlink-fed-model\src\main\java\org\picketlink\identity\federation\newmodel\saml\v2\assertion\AuthnContextClassRefType.java
                    M       picketlink-fed-model\src\main\java\org\picketlink\identity\federation\newmodel\saml\v2\assertion\EncryptedElementType.java
                    M       picketlink-fed-model\src\main\java\org\picketlink\identity\federation\newmodel\saml\v2\assertion\AuthnContextType.java

                     

                     

                    Could you please consider making these serializable in the next PL2 release?

                    They were all straightforward work...

                     

                    Thanks

                    • 7. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
                      anil.saldhana

                      I made the changes and there is a new build today: http://community.jboss.org/message/584988

                       

                      Try and tell us..

                      • 8. Re: Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
                        jonananas

                        I think you missed updating the picketlink-seam files? At least the files at http://anonsvn.jboss.org/repos/picketlink/picketlink-seam/trunk/ are still not serializable.

                         

                        The picketlink-trunk at http://anonsvn.jboss.org/repos/picketlink/federation/trunk/ looks good though!

                         

                        -- Jonas

                        • 9. Problems with SamlPrincipal, requests and ExternalAuthenticator not being Serializable
                          anil.saldhana

                          The changes are in the build I attached. I forgot to check in the changes to the seam workspace. I have done it now.