After upgrading our project from Spring Boot 3.4.7 to 3.5.3 we get the following exception when an invalid SAML metadata is used:

org.springframework.data.redis.serializer.SerializationException: Cannot serialize
    at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:98) ~[spring-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.data.redis.core.AbstractOperations.rawHashValue(AbstractOperations.java:206) ~[spring-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.data.redis.core.DefaultHashOperations.putAll(DefaultHashOperations.java:169) ~[spring-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.session.data.redis.RedisSessionRepository$RedisSession.saveDelta(RedisSessionRepository.java:328) ~[spring-session-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.session.data.redis.RedisSessionRepository$RedisSession.save(RedisSessionRepository.java:306) ~[spring-session-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.session.data.redis.RedisSessionRepository.save(RedisSessionRepository.java:132) ~[spring-session-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.session.data.redis.RedisSessionRepository.save(RedisSessionRepository.java:45) ~[spring-session-data-redis-3.5.1.jar:3.5.1]
    at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:229) ~[spring-session-core-3.5.1.jar:3.5.1]
    at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:145) ~[spring-session-core-3.5.1.jar:3.5.1]
    at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-3.5.1.jar:3.5.1]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) ~[spring-web-6.2.8.jar:6.2.8]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) ~[spring-web-6.2.8.jar:6.2.8]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-6.2.8.jar:6.2.8]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:612) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:396) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:323) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:268) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:377) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:209) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:286) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:398) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1769) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1189) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:658) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.42.jar:10.1.42]
    at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer
    at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:64) ~[spring-core-6.2.8.jar:6.2.8]
    at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:33) ~[spring-core-6.2.8.jar:6.2.8]
    at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:96) ~[spring-data-redis-3.5.1.jar:3.5.1]
    ... 36 common frames omitted
Caused by: java.io.NotSerializableException: org.opensaml.saml.saml2.metadata.impl.EntityDescriptorImpl
    at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1200) ~[na:na]
    at java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1585) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1542) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1451) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1194) ~[na:na]
    at java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1585) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1542) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1451) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1194) ~[na:na]
    at java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1585) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1542) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1451) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1194) ~[na:na]
    at java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1585) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1542) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1451) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1194) ~[na:na]
    at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:358) ~[na:na]
    at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:46) ~[spring-core-6.2.8.jar:6.2.8]
    at org.springframework.core.serializer.Serializer.serializeToByteArray(Serializer.java:56) ~[spring-core-6.2.8.jar:6.2.8]
    at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:60) ~[spring-core-6.2.8.jar:6.2.8]
    ... 38 common frames omitted

We are using:
- Spring Boot
- Spring Security
- org.springframework.session:spring-session-data-redis
- org.springframework.security:spring-security-saml2-service-provider

When running with the 3.4 versions, I only get

Assertion IssueInstant was expired
Signature verification failed.

in the log.

The problem is that the session that should be saved contains a session attribute sessionAttr:SPRING_SECURITY_LAST_EXCEPTION, which holds a Saml2AuthenticationException that cannot be serialized.

Reproducing

Providing a simple repository that reproduces the problem is difficult because you need SAML metadata that is expired; we have some configuration of that for our Google SAML web apps.
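As an added example, not code from the reporter or from the Spring or OpenSAML projects: a small Java program that runs the same JDK serialization the stack trace shows (JdkSerializationRedisSerializer feeding java.io.ObjectOutputStream) over a map of session attributes and names the attribute, and the class inside it, that would make the Redis session save fail. FakeEntityDescriptor, FakeSaml2AuthenticationException, TransientFieldException, probe and probeAll are constructed stand-ins, not Spring Security or OpenSAML types; the transient variant is there only to show why one object shape serializes and the other does not, and the attribute values are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Probes session attributes with the mechanism spring-session-data-redis uses by
 * default (JdkSerializationRedisSerializer -> java.io.ObjectOutputStream) and reports
 * which attribute, and which class inside it, would make the session save fail.
 * Every type below is a constructed stand-in, not a Spring Security or OpenSAML class.
 */
public class SessionAttributeSerializationProbe {

    /** Stand-in for OpenSAML's EntityDescriptorImpl: an ordinary object, not Serializable. */
    static final class FakeEntityDescriptor {
        final String entityId;
        FakeEntityDescriptor(String entityId) { this.entityId = entityId; }
    }

    /**
     * Stand-in for Saml2AuthenticationException. Throwable is Serializable, so
     * ObjectOutputStream descends into every non-transient field and throws
     * NotSerializableException on the first one whose class is not Serializable.
     */
    static final class FakeSaml2AuthenticationException extends RuntimeException {
        private final FakeEntityDescriptor descriptor;
        FakeSaml2AuthenticationException(String message, FakeEntityDescriptor descriptor) {
            super(message);
            this.descriptor = descriptor;
        }
    }

    /** Same shape, but the non-serializable reference is transient and is skipped on write. */
    static final class TransientFieldException extends RuntimeException {
        private final transient FakeEntityDescriptor descriptor;
        TransientFieldException(String message, FakeEntityDescriptor descriptor) {
            super(message);
            this.descriptor = descriptor;
        }
    }

    /** Outcome for one attribute; offendingClass is null when serialization succeeded. */
    record ProbeResult(String attributeName, boolean serializable, String offendingClass) {}

    /** Serializes one value into a throw-away buffer, exactly as the Redis serializer would. */
    static ProbeResult probe(String attributeName, Object value) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value);
            return new ProbeResult(attributeName, true, null);
        } catch (NotSerializableException e) {
            // ObjectOutputStream sets the exception message to the offending class name.
            return new ProbeResult(attributeName, false, e.getMessage());
        } catch (IOException e) {
            return new ProbeResult(attributeName, false, e.toString());
        }
    }

    /** Probes every attribute so the report names all offenders, not only the first one. */
    static Map<String, ProbeResult> probeAll(Map<String, Object> attributes) {
        Map<String, ProbeResult> results = new LinkedHashMap<>();
        attributes.forEach((name, value) -> results.put(name, probe(name, value)));
        return results;
    }

    public static void main(String[] args) {
        // Constructed sample data: a descriptor for an imaginary IdP.
        FakeEntityDescriptor idp = new FakeEntityDescriptor("https://idp.example/metadata");
        Map<String, Object> sessionAttributes = new LinkedHashMap<>();
        // Attribute name taken from the report; the value is the constructed stand-in exception.
        sessionAttributes.put("SPRING_SECURITY_LAST_EXCEPTION",
                new FakeSaml2AuthenticationException("Signature verification failed.", idp));
        sessionAttributes.put("TRANSIENT_VARIANT",
                new TransientFieldException("Signature verification failed.", idp));
        sessionAttributes.put("SOME_PLAIN_ATTRIBUTE", "a String is always fine");

        for (ProbeResult r : probeAll(sessionAttributes).values()) {
            System.out.printf("%-32s %s%s%n", r.attributeName(),
                    r.serializable() ? "OK" : "NOT SERIALIZABLE",
                    r.serializable() ? "" : " (" + r.offendingClass() + ")");
        }
    }
}
```

Run with `java SessionAttributeSerializationProbe.java` (Java 16 or newer for the record). The first attribute is reported as not serializable and the message names the nested FakeEntityDescriptor class, which is the same shape as the NotSerializableException for EntityDescriptorImpl in the trace above; the transient variant and the plain String pass. The same probe can be applied to a real session's attribute map in a test to catch a non-serializable attribute before it reaches the session repository.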

Comment From: agiannone

+1

Comment From: mehrdadbozorgmehr

Can I work on these issues?