#78 Servlet Filter for Session Serialization Check

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-08-09
Created: 2008-10-04
Private: No

Hello,

I would like to propose adding a Servlet Filter that checks for serializable sessions. The idea would be to iterate after every request over all parameters in the session and serialize / deserialize them with an equals test, like here:
http://gsbase.sourceforge.net/clover/com/gargoylesoftware/base/testing/TestUtil.html

In addition the parameter in the session should be replaced with its deserialized copy (in order to check if the application can cope with transient fields).

It is vital in the development of a high-availability web application to recognize serialization problems with objects that are put into the session as early as possible. This check has to be dynamic and cannot be done statically at compile time, because at compile time you do not know which objects will be put into a session. In addition, you could put Collections into the session that may hold non-serializable objects.

Many Thanks,
Christian Schuhegger

Discussion

  • Frank W. Zammetti

    We actually have the facility to do this already in the SessionSize class, indirectly at least... it does the sort of checks you outline; although its goal is to determine the size of the session, it indirectly determines whether the session is serializable or not. I'm not totally sure I see this as something that should be its own filter, especially given that it would be a simple filter that makes use of the SessionSize class.

    That being said, if someone were to write such a filter I think I'd be inclined to commit it :) (hint-hint)

  • Christian Schuhegger

    Hello,

    have a look here:
    http://www.seamframework.org/Community/CheckForSerializabilityInADistributableWebapp

    In my last comment I describe a prototype solution that roughly does what I have in mind. The prototype can be found here:
    svn co https://jclusterjobs.svn.sourceforge.net/svnroot/jclusterjobs/prototypes/p20080705/jces

    A simplistic serialization check like the size check or the gsbase check from its TestUtil class is not enough. If you put a collection in the session, then you would have to iterate through that collection at runtime and verify that all its members are serializable. Even for a single class, if you have a non-serializable base class and derive from it and mark the subclass as serializable (this is a mistake), then via the serialization / deserialization and equals check it is still possible to get a positive result, because the base class is initialized via its default constructor.

    In my initial version of the servlet filter I also put in a feature for replacing every element of the session with a clone that was created via serialization/deserialization, in order to detect any problems early (e.g. uninitialized transient fields). That feature currently does not work in my test project using SEAM and JBoss. There is some classloader issue.

    Otherwise the current version of the filter goes already a long way in what I have in mind.

    Perhaps this could be added to your project?
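
As an added example (not the project's own code and not the prototype linked above), here is how the filter proposed in the opening post, extended with the two points raised in the last comment, could look in Java. It assumes the javax.servlet API (rename the imports for Jakarta) and that the filter is mapped to every request; the class name and log messages are illustrative. After the application has handled the request, each session attribute is walked reflectively to flag non-Serializable members inside collections, maps, arrays and fields, and to flag a Serializable class whose superclass is not (the case where the round-trip "succeeds" but the superclass state is silently rebuilt from its no-arg constructor); it is then serialized, deserialized, compared with equals(), and replaced by the deserialized copy. The ObjectInputStream resolves classes against the web application's context class loader, which is one common cause of the kind of classloader issue mentioned in the comment.

```java
import java.io.*;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Illustrative filter (added example): checks every session attribute for serializability after each request. */
public class SessionSerializationCheckFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) { context = config.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);                         // let the application run first
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session == null) return;
        // Copy the names first: setAttribute() below would otherwise disturb the enumeration.
        List<String> names = new ArrayList<String>();
        for (Enumeration<?> e = session.getAttributeNames(); e.hasMoreElements();) names.add((String) e.nextElement());
        for (String name : names) {
            Object value = session.getAttribute(name);
            List<String> problems = new ArrayList<String>();
            inspect(value, name, new IdentityHashMap<Object, Boolean>(), problems);
            for (String p : problems) context.log("session check: " + p);
            try {
                Object copy = roundTrip(value);
                if (!value.equals(copy))
                    context.log("session check: '" + name + "' differs from its deserialized copy (transient fields? equals()?)");
                session.setAttribute(name, copy);         // the app now works with the copy, as it would after a failover
            } catch (Exception ex) {
                context.log("session check: '" + name + "' failed to round-trip: " + ex);
            }
        }
    }

    /** Serializes o to bytes and reads it back, resolving classes against the web app's class loader. */
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(bytes);
        out.writeObject(o);
        out.close();
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray())) {
            @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                try { return Class.forName(desc.getName(), false, Thread.currentThread().getContextClassLoader()); }
                catch (ClassNotFoundException e) { return super.resolveClass(desc); }
            }
        };
        try { return in.readObject(); } finally { in.close(); }
    }

    /** Reflective walk over the object graph; appends one message per problem found. */
    static void inspect(Object o, String path, Map<Object, Boolean> seen, List<String> out) {
        if (o == null || seen.containsKey(o)) return;     // identity map breaks cycles
        seen.put(o, Boolean.TRUE);
        Class<?> c = o.getClass();
        if (!(o instanceof Serializable)) {
            out.add(path + " holds non-serializable " + c.getName());
            return;
        }
        if (o instanceof String || o instanceof Number || o instanceof Boolean || o instanceof Character || c.isEnum()) return;
        // Serializable subclass of a non-Serializable superclass: the round-trip does not fail,
        // but the superclass fields are rebuilt by its no-arg constructor, so equals() may still pass.
        for (Class<?> s = c.getSuperclass(); s != null && s != Object.class; s = s.getSuperclass()) {
            if (!Serializable.class.isAssignableFrom(s)) {
                out.add(path + ": superclass " + s.getName() + " is not Serializable; its fields are reset on deserialization");
                break;
            }
        }
        if (c.isArray()) {
            if (c.getComponentType().isPrimitive()) return;
            for (int i = 0, n = Array.getLength(o); i < n; i++) inspect(Array.get(o, i), path + "[" + i + "]", seen, out);
        } else if (o instanceof Collection) {
            int i = 0;
            for (Object e : (Collection<?>) o) inspect(e, path + "[" + (i++) + "]", seen, out);
        } else if (o instanceof Map) {
            for (Map.Entry<?, ?> e : ((Map<?, ?>) o).entrySet()) {
                inspect(e.getKey(), path + ".key", seen, out);
                inspect(e.getValue(), path + "[" + e.getKey() + "]", seen, out);
            }
        } else {
            // Descend into the fields the serializer would actually write: non-static, non-transient,
            // and only those declared in Serializable classes of the hierarchy.
            for (Class<?> k = c; k != null && k != Object.class; k = k.getSuperclass()) {
                if (!Serializable.class.isAssignableFrom(k)) continue;
                for (Field f : k.getDeclaredFields()) {
                    int m = f.getModifiers();
                    if (Modifier.isStatic(m) || Modifier.isTransient(m) || f.getType().isPrimitive()) continue;
                    f.setAccessible(true);
                    try { inspect(f.get(o), path + "." + f.getName(), seen, out); }
                    catch (IllegalAccessException ex) { out.add(path + "." + f.getName() + ": not accessible"); }
                }
            }
        }
    }
}
```

Two caveats for anyone running something like this: the reflective walk can report false positives for classes that implement writeObject/writeReplace themselves and deliberately keep non-Serializable state in non-transient fields (the round-trip is the authoritative test there), and because the filter replaces attributes with copies and reflects over every session object on every request, it belongs in development and integration environments only, not in production.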
