Bug 66680 - [StandardSession] Misleading warning "Cannot serialize Principal object for session"
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 10
Classification: Unclassified
Component: Catalina
Version: 10.1.0
Hardware: PC All
Importance: P2 normal
Target Milestone: ------
Assignee: Tomcat Developers Mailing List
Reported: 2023-07-06 15:20 UTC by Tseko
Modified: 2023-07-24 10:23 UTC
Description Tseko 2023-07-06 15:20:47 UTC
We have recently started using session persistence capability with persistAuthentication="true".
When a user is logged out of the system and redirected to the login page, they are given a session whose principal object is null.

If in that period the Tomcat server is restarted, doWriteObject from org.apache.catalina.session.StandardSession is called, where on line 1489 it tries to check if the sessionPrincipal is serializable, but does not check if it is null before that (https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/catalina/session/StandardSession.java#L1489).

If the principal is null (as in the above-described scenario), then the manager logs a warning message saying it cannot serialize the principal for the session.
This is somewhat misleading as there is simply no principal to serialize.

My suggestion here would be to either add a null-check before logging the warning message, or add a configuration option where this particular case (one of a null principal) can be toggled, perhaps something like 'warnNullPrincipalSerialize'.

Without such an ability we would get a lot of these warning messages in our production and we would not know which ones came from a session that is simply unauthenticated (i.e. principal is null), and which ones came from an actual issue with serializing the principal of an authenticated user.
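The following Java program is an added illustration of the defect described above and is not Tomcat's code: it models the principal-serialization step of a session write with the original "warn whenever the principal is not Serializable" logic beside a version that checks for null first, and runs both over three constructed principals (null, Serializable, non-Serializable). The class name, method names, the two sample Principal classes and the in-memory warnings list are all assumptions made for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative model (not Tomcat's code) of persisting a session's Principal
 * when persistAuthentication="true". All names here are assumptions.
 */
public class PrincipalPersistenceDemo {

    /** Stand-in for the manager's log: one entry per warning emitted. */
    static final List<String> warnings = new ArrayList<>();

    /** A Serializable principal, as an authenticated session would hold. */
    static final class UserPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** A principal that cannot be serialized: the case the warning is meant for. */
    static final class TransientPrincipal implements Principal {
        @Override public String getName() { return "transient"; }
    }

    /** Original logic: null fails "instanceof Serializable", so it warns as well. */
    static byte[] writeOriginal(String sessionId, Principal principal) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            if (principal instanceof Serializable) {
                oos.writeObject(principal);
            } else {
                warnings.add("Cannot serialize Principal object for session " + sessionId);
            }
        }
        return buf.toByteArray();
    }

    /** Fixed logic: a null principal is an unauthenticated session, not a failure. */
    static byte[] writeFixed(String sessionId, Principal principal) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            if (principal == null) {
                // Nothing to persist; the restored session is simply unauthenticated.
            } else if (principal instanceof Serializable) {
                oos.writeObject(principal);
            } else {
                // Only an actual non-serializable principal reaches the warning now.
                warnings.add("Cannot serialize Principal object for session " + sessionId);
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample principals covering the three cases.
        Principal[] cases = { null, new UserPrincipal("alice"), new TransientPrincipal() };
        String[] labels = { "null (logged out)", "Serializable", "non-Serializable" };

        for (int i = 0; i < cases.length; i++) {
            warnings.clear();
            writeOriginal("S" + i, cases[i]);
            int originalWarnings = warnings.size();

            warnings.clear();
            writeFixed("S" + i, cases[i]);
            int fixedWarnings = warnings.size();

            System.out.printf("%-18s original warns: %d   fixed warns: %d%n",
                    labels[i], originalWarnings, fixedWarnings);
        }
    }
}
```

Running it shows why the original message is misleading for operators: the null case produces a warning under the original logic and none under the fixed one, while the genuinely non-serializable principal warns under both, so after the fix every occurrence of the message points at a real serialization problem rather than at a logged-out session caught by a restart.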
Comment 1 Christopher Schultz 2023-07-07 14:19:34 UTC
Seems reasonable. Would you like to prepare a patch/PR for this?

Please include an entry in the changelog if you do so.
Comment 2 Tseko 2023-07-13 10:11:32 UTC
Hi Christopher,

Thanks for the quick reply! I created the PR (#638) and referenced the bug from here.
Comment 3 Tseko 2023-07-20 09:56:57 UTC
Hi (In reply to Christopher Schultz from comment #1)
> Seems reasonable. Would you like to prepare a patch/PR for this?
> 
> Please include an entry in the changelog if you do so.

I'm not sure how to include an entry in the changelog, could you please do that or point me to a howto for doing it?
Comment 4 Christopher Schultz 2023-07-20 18:10:06 UTC
I can do the changelog if you do the PR.
Comment 5 Tseko 2023-07-21 10:14:28 UTC
(In reply to Christopher Schultz from comment #4)
> I can do the changelog if you do the PR.

Thanks! Here is the PR https://github.com/apache/tomcat/pull/638
Comment 6 Mark Thomas 2023-07-24 10:23:35 UTC
Thanks for the PR. This has been fixed in:

- 11.0.x for 11.0.0-M10 onwards
- 10.1.x for 10.1.12 onwards
- 9.0.x for 9.0.79 onwards
- 8.5.x for 8.5.92 onwards