We use play-pac4j in CiviForm, an open-source, public interest project. Our user profiles are represented by the CiviFormProfileData subclass of o.p.c.p.CommonProfile.
In our logs, we have noted warnings like this:
[warn] o.p.c.u.s.JavaSerializer - cannot Java deserialize object
java.io.InvalidClassException: auth.CiviFormProfileData; local class incompatible: stream classdesc serialVersionUID = 3142603030317816700, local class serialVersionUID = 6503846375980947185
This surprises us, because we expected profile serialization to be stable. Note that we did not have serialVersionUID set for this subclass, which was an oversight (and is addressed by this PR). That being said, though the class has had some small changes recently, the structure of the class did not change.
- Is this behavior expected?
- If so, is setting serialVersionUID to the current value sufficient to guard against this problem in the future?
GitHub issue: Errors deserializing pac4j profiles
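An added example (not CiviForm's or pac4j's code) that reproduces the shape of the warning quoted above with a constructed class: it serializes a Profile instance, overwrites the serialVersionUID recorded in the stream's class descriptor to stand in for a stream written by an earlier build whose default UID was computed differently, and shows the resulting InvalidClassException. The class, its field and the UID values are placeholders.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SuidMismatchDemo {
    // Constructed stand-in for a profile class. Without the explicit field, the JVM
    // derives serialVersionUID from the class name, modifiers, interfaces, fields,
    // constructors and methods, so adding only a method changes the value.
    static class Profile implements Serializable {
        private static final long serialVersionUID = 1L; // placeholder value
        String id = "user-1";
    }

    // Serialize one instance, as a cookie or session store would.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bout)) { out.writeObject(o); }
        return bout.toByteArray();
    }

    // Stream layout for a top-level object: magic(2) version(2) TC_OBJECT(1)
    // TC_CLASSDESC(1) nameLength(2) className serialVersionUID(8) ...
    // Overwrite the writer-side UID to stand in for a stream written by an older
    // build whose default UID has since been recomputed.
    static byte[] withStreamSuid(byte[] stream, String className, long suid) {
        byte[] name = className.getBytes(StandardCharsets.UTF_8);
        if (!Arrays.equals(Arrays.copyOfRange(stream, 8, 8 + name.length), name))
            throw new IllegalArgumentException("unexpected stream layout");
        byte[] patched = stream.clone();
        ByteBuffer.wrap(patched, 8 + name.length, 8).putLong(suid);
        return patched;
    }

    // Returns the restored id, or the exception the JVM raises for a UID mismatch.
    static String tryDeserialize(byte[] stream) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return "ok: " + ((Profile) in.readObject()).id;
        } catch (IOException | ClassNotFoundException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] good = serialize(new Profile());
        System.out.println(tryDeserialize(good));
        System.out.println(tryDeserialize(withStreamSuid(good, Profile.class.getName(), 2L)));
    }
}
```

The second line printed carries the same "local class incompatible: stream classdesc serialVersionUID = ..., local class serialVersionUID = ..." text as the logged warning; pinning serialVersionUID keeps the local value fixed across method-only changes, but does not by itself make field changes compatible.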
Profile serialization should be stable.
We have faced issues using the JavaSerializer so this has been changed in the pac4j core project to use the JsonSerializer. This is not the case with play-pac4j and the PlayCookieSessionStore. I guess we should change that. What play-pac4j version do you use?