Spring boot - J2EE Bad Practices: Non-Serializable Object Stored in Session

 
Greenhorn
How can I resolve the `Non-Serializable Object Stored in Session` error? I tried implementing `public class BanksMvcController implements Serializable` but that doesn't resolve the error.

Can someone help me fix the error?



Here is the BanksMvcController.java code:



 
Sheriff
For an object to be Serializable, all of its members must also be Serializable. So BanksService must be Serializable; and this rule applies recursively.
 
Marshal
It's not the BanksMvcController / BanksService that is stored, it's an AccontListWrapper. This is line 62 that's mentioned in the warning:
 
Bartender
Do you find this web site helpful?
It suggests implementing the Serializable interface for your class.
https://cwe.mitre.org/data/definitions/579.html
 
Saloon Keeper

Paul Clapham wrote: For an object to be Serializable, all of its members must also be Serializable. So BanksService must be Serializable; and this rule applies recursively.



Note that the JEE spec requires objects stored in Session scope to be serializable. And, as Paul noted, that includes the objects that they reference. Hmai's link "suggests" to make session objects serializable, but it's common these days for webapp servers to require serializable objects, as John discovered.

There are several reasons for this. One is that if you use clustering, you'll need to be able to pass the entire session from one JVM to another and that's done by serial transfer.

Another is to survive reboots of the JEE container. Tomcat, for example, writes sessions out to a work file with a ".ser" extension so that it can load them back in when it restarts.

You may think that these restrictions are silly/useless in the context of Spring Boot, but Spring Boot gets its web functions from an embedded copy of Tomcat or Jetty, and Tomcat, at least, actively enforces this constraint.

You might also notice that JDBC Connection is an Interface and that it is not Serializable. Before Tomcat started enforcing the serialization mandate, people were prone to stash Connections in their sessions. That was not only a good way to make a webapp unreliable, it also tied up precious resources. Connections in webapps should be pulled from a Connection pool, used, then returned to the pool (closed) as quickly as possible. And ALWAYS within the same request/response cycle.
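
What the replies above describe, as an added example (not code from the thread or from the poster's project): a class can declare `implements Serializable` and still fail when the container serializes the session, because a member nested deeper in the object graph is not serializable. All class names and values here are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SessionSerializationCheck {

    // Hypothetical collaborator that is NOT Serializable (e.g. a service or connection).
    static class AuditClient { }

    // Declares Serializable, but a member is not: fails only when actually serialized.
    static class BrokenAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        String id = "ACC-CONSTRUCTED-1";          // constructed sample value
        AuditClient audit = new AuditClient();
    }

    // Same state; the collaborator is transient, so serialization skips it.
    static class FixedAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        String id = "ACC-CONSTRUCTED-1";          // constructed sample value
        transient AuditClient audit = new AuditClient();
    }

    // Hypothetical session attribute: serializable itself, contents checked recursively.
    static class AccountList implements Serializable {
        private static final long serialVersionUID = 1L;
        final List<Serializable> accounts = new ArrayList<>();
    }

    // Returns null if the whole object graph serializes, else the failing class name.
    static String firstNonSerializable(Object sessionAttribute) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(sessionAttribute);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();                // the JDK puts the class name here
        }
    }

    public static void main(String[] args) throws IOException {
        AccountList broken = new AccountList();
        broken.accounts.add(new BrokenAccount());
        AccountList fixed = new AccountList();
        fixed.accounts.add(new FixedAccount());
        System.out.println("broken graph: " + firstNonSerializable(broken));
        System.out.println("fixed graph:  " + firstNonSerializable(fixed));
    }
}
```

A transient field comes back as `null` after deserialization, so code that reads it from a restored session has to re-obtain the collaborator rather than assume it is set.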
 