Spring boot - J2EE Bad Practices: Non-Serializable Object Stored in Session

How can I resolve the `Non-Serializable Object Stored in Session` error? I tried implementing `public class BanksMvcController implements Serializable` but that doesn't resolve the error.

Can someone help me fix the error?

    "J2EE Bad Practices: Non-Serializable Object Stored in Session" => 1 Issues         demo-web/src/main/java/com/webDemo/controller/BanksMvcController.java:62 (Structural)

Here is the BanksMvcController.java code:

   package com.webDemo.controller;        import com.apiDemo.controller.BanksController;    import com.apiDemo.model.Account;    import com.apiDemo.model.AccountListWrapper;    import com.apiDemo.service.BanksService;    import org.springframework.beans.factory.annotation.Autowired;    import org.springframework.stereotype.Controller;    import org.springframework.ui.ModelMap;    import org.springframework.web.bind.annotation.RequestMapping;    import org.springframework.web.bind.annotation.RequestMethod;    import org.springframework.web.bind.annotation.RequestParam;        import javax.servlet.http.HttpSession;        import java.io.Serializable;    import java.util.List;        /**     * Created by p.bell on 25.01.2016.     */    @Controller    public class BanksMvcController  {            @Autowired        private BanksService banksService;            public static final String ACCOUNT_LIST_WRAPPER="accountListWrapper";        private static final String INIT_IBAN="initIban";        private static final String INIT_BUSINESS_IDENTIFER_CODE="initBusinessIdentifierCode";        private static final String SESSION="session";        private static final String DATABASE="database";            @RequestMapping(value = "/", method = RequestMethod.GET)        public String getAccountListWrapper(HttpSession session,ModelMap model, @RequestParam(value="storageType",required = false) String storageType) {            AccountListWrapper accountListWrapper=null;            if(storageType==null || SESSION.equals(storageType)) {                accountListWrapper = sessionSelected(session, storageType);            }else if(DATABASE.equals(storageType)){                accountListWrapper = databaseSelected(session, storageType);            }            model.addAttribute(ACCOUNT_LIST_WRAPPER, accountListWrapper);            return "index";        }            private AccountListWrapper databaseSelected(HttpSession session, String storageType) {            List<Account> accountList = banksService.getBySessionId(session.getId());            if(accountList.size()==0){                banksService.create(INIT_IBAN,INIT_BUSINESS_IDENTIFER_CODE,session.getId());                accountList = banksService.getBySessionId(session.getId());            }            return new AccountListWrapper(accountList,DATABASE);        }            private AccountListWrapper sessionSelected(HttpSession session, String storageType)  {            AccountListWrapper accountListWrapper = (AccountListWrapper) session.getAttribute(ACCOUNT_LIST_WRAPPER);            if(accountListWrapper==null){                accountListWrapper=  new AccountListWrapper();                accountListWrapper.add(new Account(INIT_IBAN, INIT_BUSINESS_IDENTIFER_CODE));            }            accountListWrapper.setStorageType(SESSION);            session.setAttribute(ACCOUNT_LIST_WRAPPER, accountListWrapper);            return accountListWrapper;        }    }

For an object to be Serializable, all of its members must also be Serializable. So BanksService must be Serializable; and this rule applies recursively.

It's not the BanksMvcController / BanksService that is stored, it's an AccontListWrapper. This is line 62 that's mentioned in the warning:
session.setAttribute(ACCOUNT_LIST_WRAPPER, accountListWrapper);

Do you find this web site helpful?
It suggest people to implement Serializable interface for your class.
https://cwe.mitre.org/data/definitions/579.html

Paul Clapham wrote:For an object to be Serializable, all of its members must also be Serializable. So BanksService must be Serializable; and this rule applies recursively.

Note that the JEE spec requires objects stored in Session scope to be serializable. And, as Paul noted, that includes the objects that they reference. Hmai's link "suggests" to make session objects serializable, but it's common these days for webapp servers to require serializable objects, as John discovered.

There are several reasons for this. One is that if you use clustering, you'll need to be able to pass the entire session from one JVM to another and that's done by serial transfer.

Another is to survive reboots of the JEE container. Tomcat, for example, writes sessions out to a work file with a ".ser" extension so that it can load them back in when it restarts.

You may think that these restrictions are silly/useless in the context of Spring Boot, but Spring Boot gets its web functions from an embedded copy of Tomcat or jetty and Tomcat, at least, actively enforces this constraint.

You might also notice that JDBC Connection is an Interface and that it is not Serializable. Before Tomcat started enforcing the serialization mandate, people were prone to stash Connections in their sessions. That was not only a good way to make a webapp unreliable, it also tied up precious resources. Connections in webapps should be pulled from a Connection pool, used, then returned to the pool (closed) as quickly as possible. And ALWAYS within the same request/response cycle.