Remove Java security context serialization (#2677)

Remove Java security context serialization - it is replaced by JSON security context serialization (optimized as size). Backward incompatible change.
Java security context serialization was not used in default hawkbit runtime out of the box. So, it's assumed none uses it. 
Anyway, if anyone has enabled it, he could, in order to keep backward compatibility, get the java security context serialization from the previous hawkbit releases/commits and register it again as a spring bean in his hawkbit extension.

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-09-18 14:46:51 +03:00
committed by GitHub
parent 4444fc92bc
commit 7980b5defb
11 changed files with 66 additions and 107 deletions

View File

@@ -32,7 +32,6 @@ import org.eclipse.hawkbit.security.SpringSecurityAuditorAware.AuditorAwarePrinc
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
import org.eclipse.hawkbit.tenancy.TenantAwareUser;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
@@ -49,17 +48,8 @@ public interface SecurityContextSerializer {
SecurityContextSerializer NOP = new Nop();
/**
* Serializer the uses JSON serialization.
* <p/>
* Note that on deserialization this serialization does (if configured) fallback to {@link #JAVA_SERIALIZATION}.
*/
SecurityContextSerializer JSON_SERIALIZATION = new JsonSerialization();
/**
* Serializer the uses Java serialization of {@link java.io.Serializable} objects (legacy, not recommended).
* <p/>
* Note that serialized via java serialization context might become unreadable if incompatible
* changes are made to the object classes.
*/
SecurityContextSerializer JAVA_SERIALIZATION = new JavaSerialization();
/**
* Return security context as string (could be just a reference)
@@ -82,11 +72,9 @@ public interface SecurityContextSerializer {
* It returns <code>null</code> as serialized context and throws exception if
* someone try to deserialize anything.
*/
@NoArgsConstructor(access = AccessLevel.PRIVATE)
class Nop implements SecurityContextSerializer {
private Nop() {
}
@Override
public String serialize(final SecurityContext securityContext) {
return null;
@@ -106,8 +94,6 @@ public interface SecurityContextSerializer {
class JsonSerialization implements SecurityContextSerializer {
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
private static final boolean FALLBACK_TO_JAVA_SERIALIZATION =
!Boolean.getBoolean("hawkbit.security.contextSerializer.json.no-fallback-to-java");
@Override
public String serialize(final SecurityContext securityContext) {
@@ -124,13 +110,6 @@ public interface SecurityContextSerializer {
Objects.requireNonNull(securityContextString);
final String securityContextTrimmed = securityContextString.trim();
try {
// java serialization starts with {@link ObjectStreamConstants#STREAM_MAGIC} (0xAC, 0xED) bytes
// while trimmed json object starts with '{'
if (FALLBACK_TO_JAVA_SERIALIZATION &&
(securityContextTrimmed.isEmpty() || securityContextTrimmed.charAt(0) != '{')) {
return JAVA_SERIALIZATION.deserialize(securityContextString);
}
return OBJECT_MAPPER.readerFor(SecCtxInfo.class).<SecCtxInfo> readValue(securityContextTrimmed).toSecurityContext();
} catch (final JsonProcessingException e) {
throw new RuntimeException(e);

View File

@@ -10,7 +10,6 @@
package org.eclipse.hawkbit.security;
import static org.assertj.core.api.Assertions.assertThat;
import static org.eclipse.hawkbit.security.SecurityContextSerializer.JAVA_SERIALIZATION;
import static org.eclipse.hawkbit.security.SecurityContextSerializer.JSON_SERIALIZATION;
import java.util.List;
@@ -63,24 +62,6 @@ class SecurityContextSerializerTest {
assertThat(serialized).hasSizeLessThan(4096); // ensure that it is not too big
}
// test JSON serialization fallback to java serialization
@Test
void backwardCompatibilityOfJavaSerialization() {
final SecurityContext securityContext = SecurityContextHolder.getContext();
securityContext.setAuthentication(
new UsernamePasswordAuthenticationToken("user", null, AUTHORITIES.stream().map(SimpleGrantedAuthority::new).toList()));
final String newSerialized = JSON_SERIALIZATION.serialize(securityContext);
final String oldSerialized = JAVA_SERIALIZATION.serialize(securityContext);
assertThat(oldSerialized).isNotEqualTo(newSerialized);
final Authentication deserializedOld = JSON_SERIALIZATION.deserialize(oldSerialized).getAuthentication();
final Authentication deserializedNew = JSON_SERIALIZATION.deserialize(newSerialized).getAuthentication();
assertThat(SpringSecurityAuditorAware.resolveAuditor(deserializedOld)).hasToString(SpringSecurityAuditorAware.resolveAuditor(deserializedNew));
assertThat(deserializedOld.getAuthorities()).isEqualTo(deserializedNew.getAuthorities());
assertThat(deserializedOld.isAuthenticated()).isEqualTo(deserializedNew.isAuthenticated());
}
@Test
void testUsername() {
final SecurityContext securityContext = SecurityContextHolder.getContext();
@@ -106,4 +87,4 @@ class SecurityContextSerializerTest {
}
return sb.toString();
}
}
}