
How to handle version upgrades of spring-security-oauth2?

spring-security-oauth2 saves the Authentication object as part of the access token entry in the database as a serialized Java object (ByteArrayOutputStream.writeObject(authentication)).

How do you handle version upgrades of either spring-security (which may change SpringSecurityCoreVersion.SERIAL_VERSION_UID) or spring-security-oauth (which may change the serialVersionUID of OAuth2Authentication)? If the serialVersionUID changes, the persisted Authentication object cannot be deserialized anymore.

We are coming to the conclusion that deleting the access tokens containing the serialized Authentication objects would be the cleanest and easiest solution when upgrading the framework version. Any ideas on how to handle this more gracefully?

I think that the best solution is to throw the tokens away. There is a big comment next to the declaration of SpringSecurityCoreVersion.SERIAL_VERSION_UID that says this:

/**
 * Global Serialization value for Spring Security classes.
 *
 * N.B. Classes are not intended to be serializable between different versions. See
 * SEC-1709 for why we still need a serial version.
 */

Indeed, they deliberately bump SERIAL_VERSION_UID (at least) on every minor release.

(The issue comments for SEC-1709 explain how they came to this solution.)

What I get from the comments is that if you did attempt to handle version upgrades transparently, you may cause things to break, with unpredictable consequences.

On the other hand, OAuth2Authentication.serialVersionUID doesn't appear to have changed in the last 9 years.
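The following is an added, self-contained demonstration of the failure mode discussed in the question and answer; it is not code from the question, the answer, or the Spring Security / spring-security-oauth2 projects. StoredAuthentication is a hypothetical stand-in for the persisted Authentication object, the serialVersionUID values 520 and 510 are made up, and the "upgrade" is simulated by overwriting the 8-byte serialVersionUID that Java serialization writes right after the class name in the stream's class descriptor. The reader side shows the "throw the tokens away" advice applied lazily: a row whose serialVersionUID no longer matches (or whose class the JVM no longer knows, or which a deserialization allow-list rejects) is reported as unusable so the caller can delete that token and let the client re-authenticate, instead of letting an InvalidClassException bubble up as a server error.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

/** Added demo: serialVersionUID mismatch on a persisted token row, handled gracefully. */
public class StaleTokenDemo {

    /** Hypothetical stand-in for the Authentication object the token store persists. */
    static final class StoredAuthentication implements Serializable {
        // Plays the role of SpringSecurityCoreVersion.SERIAL_VERSION_UID (made-up value).
        private static final long serialVersionUID = 520L;
        final String principal;
        StoredAuthentication(String principal) { this.principal = principal; }
    }

    /** Result of reading one persisted row: usable, or unusable with the reason to log. */
    static final class ReadResult {
        final boolean usable;
        final String reason;
        ReadResult(boolean usable, String reason) { this.usable = usable; this.reason = reason; }
    }

    /** Serialize the way the token store does (ObjectOutputStream.writeObject). */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /**
     * Simulates a row written by a different framework version: in the stream, the
     * class descriptor is TC_CLASSDESC, className (writeUTF), then the 8-byte
     * serialVersionUID, so overwriting those 8 bytes is what an upgrade that bumps
     * SERIAL_VERSION_UID looks like from the reader's point of view.
     */
    static byte[] withDifferentSerialVersionUid(byte[] stream, Class<?> cls, long newUid) {
        byte[] name = cls.getName().getBytes(StandardCharsets.UTF_8);
        int at = indexOf(stream, name);
        if (at < 0) throw new IllegalStateException("class descriptor not found in stream");
        byte[] out = stream.clone();
        int uidStart = at + name.length;              // big-endian long follows the name
        for (int i = 7; i >= 0; i--) {
            out[uidStart + i] = (byte) (newUid & 0xFF);
            newUid >>>= 8;
        }
        return out;
    }

    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i <= haystack.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    /**
     * Deserialize one row with an allow-list filter (our class plus java.base types
     * it references; everything else rejected), and turn deserialization failures
     * into an "unusable: delete this token" result rather than an exception.
     */
    static ReadResult readAuthentication(byte[] row) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(row))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    StoredAuthentication.class.getName() + ";java.base/*;!*"));
            Object o = ois.readObject();
            if (o instanceof StoredAuthentication) {
                return new ReadResult(true, "principal=" + ((StoredAuthentication) o).principal);
            }
            return new ReadResult(false, "unexpected type " + o.getClass().getName());
        } catch (InvalidClassException e) {
            // Covers both a serialVersionUID mismatch ("local class incompatible ...")
            // and a class rejected by the filter ("filter status: REJECTED").
            return new ReadResult(false, e.getMessage());
        } catch (ClassNotFoundException e) {
            // The class was renamed or removed in the new version: equally unusable.
            return new ReadResult(false, "class not found: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] currentRow = serialize(new StoredAuthentication("alice"));
        byte[] preUpgradeRow = withDifferentSerialVersionUid(currentRow, StoredAuthentication.class, 510L);

        for (byte[] row : new byte[][] { currentRow, preUpgradeRow }) {
            ReadResult r = readAuthentication(row);
            // A real token store would call its removeAccessToken(...) here when !r.usable.
            System.out.println((r.usable ? "OK      " : "DELETE  ") + r.reason);
        }
    }
}
```

Run with `javac StaleTokenDemo.java && java StaleTokenDemo` (Java 9 or newer, for ObjectInputFilter). The first row reads back normally; the second fails with the "local class incompatible" message and is flagged for deletion. The allow-list filter is there because a token store that deserializes arbitrary Java objects from a database column is a deserialization sink: restricting the accepted classes limits the damage if an attacker can ever write to that column, independently of the version-upgrade question.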
