Pitfall scenario:
The company recently reworked its technical architecture, upgrading from SpringBoot 1.5.6 to 2.0.6 and gradually converting internal service calls from the dubbo protocol to SpringCloud Feign calls. The early stage mainly covered the SpringBoot version upgrade.
The versions of the dependencies that get loaded are maintained automatically through
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
We use a database to store tokens. The spring-security-oauth2 version is unchanged, still 2.0.14.RELEASE, but tokens generated under the older version have compatibility problems during deserialization:
java.lang.IllegalArgumentException:
java.io.InvalidClassException: org.springframework.security.core.authority.SimpleGrantedAuthority;
local class incompatible: stream classdesc serialVersionUID = 420, local class serialVersionUID = 500
This shows that the serialVersionUID of SimpleGrantedAuthority has changed from 420 to 500, so there is a serialization compatibility problem.
Troubleshooting process:
Checking the dependencies of the spring-security-oauth2 jar shows that with SpringBoot 1.5.6 the spring-security-core and spring-security-config it depends on are version 4.2.3. After upgrading to 2.0.6, the dependent version is 5.0.9.
In the 5.0.9 source code SimpleGrantedAuthority has serialVersionUID=500, while in 4.2.3 it has serialVersionUID=420, which results in the deserialized object being null.
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.0.14.RELEASE</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
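Stored token blobs can be checked against the upgraded classpath before the switch by comparing the serialVersionUID recorded in the stream with the local one. The following is an added example, not code from the original post: the Authority class is a constructed stand-in for SimpleGrantedAuthority, and the legacy blob is simulated by patching the UID bytes of a freshly serialized object to 420.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.util.LinkedHashMap;
import java.util.Map;

public class SerialUidAudit {
    // Constructed stand-in for SimpleGrantedAuthority; the local class declares 500, as 5.0.9 does.
    static class Authority implements Serializable {
        private static final long serialVersionUID = 500L;
        final String role;
        Authority(String role) { this.role = role; }
    }

    // Records {stream UID, local UID} for a descriptor that disagrees with the local classpath.
    // Reading stops at the first mismatch, because the JDK then throws InvalidClassException.
    static class AuditStream extends ObjectInputStream {
        final Map<String, long[]> mismatches = new LinkedHashMap<>();
        AuditStream(InputStream in) throws IOException { super(in); }
        @Override
        protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
            ObjectStreamClass fromStream = super.readClassDescriptor();
            try {
                Class<?> c = Class.forName(fromStream.getName(), false, SerialUidAudit.class.getClassLoader());
                ObjectStreamClass local = ObjectStreamClass.lookup(c); // null if not Serializable
                if (local != null && local.getSerialVersionUID() != fromStream.getSerialVersionUID()) {
                    long[] uids = {fromStream.getSerialVersionUID(), local.getSerialVersionUID()};
                    mismatches.put(fromStream.getName(), uids);
                }
            } catch (ClassNotFoundException e) { /* not on the local classpath: nothing to compare */ }
            return fromStream;
        }
    }

    // Attempts to read one blob and returns the mismatch found, printing the JDK's own exception.
    static Map<String, long[]> audit(byte[] blob) throws IOException, ClassNotFoundException {
        try (AuditStream in = new AuditStream(new ByteArrayInputStream(blob))) {
            try { in.readObject(); } catch (InvalidClassException e) { System.out.println(e); }
            return in.mismatches;
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new Authority("ROLE_USER")); }
        byte[] blob = buf.toByteArray();
        // Layout: magic(2) version(2) TC_OBJECT(1) TC_CLASSDESC(1) nameLen(2) name(nameLen) serialVersionUID(8)
        int nameLen = ((blob[6] & 0xff) << 8) | (blob[7] & 0xff);
        ByteBuffer.wrap(blob).putLong(8 + nameLen, 420L); // simulate a token written under 4.2.3
        audit(blob).forEach((cls, uid) -> System.out.println(cls + ": stream=" + uid[0] + " local=" + uid[1]));
    }
}
```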
Solution:
To stay compatible with tokens generated under the older version, the security version is downgraded.
Exclude the dependencies that spring-security-oauth2 pulls in automatically and declare the 4.2.3.RELEASE dependencies explicitly.
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.0.14.RELEASE</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>4.2.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.2.3.RELEASE</version>
</dependency>