Spring-security-oauth2權限框架使用RedisTokenStore的坑和跨坑

RedisTokenStore tokenStore = new RedisTokenStore(redisConnectionFactory);

在spring-security-oauth2鑑權框架中，使用redis存儲令牌時，涉及序列化和反序列化，

RedisTokenStore內置JdkSerializationStrategy，通過ALLOWED_CLASSES只有限制了支持反序列化的類型，然後就是拋一堆異常如下：

org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload; nested exception is java.io.NotSerializableException: Not allowed to deserialize xx.xx.xx.xx.data.JsonSupportObject
   at org.springframework.security.oauth2.provider.token.store.redis.JdkSerializationStrategy.deserializeInternal(JdkSerializationStrategy.java:66)
   at org.springframework.security.oauth2.provider.token.store.redis.BaseRedisTokenStoreSerializationStrategy.deserialize(BaseRedisTokenStoreSerializationStrategy.java:21)
   at org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore.deserializeAuthentication(RedisTokenStore.java:92)
   at org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore.readAuthentication(RedisTokenStore.java:146)
   at org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore.readAuthentication(RedisTokenStore.java:134)
   at xx.xx.xx.xx.xx.xx.service.impl.SyncDefaultTokenServices.loadAuthentication(SyncDefaultTokenServices.java:231)
   at xx.xx.xx.xx.xx.xx.service.impl.SyncDefaultTokenServices$$FastClassBySpringCGLIB$$e5d5e38e.invoke(<generated>)
   at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
   at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
   at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)
   at xx.xx.xx.xx.xx.xx.springboot.aop.aspect.LogWebStackAspect.arroundLogicMethod(LogWebStackAspect.java:67)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644)
   at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633)
   at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
   at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
   at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689)
   at xx.xx.xx.xx.xx.SyncDefaultTokenServices$$EnhancerBySpringCGLIB$$400aeeb1.loadAuthentication(<generated>)
   at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager.authenticate(OAuth2AuthenticationManager.java:83)
   at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:150)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
   at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
   at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
   at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
   at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
   at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
   at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
   at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
   at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
   at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:94)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
   at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at xx.xx.xx.xx.xx.filter.CacheMemoryRequestFilter.doFilter(CacheMemoryRequestFilter.java:40)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1579)
   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
   at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.NotSerializableException: Not allowed to deserialize xx.xxx.xx.common.data.JsonSupportObject
   at org.springframework.security.oauth2.provider.token.store.redis.SaferObjectInputStream.resolveClass(SaferObjectInputStream.java:59)
   at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
   at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
   at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1623)
   at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
   at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774)
   at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
   at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2000)
   at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1924)
   at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
   at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
   at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2000)
   at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1924)
   at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
   at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
   at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
   at org.springframework.security.oauth2.provider.token.store.redis.JdkSerializationStrategy.deserializeInternal(JdkSerializationStrategy.java:64)
   ... 77 common frames omitted

接下來觸發spring框架異常處理

Caused by: java.lang.IllegalStateException: getInputStream() has already been called for this request

問題原因：

系統中擴展了

DefaultExpiringOAuth2RefreshToken

DefaultOAuth2AccessToken，但是RedisTokenStore的序列化類JdkSerializationStrategy只支持如下幾種持久化對象

static {
        List<String> classes = new ArrayList<String>();
        classes.add("java.lang.");
        classes.add("java.util.");
        classes.add("org.springframework.security.");
        ALLOWED_CLASSES = Collections.unmodifiableList(classes);
    }

解決方法：

將JdkSerializationStrategy和SaferObjectInputStream的源碼複製出來放在同一個包自己玩。
            RedisTokenStore tokenStore = new RedisTokenStore(redisConnectionFactory);
            tokenStore.setSerializationStrategy(new JdkSerializationStrategy());
            return tokenStore;

個人認爲這種方式粗暴且快。o(^▽^)o

Spring-security-oauth2權限框架使用RedisTokenStore的坑和跨坑

10分鐘搞定Mysql主從部署配置

如何使用 JS 判斷用戶是否處於活躍狀態

「Pygors跨平臺GUI」2：安裝MinGW-w64、MSYS2還是WSL2

[轉帖]

python列出centos7內存使用前50的進程信息

「Pygors跨平臺GUI」1：Pygors跨平臺GUI應用研究

一鍵自動化博客發佈工具,用過的人都說好(掘金篇)

lightdb數據庫超時相關控制參數

lightdb秒級增加列和刪除列（not null帶默認值）

Java ThreadPoolShutdown

Centos7.6 Docker私服搭建-harbor

Centos7.6 kubernets1.15.4集羣搭建（親測可用）

容器相關彙總

GIT操作圖譜

自動化持續構建環境——maven部署到nexus倉庫

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結