From ec70ea55963ceb518593c62e0099264ff9dd00a4 Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Mon, 3 Mar 2025 07:32:25 +0100
Subject: [PATCH] Make session serializable (#121)

When re-deploying the application, or restarting Tomcat, it will attempt to serialize the active sessions to prevent users from getting logged out and losing in-progress work. This requires that all attributes that are stored in the session implement `java.io.Serializable`. Spring stores the entire security context in the session which includes a reference to the principal, and that principal may be of type "WicketControlledPrincipal" and it must therefore be serializable.

## How to test
1. Be on the `develop` branch
2. Make sure session preservation is turned on (in IntelliJ check "Preserve sessions across restarts and redeploys", or read https://tomcat.apache.org/tomcat-10.0-doc/config/manager.html#Persistence_Across_Restarts)
3. Log in as the default admin `dev@localhost`
4. Switch to "Sture Student" under "Admin / Users / Switch user"
5. Restart Tomcat
6. Refresh page and you'll be prompted to log in again
7. Switch to this branch and repeat step 1-6

Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/121
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
---
 .../se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java b/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java
index 6f209f38aa..3d71fd12a3 100644
--- a/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java
+++ b/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java
@@ -4,6 +4,7 @@ import jakarta.inject.Inject;
 import jakarta.inject.Provider;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.io.Serializable;
 import java.security.Principal;
 import java.util.Collections;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
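Review bot: The Serializable import added here is consumed by the second hunk, where WicketControlledPrincipal gains `implements Serializable` without declaring a `serialVersionUID`; the JVM then derives one from the class structure, so any later edit to the class (a new field or method) makes Tomcat's persisted sessions fail to deserialize with InvalidClassException on the next redeploy, which is the very scenario this patch sets out to fix. Add `private static final long serialVersionUID = 1L;` alongside the `username` field. The class body continues outside the second hunk, so I can only see the `String username` field; if the class holds any other non-serializable state, that would need to be marked `transient` or made serializable as well.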
@@ -81,7 +82,7 @@ public class CurrentUserFromSpringSecurity implements AuthenticationContext {
         return authentication.getName();
     }
 
-    private static final class WicketControlledPrincipal implements Principal {
+    private static final class WicketControlledPrincipal implements Principal, Serializable {
 
         private final String username;