From f3eacbfda415e6ba5bc0d9c0f1026699a1a5d36a Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Thu, 27 Feb 2025 12:29:29 +0100
Subject: [PATCH] Make session serializable

When re-deploying the application, or restarting Tomcat, it will attempt to serialize the active sessions to prevent users from getting logged out and losing in-progess work. This requires that all attributes that are stored in the session implement java.io.Serializable. Spring stores the entire security context in the session which includes a reference to the principal, and that principal may be of type "WicketControlledPrincipal" and it must therefore be serializable.
---
 .../se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java b/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java
index 6f209f38aa..3d71fd12a3 100644
--- a/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java
+++ b/war/src/main/java/se/su/dsv/scipro/war/CurrentUserFromSpringSecurity.java
@@ -4,6 +4,7 @@ import jakarta.inject.Inject;
 import jakarta.inject.Provider;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.io.Serializable;
 import java.security.Principal;
 import java.util.Collections;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -81,7 +82,7 @@ public class CurrentUserFromSpringSecurity implements AuthenticationContext {
         return authentication.getName();
     }
 
-    private static final class WicketControlledPrincipal implements Principal {
+    private static final class WicketControlledPrincipal implements Principal, Serializable {
 
         private final String username;