
Removing csrf guard generates error for distributed session #143

@romain-pm

Step to reproduce

Deploy a clustered env with distributed session and csrf guard enabled (any jahia cloud default env)

Observed

500 error when accessing the edit UI

[10.200.2.152]:7861 [distributed-sessions] [3.12.13] java.io.IOException: java.lang.ClassNotFoundException: Unable to deserialize session, due to class not found: org.jahia.modules.jahiacsrfguard.token.SerializableToken. Make sure to deploy missing module that should provide this class, OR restart distributed sessions module to purge sessions that would contains stale objects
com.hazelcast.nio.serialization.HazelcastSerializationException: java.io.IOException: java.lang.ClassNotFoundException: Unable to deserialize session, due to class not found: org.jahia.modules.jahiacsrfguard.token.SerializableToken. Make sure to deploy missing module that should provide this class, OR restart distributed sessions module to purge sessions that would contains stale objects
	at com.hazelcast.internal.serialization.impl.SerializationUtil.handleException(SerializationUtil.java:70) ~[?:?]
	at com.hazelcast.internal.serialization.impl.AbstractSerializationService.toObject(AbstractSerializationService.java:193) ~[?:?]
	at com.hazelcast.query.impl.CachedQueryEntry.getValue(CachedQueryEntry.java:75) ~[?:?]
	... 
	at com.hazelcast.map.impl.operation.EntryOperator.process(EntryOperator.java:337) ~[!/:3.12.13]
	at com.hazelcast.map.impl.operation.EntryOperator.operateOnKeyValueInternal(EntryOperator.java:185) ~[!/:3.12.13]
	at com.hazelcast.map.impl.operation.EntryOperator.operateOnKey(EntryOperator.java:169) ~[!/:3.12.13]
	at com.hazelcast.map.impl.operation.EntryOperation.call(EntryOperation.java:184) ~[!/:3.12.13]
	at com.hazelcast.spi.impl.operationservice.impl.OperationRunnerImpl.call(OperationRunnerImpl.java:210) [!/:3.12.13]
	at com.hazelcast.spi.impl.operationservice.impl.OperationRunnerImpl.run(OperationRunnerImpl.java:199) [!/:3.12.13]
	at com.hazelcast.spi.impl.operationexecutor.impl.OperationThread.process(OperationThread.java:147) [!/:3.12.13]
	at com.hazelcast.spi.impl.operationexecutor.impl.OperationThread.process(OperationThread.java:125) [!/:3.12.13]
	at com.hazelcast.spi.impl.operationexecutor.impl.OperationThread.run(OperationThread.java:110) [!/:3.12.13]
Caused by: java.io.IOException: java.lang.ClassNotFoundException: Unable to deserialize session, due to class not found: org.jahia.modules.jahiacsrfguard.token.SerializableToken. Make sure to deploy missing module that should provide this class, OR restart distributed sessions module to purge sessions that would contains stale objects
	at org.jahia.modules.session.hazelcast.ClassLoaderAwareSerializer.read(ClassLoaderAwareSerializer.java:26) ~[!/:4.2.0]
	at com.hazelcast.internal.serialization.impl.StreamSerializerAdapter.read(StreamSerializerAdapter.java:48) ~[?:?]
	at com.hazelcast.internal.serialization.impl.AbstractSerializationService.toObject(AbstractSerializationService.java:187) ~[?:?]
	... 11 more
Caused by: java.lang.ClassNotFoundException: Unable to deserialize session, due to class not found: org.jahia.modules.jahiacsrfguard.token.SerializableToken. Make sure to deploy missing module that should provide this class, OR restart distributed sessions module to purge sessions that would contains stale objects
	at org.jahia.modules.session.hazelcast.ClassLoaderAwareObjectInputStream.resolveClass(ClassLoaderAwareObjectInputStream.java:30) ~[!/:4.2.0]
	at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2045) ~[?:?]
	at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1909) ~[?:?]
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2235) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1744) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:514) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:472) ~[?:?]
	at java.base/java.util.HashMap.readObject(HashMap.java:1552) ~[?:?]
	... suppressed 2 lines
	at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
	at java.base/java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1104) ~[?:?]
	at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2434) ~[?:?]
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2268) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1744) ~[?:?]
	at java.base/java.io.ObjectInputStream$FieldValues.<init>(ObjectInputStream.java:2617) ~[?:?]
	at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2468) ~[?:?]
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2268) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1744) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:514) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:472) ~[?:?]
	at org.jahia.modules.session.hazelcast.ClassLoaderAwareSerializer.read(ClassLoaderAwareSerializer.java:24) ~[!/:4.2.0]
	at com.hazelcast.internal.serialization.impl.StreamSerializerAdapter.read(StreamSerializerAdapter.java:48) ~[?:?]
	at com.hazelcast.internal.serialization.impl.AbstractSerializationService.toObject(AbstractSerializationService.java:187) ~[?:?]
	... 11 more
Caused by: java.lang.ClassNotFoundException: Unable to find class 'org.jahia.modules.jahiacsrfguard.token.SerializableToken' in the class loaders of modules
	at org.jahia.osgi.BundleUtils.loadModuleClass(BundleUtils.java:383) ~[jahia-impl-8.2.2.0.jar:8.2.2.0]
	at org.jahia.utils.ClassLoaderUtils$CoreAndModulesClassLoader.loadClass(ClassLoaderUtils.java:96) ~[jahia-impl-8.2.2.0.jar:8.2.2.0]
	at org.jahia.modules.session.hazelcast.ClassLoaderUtil.tryLoadClass(ClassLoaderUtil.java:121) ~[!/:4.2.0]
	at org.jahia.modules.session.hazelcast.ClassLoaderUtil.loadClass(ClassLoaderUtil.java:90) ~[!/:4.2.0]
	at org.jahia.modules.session.hazelcast.ClassLoaderAwareObjectInputStream.resolveClass(ClassLoaderAwareObjectInputStream.java:28) ~[!/:4.2.0]
	at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2045) ~[?:?]
	at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1909) ~[?:?]
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2235) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1744) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:514) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:472) ~[?:?]
	at java.base/java.util.HashMap.readObject(HashMap.java:1552) ~[?:?]
	... suppressed 2 lines
	at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
	at java.base/java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1104) ~[?:?]
	at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2434) ~[?:?]
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2268) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1744) ~[?:?]
	at java.base/java.io.ObjectInputStream$FieldValues.<init>(ObjectInputStream.java:2617) ~[?:?]
	at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2468) ~[?:?]
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2268) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1744) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:514) ~[?:?]
	at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:472) ~[?:?]
	at org.jahia.modules.session.hazelcast.ClassLoaderAwareSerializer.read(ClassLoaderAwareSerializer.java:24) ~[!/:4.2.0]
	at com.hazelcast.internal.serialization.impl.StreamSerializerAdapter.read(StreamSerializerAdapter.java:48) ~[?:?]
	at com.hazelcast.internal.serialization.impl.AbstractSerializationService.toObject(AbstractSerializationService.java:187) ~[?:?]
	... 11 more

Expected

I should be logged out and there shouldn't be any error
