Non-transient request field in FlashScope sometimes prevents serialization for session persistence


As we know, Stripes' FlashScope objects are stored in a Map in the HttpSession. The session attribute that stores them is Serializable, and the FlashScope itself implements Serializable, but it has a private field that holds an HttpServletRequest, which in practice is an instance of StripesRequestWrapper, which is not Serializable, so when you're using persistent sessions and your session manager uses serialization, it's possible that you'll end up getting a NotSerializableException when attempting to serialize the FlashScope.

The exact behavior probably varies from servlet engine to servlet engine, but here's what I've seen with Resin: if the request makes it to the end of StripesFilter.doFilter() before trying to save the session, it'll be ok because FlashScope.completeRequest() will have been called, which among other things nulls out the request field on the FlashScope. However, if an action ends with a RedirectResolution, then before the end of doFilter() it will end up in RedirectResolution.execute(), which calls HttpResponse.sendRedirect(), which (on Resin, at least) saves the session before sending the response to the client. At that point, of course, the request field on the FlashScope is still non-null, so the serialization fails.

From the testing I've done so far, it appears that marking the FlashScope.request field as transient will take care of the problem.


Resin 3.1.9, Java 1.6.0_13, Ubuntu 8.10




Mark Adams
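The failure and the proposed fix described in the report above, reproduced as an added example with plain `java.io` serialization; this is not Stripes code. `RequestWrapperStandIn`, `FlashScopeBefore`, `FlashScopeAfter`, `persist` and `restore` are hypothetical stand-ins for the non-serializable request wrapper, the FlashScope before and after the `transient` change, and the session manager's save and load.

```java
import java.io.*;

public class FlashScopeSerializationDemo {
    // Hypothetical stand-in for the request wrapper: deliberately NOT Serializable.
    static class RequestWrapperStandIn { }

    // Shape described in the report: Serializable, with a non-transient request field.
    static class FlashScopeBefore implements Serializable {
        private static final long serialVersionUID = 1L;
        private RequestWrapperStandIn request = new RequestWrapperStandIn();
        void completeRequest() { request = null; } // what happens at the end of the filter
    }

    // Same shape with the field marked transient, as the report proposes.
    static class FlashScopeAfter implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient RequestWrapperStandIn request = new RequestWrapperStandIn();
        boolean hasRequest() { return request != null; }
    }

    // Stand-in for a session manager that persists attributes via serialization.
    static byte[] persist(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object restore(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        FlashScopeBefore before = new FlashScopeBefore();
        try {
            persist(before); // session saved while the request is still attached
            System.out.println("unexpected: mid-request save succeeded");
        } catch (NotSerializableException e) {
            System.out.println("mid-request save fails on: " + e.getMessage());
        }
        before.completeRequest(); // field nulled, so a later save succeeds
        System.out.println("after completeRequest(): " + persist(before).length + " bytes");

        // With transient, the mid-request save works and the field is skipped.
        FlashScopeAfter restored = (FlashScopeAfter) restore(persist(new FlashScopeAfter()));
        System.out.println("transient field restored as null: " + !restored.hasRequest());
    }
}
```

A transient field comes back as `null` after deserialization, because field initializers are not re-run for a Serializable class, so any code that reads the request from a restored scope has to tolerate `null`.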



