FlashMap's cannot be easily serialized by means other than java serialization [SPR-12757]

[spring-projects-issues]

Jelmer Kuperus opened SPR-12757 and commented

Currently it is not easy to serialize a org.springframework.web.servlet.FlashMap using anything other than regular java serialization or frameworks that use reflective field access

The problem is that the expirationStartTime and timeToLive fields can only be set by invoking startExpirationPeriod.

So suppose that I wanted to serialize this object to a json object to store in a cookie then i would not be able to do this

Using java serialization in this context would be ill advised as this post points out

http://stackoverflow.com/questions/19054460/what-is-the-security-impact-of-deserializing-untrusted-data-in-java

---

Affects: 4.1.5

Issue Links:

• Make flash attributes use cookie to enable stateless webapp [SPR-8997] #13637 Make flash attributes use cookie to enable stateless webapp

Referenced from: commits 83ff0ad

[spring-projects-issues]

Rossen Stoyanchev commented

To provide getters and setters would compromise the design too much. Perhaps we could provide a method to return a SerializableFlashMap type with proper getters and setters and also a reverse method for creating a FlashMap from a SerializableFlashMap. Or did you have something else in mind?

[spring-projects-issues]

Rossen Stoyanchev commented

This is related to #13637.

[spring-projects-issues]

Jelmer Kuperus commented

That does immediately strike me as the most elegant solution one of the problems i think is, that for some reason it stores what is effectively an expiry date as two fields and then does calculations on every request to arrive at this date. Doing the calculation once in startExpirationPeriod and then exposing a getter for this field plus a static factory method for creating a FlashMap with this value would not compromise design that much i think

[spring-projects-issues]

Rossen Stoyanchev commented

Thanks for the suggestion, seems reasonable. Feel free to submit a PR if you're in the middle of it.

[spring-projects-issues]

Rossen Stoyanchev commented

I've switched to a single expirationTime property in FlashMap as suggested and have provided setter and getter for it.