8000 Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST · Issue #40034 · keycloak/keycloak · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST #40034
New issue
New issue
Closed
#40149
Closed
Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST#40034
#40149
Labels
kind/enhancementCategorizes a PR related to an enhancementpriority/normalrelease/26.3.0team/core-clients
@Anchels

Description

@Anchels
Anchels
opened on May 28, 2025

Description

A serializable class that is a subclass of a non-serializable class cannot be deserialized if its superclass does not declare a no-argument constructor. The Java serialization framework uses the no-argument constructor when it initializes the object instance that is created during deserialization. Deserialization fails with an InvalidClassException if its superclass does not declare a no-argument constructor.

The Java Development Kit API documentation states:

To allow subtypes of non-serializable classes to be serialized, the subtype may assume responsibility for saving and restoring the state of the supertype’s public, protected, and (if accessible) package fields. The subtype may assume this responsibility only if the class it extends has an accessible no-arg constructor to initialize the class’s state. It is an error to declare a class Serializable if this is not the case. The error will be detected at runtime.

Discussion

No response

Motivation

No response

Details

SAMLEntityAttributesParser is Serializable but its superclass doesn't define an accessible void constructor

keycloak/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/mdattr/SAMLEntityAttributesParser.java

Lines 16 to 46 in bacba00

public class SAMLEntityAttributesParser extends AbstractStaxSamlMetadataParser<EntityAttributes> implements Serializable {
private static final SAMLEntityAttributesParser INSTANCE = new SAMLEntityAttributesParser();
private SAMLEntityAttributesParser() {
super(SAMLMetadataQNames.ENTITY_ATTRIBUTES);
}
public static SAMLEntityAttributesParser getInstance() {
return INSTANCE;
}
@Override
protected EntityAttributes instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
return new EntityAttributes();
}
@Override
protected void processSubElement(XMLEventReader xmlEventReader, EntityAttributes target, SAMLMetadataQNames element,
StartElement elementDetail) throws ParsingException {
switch (element) {
case ATTRIBUTE:
target.addAttribute(SAMLAttributeParser.getInstance().parse(xmlEventReader));
break;
case ASSERTION:
target.addAssertion(SAMLAssertionParser.getInstance().parse(xmlEventReader));
break;
default:
throw LOGGER.parserUnknownTag(StaxParserUtil.getElementName(elementDetail), elementDetail.getLocation());
}
}
}

Found by Linux Verification Center with SVACE

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/enhancementCategorizes a PR related to an enhancementpriority/normalrelease/26.3.0team/core-clients

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      0