Errors deserializing pac4j profiles


We use play-pac4j in CiviForm, an open-source, public interest project. Our user profiles are represented by the CiviFormProfileData subclass of o.p.c.p.CommonProfile.

In our logs, we have noted warnings like this:

[warn] o.p.c.u.s.JavaSerializer - cannot Java deserialize object
java.io.InvalidClassException: auth.CiviFormProfileData; local class incompatible: stream classdesc serialVersionUID = 3142603030317816700, local class serialVersionUID = 6503846375980947185

This surprises us, because we expected profile serialization to be stable. Note that we did not have serialVersionUID set for this subclass, which was an oversight (and is addressed by this PR). That being said, though the class has had some small changes recently, the structure of the class did not change.

  1. Is this behavior expected?
  2. If so, is setting serialVersionUID to the current value sufficient to guard against this problem in the future?

GitHub issue: Errors deserializing pac4j profiles
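The exception in the log is a pure eight-byte comparison: the stream carries the serialVersionUID of the class that wrote it, and ObjectInputStream rejects the stream if the local class's value differs. When a Serializable class does not declare serialVersionUID, the JVM computes a default by hashing the class name, modifiers, interfaces, fields, constructors and non-private methods, so adding a helper method changes the value even though no field changed. The program below (an added example, not CiviForm's or pac4j's code; DemoProfile is a hypothetical stand-in for the profile class) serializes a profile, then rewrites the UID bytes in the stream to the "stream classdesc" value from the log to reproduce the exact failure:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Arrays;

public class SerialVersionUidDemo {

    // Hypothetical stand-in for a pac4j profile subclass. The explicit
    // serialVersionUID is the "local class" value quoted in the log.
    static class DemoProfile implements Serializable {
        private static final long serialVersionUID = 6503846375980947185L;
        String id;
        String email;
        DemoProfile(String id, String email) { this.id = id; this.email = email; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Overwrite the big-endian serialVersionUID stored in the stream's class
    // descriptor. Searching for the 8-byte pattern is enough here because the
    // declared value is effectively unique within such a small stream.
    static byte[] patchUid(byte[] stream, long from, long to) {
        byte[] needle = ByteBuffer.allocate(8).putLong(from).array();
        byte[] out = stream.clone();
        for (int i = 0; i + 8 <= out.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(out, i, i + 8), needle)) {
                System.arraycopy(ByteBuffer.allocate(8).putLong(to).array(), 0, out, i, 8);
                return out;
            }
        }
        throw new IllegalStateException("serialVersionUID not found in stream");
    }

    public static void main(String[] args) throws Exception {
        // With an explicit serialVersionUID, lookup() returns the declared value
        // rather than a hash of the class shape.
        long local = ObjectStreamClass.lookup(DemoProfile.class).getSerialVersionUID();
        System.out.println("local serialVersionUID = " + local);

        // Constructed sample profile; round trip succeeds when UIDs match.
        byte[] good = serialize(new DemoProfile("42", "user@example.com"));
        DemoProfile p = (DemoProfile) deserialize(good);
        System.out.println("round trip ok: " + p.email);

        // Simulate a cookie written by an older build whose computed UID was
        // the "stream classdesc" value from the log.
        byte[] stale = patchUid(good, local, 3142603030317816700L);
        try {
            deserialize(stale);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            // Prints the same "local class incompatible: stream classdesc
            // serialVersionUID = ..., local class serialVersionUID = ..." text.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Pinning serialVersionUID makes the check pass across builds, but that is all it does: once the UIDs match, fields added since the stream was written take their default values and fields that were removed are silently skipped, so a pinned UID is a promise that the class can still read its old streams, not a substitute for reviewing field changes.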


Solution

  • Profile serialization should be stable.

    We have faced issues using the JavaSerializer, so this has been changed in the pac4j core project to use the JsonSerializer.

    This is not the case with play-pac4j and the PlayCookieSessionStore. I guess we should change that.

    What play-pac4j version do you use?