Serialization issues with Vaadin on Tomcat

Question

I deployed my Vaadin application on Tomcat and it is from time to time throwing the following exception:

28-Mar-2023 21:33:32.448 WARNING [http-nio-8080-exec-48] org.apache.catalina.session.StandardSession.doWriteObject Cannot serialize session attribute [com.vaadin.flow.server.VaadinSession.springServlet] for session [E0E11430F24C7B870DF2E047CD4D76BC] java.io.NotSerializableException: org.garik.encyclopedia.util.ApiBookUtils at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1192) ...

It happens for various classes

28-Mar-2023 19:00:46.492 WARNING [http-nio-8080-exec-32] org.apache.catalina.session.StandardSession.doWriteObject Cannot serialize session attribute [com.vaadin.flow.server.VaadinSession.springServlet] for session [F0F93879699D54297B7657D9CEC0974D] java.io.NotSerializableException: org.garik.encyclopedia.model.Tag

and after that Tomcat undeploys my application. I can't figure it out. When I was debugging my application as a JAR file it never happened. Can someone please tell me what I can do to avoid it?

Answer 1

Tomcat uses Java serialization for both clustering and session-storage during restarts, depending upon your configuration.

If there are objects in the session which cannot be serialized (or deserialized, because the process isn't always 100% symmetric), then you will get errors such as these.

Are you manually-adding either of those two classes (ApiBookUtils and Tag) to the session? Generally speaking, anything put into an HttpSession should be Serializable.

If you are not using Tomcat's clustering, then serialization should not occur at all for that purpose.

If you are using Tomcat's StandardManager (the default session manager), then the default configuration is to store sessions in a file during restarts. If you do not want that capability, then you can simply disable it by setting pathname="" in your <Manager> configuration (an application-specific context.xml file).

If you do want to use session-persistence across restarts, you have a few options:

1. Use sessionAttributeNameFilter on your <Manager> to specify all those attribute names which you do want to be serialized. Simple leave-our those that cause errors.
2. Use sessionAttributeValueClassNameFilter to limit the types of classes that will be serialized. Simply leave-out those that cause errors.
3. Modify the classes being used to implement java.io.Serializable.
4. Stop putting those objects into the session.