I’ve upgraded to Play 2.8 which brings along Akka 2.6. In Akka 2.6 they’ve disabled Java serialization by default: https://doc.akka.io/docs/akka/current/serialization.html#java-serialization
Akka serialization with Java serialization is disabled by default and Akka itself doesn’t use Java serialization for any of its internal messages. It is highly discouraged to enable Java serialization in production.
The log messages emitted by the disabled Java serializer in production SHOULD be treated as potential attacks which the serializer prevented, as they MAY indicate an external operator attempting to send malicious messages intending to use java serialization as attack vector. The attempts are logged with the SECURITY marker.
However, in Silhouette there doesn’t seem to be another serializer defined for JWTAuthenticator, so attempting to serialize that object fails:
[warn] a.s.Serialization(akka://application) - Using the Java serializer for class [com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticator] which is not recommended because of performance implications. Use another serializer or disable this warning using the setting 'akka.actor.warn-about-java-serializer-usage'
[debug] a.s.Serialization(akka://application) - Using serializer [akka.serialization.DisabledJavaSerializer] for message [com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticator]
[warn] a.s.DisabledJavaSerializer - Outgoing message attempted to use Java Serialization even though `akka.actor.allow-java-serialization = off` was set! Message type was: [class com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticator]
[error] p.a.cache.redis - Serialization failed for key '<snip>'. akka.serialization.DisabledJavaSerializer$JavaSerializationException: Attempted to serialize message using Java serialization while `akka.actor.allow-java-serialization` was disabled. Check WARNING logs for more details.
I can solve this by setting akka.actor.allow-java-serialization = on in my config. But as the Akka docs say, this is strongly discouraged and a potential security issue. I’ve tried both play-silhouette 6.1 (which I was on with Play 2.7) and play-silhouette 7; both have the same issue. Would it be possible to implement a serializer for JWTAuthenticator in Silhouette to eliminate this problem?
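For reference, the alternative to flipping akka.actor.allow-java-serialization back on is to register a dedicated Akka Serializer and bind it to the one class that needs it, so the 2.6 default stays in force for everything else. The following is an added example, not code from Silhouette, Akka or Play. It assumes Play JSON is on the classpath (it is in a Play 2.8 app) and uses a hypothetical stand-in case class, AuthenticatorLike, in place of Silhouette's JWTAuthenticator; the real class carries Joda DateTime and FiniteDuration fields that would need their own Reads/Writes, and the binding would name its fully qualified class, com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticator. The serializer identifier 9001 is an arbitrary value chosen for the example.

```scala
// Added example (not Silhouette's, Akka's or Play's code): a JSON-based Akka Serializer
// bound to one class via akka.actor.serialization-bindings, so that
// akka.actor.allow-java-serialization can stay "off" (the Akka 2.6 default).
import java.nio.charset.StandardCharsets.UTF_8
import akka.actor.ActorSystem
import akka.serialization.{SerializationExtension, Serializer}
import com.typesafe.config.ConfigFactory
import play.api.libs.json._

// Hypothetical stand-in for JWTAuthenticator: plain fields that map directly to JSON.
final case class AuthenticatorLike(id: String, providerID: String, providerKey: String,
                                   expirationMillis: Long)

object AuthenticatorLike {
  implicit val format: OFormat[AuthenticatorLike] = Json.format[AuthenticatorLike]
}

// A dedicated serializer: it only accepts the bound class, so no other type can ride
// through it, and it never touches java.io.ObjectInputStream.
class AuthenticatorLikeSerializer extends Serializer {
  // Must be unique across all serializers in the ActorSystem; 0-40 are reserved by Akka.
  override def identifier: Int = 9001 // arbitrary value chosen for this example
  override def includeManifest: Boolean = false

  override def toBinary(o: AnyRef): Array[Byte] = o match {
    case a: AuthenticatorLike => Json.stringify(Json.toJson(a)).getBytes(UTF_8)
    case other => throw new IllegalArgumentException(s"Cannot serialize ${other.getClass}")
  }

  override def fromBinary(bytes: Array[Byte], manifest: Option[Class[_]]): AnyRef =
    Json.parse(new String(bytes, UTF_8)).as[AuthenticatorLike]
}

object SerializerDemo extends App {
  // Register the serializer and bind it to the class; Java serialization stays disabled.
  // The class names are unqualified only because the example classes sit in no package.
  val config = ConfigFactory.parseString(
    """
      |akka.actor.allow-java-serialization = off
      |akka.actor.serializers {
      |  authenticator-json = "AuthenticatorLikeSerializer"
      |}
      |akka.actor.serialization-bindings {
      |  "AuthenticatorLike" = authenticator-json
      |}
      |""".stripMargin)

  val system = ActorSystem("serializer-demo", config)
  try {
    val serialization = SerializationExtension(system)
    // Constructed sample value for the round trip.
    val original = AuthenticatorLike("abc123", "credentials", "user@example.com", 1700000000000L)
    // Akka resolves the bound serializer instead of DisabledJavaSerializer, so no
    // JavaSerializationException and no SECURITY-marked warning is produced.
    val bytes = serialization.serialize(original).get
    val back = serialization.deserialize(bytes, classOf[AuthenticatorLike]).get
    println(s"serializer: ${serialization.findSerializerFor(original).getClass.getSimpleName}")
    println(s"round trip ok: ${back == original}")
  } finally system.terminate()
}
```

Because the redis cache module in the log above (p.a.cache.redis) goes through Akka's SerializationExtension, a binding like this is picked up on that path as well, and the SECURITY-marked DisabledJavaSerializer warnings then keep their intended meaning: any remaining occurrence points at a type that was never given a non-Java serializer, rather than at expected application traffic.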