Add serialVersionUID tolerant java deserializer

Workaround for spring-projects#3737

Author: onobc

spring-integration-core/src/main/java/org/springframework/integration/support/serializer/VersionTolerantJavaDeserializer.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.integration.support.serializer;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.io.Serializable;
+
+import org.springframework.core.NestedIOException;
+import org.springframework.core.serializer.Deserializer;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+/**
+ * A {@link Deserializer} implementation that reads an input stream using Java serialization in a manner that
+ * allows {@link Serializable} classes to be deserialized with more than one {@code serialVersionUID}.
+ *
+ * <pre>
+ * <code>
+ * 	VersionTolerantJavaDeserializer deser = new VersionTolerantJavaDeserializer();
+ * 	deser.allowSerialVersionUID(MessageHistory.class, 1426799817181873282L);
+ * 	deser.allowSerialVersionUID(MessageHistory.class, -2340400235574314134L);
+ *
+ * 	JdbcMessageStore messageStore = ...
+ * 	messageStore.setDeserializer(deser);
+ * 	Message{@literal <}Foo{@literal >} oldFoo = messageStore.getMessage(oldFooMsgUid);
+ * </code>
+ * </pre>
+ *
+ * @author  Chris Bono
+ */
+public class VersionTolerantJavaDeserializer implements Deserializer<Object> {
+
+	private final MultiValueMap<Class<?>, Long> alternativeSerialVersionUIDs = new LinkedMultiValueMap<>();
+
+	/**
+	 * Allows an alternative {@code serialVersionUID} to be used when deserializing a class.
+	 * @param clazz the class
+	 * @param serialVersionUID the alternate uid to allow
+	 */
+	public void allowSerialVersionUID(Class<?> clazz, long serialVersionUID) {
+		this.alternativeSerialVersionUIDs.add(clazz, serialVersionUID);
+	}
+
+	@Override
+	public Object deserialize(InputStream inputStream) throws IOException {
+		VersionTolerantObjectInputStream objectInputStream = new VersionTolerantObjectInputStream(inputStream);
+		try {
+			return objectInputStream.readObject();
+		}
+		catch (ClassNotFoundException ex) {
+			throw new NestedIOException("Failed to deserialize object type", ex);
+		}
+	}
+
+	private class VersionTolerantObjectInputStream extends ObjectInputStream {
+
+		private VersionTolerantObjectInputStream(InputStream in) throws IOException {
+			super(in);
+		}
+
+		@Override
+		protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
+			ObjectStreamClass resultClassDescriptor = super.readClassDescriptor();
+
+			String className = resultClassDescriptor.getName();
+			Class<?> localClass = Class.forName(className);
+			if (!alternativeSerialVersionUIDs().containsKey(localClass)) {
+				return resultClassDescriptor;
+			}
+
+			ObjectStreamClass localClassDescriptor = ObjectStreamClass.lookup(localClass);
+			if (localClassDescriptor == null) {
+				return resultClassDescriptor;
+			}
+
+			final long localSerialVersionUID = localClassDescriptor.getSerialVersionUID();
+			final long streamSerialVersionUID = resultClassDescriptor.getSerialVersionUID();
+			if (streamSerialVersionUID != localSerialVersionUID && alternativeSerialVersionUIDs().get(localClass)
+					.contains(streamSerialVersionUID)) {
+				return localClassDescriptor;
+			}
+
+			return resultClassDescriptor;
+		}
+
+		private MultiValueMap<Class<?>, Long> alternativeSerialVersionUIDs() {
+			return VersionTolerantJavaDeserializer.this.alternativeSerialVersionUIDs;
+		}
+	}
+}

spring-integration-core/src/test/java/org/springframework/integration/support/serializer/VersionTolerantJavaDeserializerTests.java

@@ -0,0 +1,121 @@
+/*
+ * Copyright 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.integration.support.serializer;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+/**
+ * Unit tests for {@link VersionTolerantJavaDeserializer}.
+ */
+public class VersionTolerantJavaDeserializerTests {
+
+	@Test
+	void failsWhenNoAlternateUIDsConfigured() throws Exception {
+		assertThat(Foo.serialVersionUID).isEqualTo(3L);
+		String fileName = "./src/test/resources/deser/foo2";
+		VersionTolerantJavaDeserializer deser = new VersionTolerantJavaDeserializer();
+		try (FileInputStream fis = new FileInputStream(fileName)) {
+			assertThatThrownBy(() -> deser.deserialize(fis))
+					.isInstanceOf(InvalidClassException.class);
+		}
+	}
+
+	@Test
+	void passesWhenAlternateUIDsConfigured() throws Exception {
+		assertThat(Foo.serialVersionUID).isEqualTo(3L);
+
+		VersionTolerantJavaDeserializer deser = new VersionTolerantJavaDeserializer();
+		deser.allowSerialVersionUID(VersionTolerantJavaDeserializerTests.Foo.class, 1L);
+		deser.allowSerialVersionUID(VersionTolerantJavaDeserializerTests.Foo.class, 2L);
+
+		String fileName = "./src/test/resources/deser/foo1";
+		try (FileInputStream fis = new FileInputStream(fileName)) {
+			VersionTolerantJavaDeserializerTests.Foo oldFoo = (VersionTolerantJavaDeserializerTests.Foo) deser.deserialize(fis);
+			assertThat(oldFoo.toString()).isEqualTo("Foo (name=uno, serialVersionUID=3)");
+		}
+
+		fileName = "./src/test/resources/deser/foo2";
+		try (FileInputStream fis = new FileInputStream(fileName)) {
+			VersionTolerantJavaDeserializerTests.Foo oldFoo = (VersionTolerantJavaDeserializerTests.Foo) deser.deserialize(fis);
+			assertThat(oldFoo.toString()).isEqualTo("Foo (name=dos, serialVersionUID=3)");
+		}
+	}
+
+	@Disabled
+	@Nested
+	class GenerateSerializedFiles {
+
+		@Test
+		void generateOldFoo1SerializedFile() throws Exception {
+			// Only run this once to generate the Foo1 serialized file - make sure Foo.serialVersionUID = 1L before running
+			assertThat(Foo.serialVersionUID).isEqualTo(1L);
+			String filename = "./src/test/resources/deser/foo1";
+			doGenerateOldFooSerializedFile(filename, new Foo("uno"));
+		}
+
+		@Test
+		void generateOldFoo2SerializedFile() throws Exception {
+			// Only run this once to generate the Foo2 serialized file - make sure Foo.serialVersionUID = 2L before running
+			assertThat(Foo.serialVersionUID).isEqualTo(2L);
+			String filename = "./src/test/resources/deser/foo2";
+			doGenerateOldFooSerializedFile(filename, new Foo("dos"));
+		}
+
+		private void doGenerateOldFooSerializedFile(String filename, Foo foo) throws Exception {
+			FileOutputStream fos = new FileOutputStream(filename);
+			ObjectOutputStream oos = new ObjectOutputStream(fos);
+			oos.writeObject(foo);
+			fos.close();
+			FileInputStream fis = new FileInputStream(filename);
+			ObjectInputStream ois = new ObjectInputStream(fis);
+			Foo fooDeser = (Foo) ois.readObject();
+			assertThat(fooDeser.getName()).isEqualTo(foo.getName());
+			fis.close();
+		}
+	}
+
+	static class Foo implements Serializable {
+
+		private static final long serialVersionUID = 3L;
+
+		private String name;
+
+		public Foo(String name) {
+			this.name = name;
+		}
+
+		public String getName() {
+			return this.name;
+		}
+
+		public String toString() {
+			return String.format("Foo (name=%s, serialVersionUID=%d)", this.name, serialVersionUID);
+		}
+	}
+}