Cacheable key collision with DefaultKeyGenerator [SPR-10237]

[spring-projects-issues]

Morten Haraldsen opened SPR-10237 and commented

The default is to use the hashcode of each parameter and create another (32-bit) hash code. Obviously this can easily generate collisions. This should be clearly documented as it feels like a pretty serious issue, if not a bug. We have come to expect that Spring defaults are "safe" :-)

---

Affects: 3.2 GA

Reference URL: http://blog.ethlo.com/2013/01/30/spring-defaultkeygenerator-gotcha

Issue Links:

• Spring cache defaults to hashcode based cache key for multiple arguments [SPR-10688] #15316 Spring cache defaults to hashcode based cache key for multiple arguments ("is duplicated by")
• Improve DefaultKeyGenerator [SPR-9036] #13675 Improve DefaultKeyGenerator ("is duplicated by")
• org.springframework.cache.interceptor.DefaultKeyGenerator has too weak hashing functionality [SPR-9377] #14013 org.springframework.cache.interceptor.DefaultKeyGenerator has too weak hashing functionality ("is duplicated by")
• Improve DefaultKeyGenerator [SPR-9036] #13675 Improve DefaultKeyGenerator
• org.springframework.cache.interceptor.DefaultKeyGenerator has too weak hashing functionality [SPR-9377] #14013 org.springframework.cache.interceptor.DefaultKeyGenerator has too weak hashing functionality

Referenced from: commits f1a18d2

3 votes, 8 watchers

[spring-projects-issues]

Tomasz Nurkiewicz commented

Looks like a duplicate of #13675 and #14013.

[spring-projects-issues]

Phil Webb commented

Spring 4.0 will now use the SimpleKeyGenerator class to generate cache keys if no specific KeyGenerator is configured. The DefaultKeyGenerator remains available for applications that do not wish to migrate.

I have stopped sort of including the target object or method name inside the key (as suggested in #13675). The primary reason for this is that the same key needs to be generated for @Cacheable, @CachePut and @CacheEvict annotated method, which will most likely be on different methods and potentially different beans.

For any method with a single non-null parameter, the result of SimpleKeyGenerator is identical to DefaultKeyGenerator. In other cases it is possible that the SimpleKey type might not be compatible with all Cache implementations. Given the number of times that this bug has been raised I think this restriction is acceptable, however, since this is a potentially breaking change I do not intend to back-port to 3.2.x