In the early versions of Spring Security, a deliberate decision was made not to guarantee compatibility of serialized classes (via JDK serialization) between different versions of the project. This decision was made primarily with RMI in mind, where the recommendation was that both the server and the client use the same version of Spring Security.
As more applications depend on persistent sessions and technologies like Spring Session, inconsistent serialization between versions becomes a more significant problem. Persistent sessions mean saving user sessions by turning them into…