This code seems to be storing a non-serializable object into an HttpSession. If this session is passivated or migrated, an error will result.