Exemple

public void doGet(HttpServletRequest req, HttpServletResponse resp) {

HttpSession session = req.getSession(true);
session.setAttribute(ATTRIB_NAME, new NonSerializableData());
// ...
}
public class NonSerializableData {
// ...
}

private static final String ATTRIB_NAME = "badExample";

Solution
Faites implémenter java.io.Serializable par la classe de l'objet, rendez la zone transitoire (transient) ou ne stockez pas l'objet dans la session HTTP (HttpSession).

public void doGet(HttpServletRequest req, HttpServletResponse resp) {

HttpSession session = req.getSession(true);
session.setAttribute(ATTRIB_NAME, new SerializableData());
// ...
}
public class NonSerializableData implements java.io.Serializable {
static final long serialVersionUID = -817083988410801866L;
// ...
}

private static final String ATTRIB_NAME = "badExample";