the User class contains a reference (via its superclass Entity) that eventually leads to the singleton UserManager, and from there to the various osuser providers. because not all of these classes implement java.io.Serializable, you eventually get NotSerializableExceptions when you try to serialize a User instance.
this happens (writing a User instance) in at least one place that I'm aware of: the "default authenticator" used by JIRA.
there are obvious performance and resource usage implications here.
one possible short-term fix would be to not try to write the User instance to the session, but write some sort of identifier instead. the long term fix will have to involve osuser.
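As an added illustration (constructed stand-ins, not osuser's or JIRA's real classes), the reference chain described above and the identifier-in-session workaround; the `resolve()` re-lookup by name is an assumption:

```java
import java.io.*;

// Constructed stand-ins for the chain User -> Entity -> UserManager -> provider.
class Provider {                         // some osuser providers are not Serializable
    String lookup(String name) { return name; }
}

class UserManager {                      // singleton, not Serializable, reachable from every Entity
    static final UserManager INSTANCE = new UserManager();
    final Provider provider = new Provider();
}

abstract class Entity implements Serializable {
    // This one reference drags the manager and its providers into the serialized graph.
    final UserManager manager = UserManager.INSTANCE;
}

class User extends Entity {
    final String name;
    User(String name) { this.name = name; }
}

// Short-term fix from the report: put an identifier in the session, not the User itself.
class SessionPrincipal implements Serializable {
    private final String userName;
    SessionPrincipal(User u) { this.userName = u.name; }
    User resolve() { return new User(userName); }   // assumed: re-lookup by name on use
}

public class SessionSerializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        try {
            serialize(new User("alice"));            // walks into Entity.manager and fails
        } catch (NotSerializableException e) {
            // message names the first non-Serializable object reached: UserManager
            System.out.println("User not serializable: " + e.getMessage());
        }
        byte[] bytes = serialize(new SessionPrincipal(new User("alice")));
        System.out.println("SessionPrincipal serialized, " + bytes.length + " bytes");
    }
}
```

Storing only the identifier also keeps the serialized session small, which is the resource-usage point raised above.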