diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml index f36d30d555b..b7baf20f2b5 100644 --- a/.github/workflows/continuous-integration-workflow.yml +++ b/.github/workflows/continuous-integration-workflow.yml @@ -79,7 +79,7 @@ jobs: env: STRUCTURE101_LICENSEID: ${{ secrets.STRUCTURE101_LICENSEID }} run: | - ./gradlew check s101 -Ps101.licenseId="$STRUCTURE101_LICENSEID" --stacktrace + ./gradlew assemble && ./gradlew s101 -Ps101.licenseId="$STRUCTURE101_LICENSEID" --stacktrace deploy-artifacts: name: Deploy Artifacts needs: [ build, test, check-samples, check-tangles ] @@ -116,7 +116,7 @@ jobs: send-notification: name: Send Notification needs: [ perform-release ] - if: ${{ failure() || cancelled() }} + if: ${{ !success() }} runs-on: ubuntu-latest steps: - name: Send Notification diff --git a/build.gradle b/build.gradle index 60089e6734f..4fd368b54a9 100644 --- a/build.gradle +++ b/build.gradle @@ -110,6 +110,10 @@ nohttp { source.builtBy(project(':spring-security-config').tasks.withType(RncToXsd)) } +tasks.named('checkstyleNohttp') { + maxHeapSize = '1g' +} + tasks.register('cloneRepository', IncludeRepoTask) { repository = project.getProperties().get("repositoryName") ref = project.getProperties().get("ref") diff --git a/buildSrc/src/main/java/s101/S101Plugin.java b/buildSrc/src/main/java/s101/S101Plugin.java index 6d2e01abc0e..628b4ad52ab 100644 --- a/buildSrc/src/main/java/s101/S101Plugin.java +++ b/buildSrc/src/main/java/s101/S101Plugin.java @@ -50,7 +50,7 @@ private void configure(S101Configure configure) { private void configure(JavaExec exec) { exec.setDescription("Runs Structure101 headless analysis, installing and configuring if necessary"); - exec.dependsOn("check"); + exec.dependsOn("assemble"); Project project = exec.getProject(); S101PluginExtension extension = project.getExtensions().getByType(S101PluginExtension.class); exec 
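Review bot: In the `send-notification` job, `if: ${{ !success() }}` is broader than the `failure() || cancelled()` it replaces: as far as I know it is also true when `perform-release` is skipped, not only when it or an ancestor job fails or is cancelled. If notifying on a skipped release is intended, record that next to the condition, e.g. `# also fires when perform-release is skipped`. If it is not intended, the old expression was the narrower one. The `if` of `perform-release` is outside this hunk, so whether it can be skipped on ordinary runs (forks, non-release branches) cannot be confirmed from here.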
diff --git a/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java b/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java index b6c7c6f8fad..fad74fdb7b6 100644 --- a/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java +++ b/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java @@ -41,6 +41,7 @@ * @since 4.2 * @see org.springframework.security.jackson2.SecurityJackson2Modules */ +@SuppressWarnings("serial") public class CasJackson2Module extends SimpleModule { public CasJackson2Module() { diff --git a/config/src/integration-test/java/org/springframework/security/config/annotation/configurers/WebAuthnWebDriverTests.java b/config/src/integration-test/java/org/springframework/security/config/annotation/configurers/WebAuthnWebDriverTests.java index 075856f3a4a..cc5d7a3501f 100644 --- a/config/src/integration-test/java/org/springframework/security/config/annotation/configurers/WebAuthnWebDriverTests.java +++ b/config/src/integration-test/java/org/springframework/security/config/annotation/configurers/WebAuthnWebDriverTests.java @@ -33,6 +33,7 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.openqa.selenium.By; +import org.openqa.selenium.WebDriverException; import org.openqa.selenium.WebElement; import org.openqa.selenium.chrome.ChromeDriverService; import org.openqa.selenium.chrome.ChromeOptions; 
@@ -273,12 +274,14 @@ private AbstractStringAssert assertHasAlertStartingWith(String alertType, Str /** * Await until the assertion passes. If the assertion fails, it will display the - * assertion error in stdout. + * assertion error in stdout. WebDriver-related exceptions are ignored, so that + * {@code assertion}s can interact with the page and be retried on error, e.g. + * {@code assertThat(this.driver.findElement(By.Id("some-id")).isNotNull()}. */ private void await(Supplier> assertion) { new FluentWait<>(this.driver).withTimeout(Duration.ofSeconds(2)) .pollingEvery(Duration.ofMillis(100)) - .ignoring(AssertionError.class) + .ignoring(AssertionError.class, WebDriverException.class) .until((d) -> { assertion.get(); return true; diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java index 17c3c73ca49..2aae05bbb9c 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
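Review bot: The example added to the Javadoc of `await` is not valid as written: `By.Id` should be `By.id`, and the parentheses are unbalanced. Suggested text: `{@code assertThat(this.driver.findElement(By.id("some-id"))).isNotNull()}`. Separately, `.ignoring(AssertionError.class, WebDriverException.class)` retries every driver-level failure, so a dead browser session is also polled until the 2 second timeout rather than failing at once. A sentence in the comment saying that the cause of the resulting timeout is the place to look would help whoever debugs a flaky run. The body of `await` closes outside the hunk.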
@@ -99,6 +99,10 @@ public final class OAuth2ClientConfigurer> private AuthorizationCodeGrantConfigurer authorizationCodeGrantConfigurer = new AuthorizationCodeGrantConfigurer(); + private ClientRegistrationRepository clientRegistrationRepository; + + private OAuth2AuthorizedClientRepository authorizedClientRepository; + /** * Sets the repository of client registrations. * @param clientRegistrationRepository the repository of client registrations @@ -108,6 +112,7 @@ public OAuth2ClientConfigurer clientRegistrationRepository( ClientRegistrationRepository clientRegistrationRepository) { Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository); + this.clientRegistrationRepository = clientRegistrationRepository; return this; } @@ -120,6 +125,7 @@ public OAuth2ClientConfigurer authorizedClientRepository( OAuth2AuthorizedClientRepository authorizedClientRepository) { Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null"); this.getBuilder().setSharedObject(OAuth2AuthorizedClientRepository.class, authorizedClientRepository); + this.authorizedClientRepository = authorizedClientRepository; return this; } @@ -284,8 +290,7 @@ private OAuth2AuthorizationRequestResolver getAuthorizationRequestResolver() { if (this.authorizationRequestResolver != null) { return this.authorizationRequestResolver; } - ClientRegistrationRepository clientRegistrationRepository = OAuth2ClientConfigurerUtils - .getClientRegistrationRepository(getBuilder()); + ClientRegistrationRepository clientRegistrationRepository = getClientRegistrationRepository(getBuilder()); ResolvableType resolvableType = ResolvableType.forClass(OAuth2AuthorizationRequestResolver.class); OAuth2AuthorizationRequestResolver bean = getBeanOrNull(resolvableType); return (bean != null) ? bean : new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, 
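Review bot: Both setters in this file now store the repository twice: in the new field and, as before, in the builder via `setSharedObject(...)`. The field gives this configurer its own stable reference, but the shared object presumably stays last-writer-wins when another OAuth2 configurer sets a different instance on the same builder. Anything that still resolves the repository through `OAuth2ClientConfigurerUtils` directly would then see whichever configurer wrote last. A comment on the two fields would record why both exist, e.g. `// explicitly configured instance; preferred over the builder's shared object, which another configurer may overwrite`. The matching setters in OAuth2LoginConfigurer further down follow the same pattern; which other callers still read the shared object is not visible in this diff.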
@@ -295,8 +300,8 @@ private OAuth2AuthorizationRequestResolver getAuthorizationRequestResolver() { private OAuth2AuthorizationCodeGrantFilter createAuthorizationCodeGrantFilter(B builder) { AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class); OAuth2AuthorizationCodeGrantFilter authorizationCodeGrantFilter = new OAuth2AuthorizationCodeGrantFilter( - OAuth2ClientConfigurerUtils.getClientRegistrationRepository(builder), - OAuth2ClientConfigurerUtils.getAuthorizedClientRepository(builder), authenticationManager); + getClientRegistrationRepository(builder), getAuthorizedClientRepository(builder), + authenticationManager); if (this.authorizationRequestRepository != null) { authorizationCodeGrantFilter.setAuthorizationRequestRepository(this.authorizationRequestRepository); } @@ -318,6 +323,18 @@ private OAuth2AccessTokenResponseClient get return (bean != null) ? bean : new DefaultAuthorizationCodeTokenResponseClient(); } + private ClientRegistrationRepository getClientRegistrationRepository(B builder) { + return (OAuth2ClientConfigurer.this.clientRegistrationRepository != null) + ? OAuth2ClientConfigurer.this.clientRegistrationRepository + : OAuth2ClientConfigurerUtils.getClientRegistrationRepository(builder); + } + + private OAuth2AuthorizedClientRepository getAuthorizedClientRepository(B builder) { + return (OAuth2ClientConfigurer.this.authorizedClientRepository != null) + ? OAuth2ClientConfigurer.this.authorizedClientRepository + : OAuth2ClientConfigurerUtils.getAuthorizedClientRepository(builder); + } + @SuppressWarnings("unchecked") private T getBeanOrNull(ResolvableType type) { ApplicationContext context = getBuilder().getSharedObject(ApplicationContext.class); 
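Review bot: The new helpers `getClientRegistrationRepository(B)` and `getAuthorizedClientRepository(B)` carry no comment stating the lookup order, which is the substance of this change. Suggest a one-line Javadoc on each, e.g. `/** Returns the repository set on this configurer, otherwise whatever OAuth2ClientConfigurerUtils resolves from the builder. */`. They also take a `B builder` argument, while OAuth2LoginConfigurer calls its counterpart without one (`this.getClientRegistrationRepository()` in `getLoginLinks`). Calling `getBuilder()` inside the helper would make the two configurers read alike.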
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java index d191bb740be..16cf1c0e188 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -173,6 +173,10 @@ public final class OAuth2LoginConfigurer> private String loginProcessingUrl = OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI; + private ClientRegistrationRepository clientRegistrationRepository; + + private OAuth2AuthorizedClientRepository authorizedClientRepository; + /** * Sets the repository of client registrations. * @param clientRegistrationRepository the repository of client registrations @@ -182,6 +186,7 @@ public OAuth2LoginConfigurer clientRegistrationRepository( ClientRegistrationRepository clientRegistrationRepository) { Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository); + this.clientRegistrationRepository = clientRegistrationRepository; return this; } 
@@ -195,6 +200,7 @@ public OAuth2LoginConfigurer authorizedClientRepository( OAuth2AuthorizedClientRepository authorizedClientRepository) { Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null"); this.getBuilder().setSharedObject(OAuth2AuthorizedClientRepository.class, authorizedClientRepository); + this.authorizedClientRepository = authorizedClientRepository; return this; } @@ -340,8 +346,7 @@ public OAuth2LoginConfigurer userInfoEndpoint(Customizer getJwtDecoderFactoryBean() { ResolvableType type = ResolvableType.forClassWithGenerics(JwtDecoderFactory.class, ClientRegistration.class); @@ -526,8 +540,7 @@ private void initDefaultLoginFilter(B http) { @SuppressWarnings("unchecked") private Map getLoginLinks() { Iterable clientRegistrations = null; - ClientRegistrationRepository clientRegistrationRepository = OAuth2ClientConfigurerUtils - .getClientRegistrationRepository(this.getBuilder()); + ClientRegistrationRepository clientRegistrationRepository = this.getClientRegistrationRepository(); ResolvableType type = ResolvableType.forInstance(clientRegistrationRepository).as(Iterable.class); if (type != ResolvableType.NONE && ClientRegistration.class.isAssignableFrom(type.resolveGenerics()[0])) { clientRegistrations = (Iterable) clientRegistrationRepository; diff --git a/config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java index 860ed9fc551..24566458e11 100644 --- a/config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java 
@@ -146,6 +146,7 @@ public BeanDefinition parse(Element element, ParserContext pc) { BeanMetadataElement saml2LogoutRequestSuccessHandler = BeanDefinitionBuilder .rootBeanDefinition(Saml2RelyingPartyInitiatedLogoutSuccessHandler.class) .addConstructorArgValue(logoutRequestResolver) + .addPropertyValue("logoutRequestRepository", logoutRequestRepository) .getBeanDefinition(); this.logoutFilter = BeanDefinitionBuilder.rootBeanDefinition(LogoutFilter.class) .addConstructorArgValue(saml2LogoutRequestSuccessHandler) diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt index 1624817431e..f1a9600f000 100644 --- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt +++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/WebAuthnDsl.kt @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
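Review bot: The added `.addPropertyValue("logoutRequestRepository", logoutRequestRepository)` has no comment explaining why the success handler must share the repository, and the hunk does not show where `logoutRequestRepository` comes from. Presumably the handler saves the outgoing logout request and the logout response filter later looks it up, so both must use the same instance for the response to be matched. If so, a short comment would keep the next edit from dropping the line, e.g. `// same repository as the logout response filter, so the saved request can be found when the response arrives`. If not already covered elsewhere in this commit, a namespace test with a custom repository reference would pin the behaviour. `parse` starts and ends outside the hunk.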
@@ -24,20 +24,24 @@ import org.springframework.security.config.annotation.web.configurers.WebAuthnCo * @property rpName the relying party name * @property rpId the relying party id * @property the allowed origins + * @property disableDefaultRegistrationPage disable default webauthn registration page * @since 6.4 * @author Rob Winch + * @author Max Batischev */ @SecurityMarker class WebAuthnDsl { var rpName: String? = null var rpId: String? = null var allowedOrigins: Set? = null + var disableDefaultRegistrationPage: Boolean? = false internal fun get(): (WebAuthnConfigurer) -> Unit { - return { webAuthn -> webAuthn - .rpId(rpId) - .rpName(rpName) - .allowedOrigins(allowedOrigins); + return { webAuthn -> + rpName?.also { webAuthn.rpName(rpName) } + rpId?.also { webAuthn.rpId(rpId) } + allowedOrigins?.also { webAuthn.allowedOrigins(allowedOrigins) } + disableDefaultRegistrationPage?.also { webAuthn.disableDefaultRegistrationPage(disableDefaultRegistrationPage!!) } } } } diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java index cff442fffe8..2982d2a005a 100644 --- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java +++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
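Review bot: Inside each `?.also { ... }` in `get()` the lambda re-reads the mutable property instead of using the value that was just null-checked, which is why the last line needs `!!`. Use `it` instead: `rpId?.also { webAuthn.rpId(it) }`, `allowedOrigins?.also { webAuthn.allowedOrigins(it) }`, `disableDefaultRegistrationPage?.also { webAuthn.disableDefaultRegistrationPage(it) }`, and likewise for `rpName`. Note also that `rpId` and `allowedOrigins` are now skipped when null rather than passed through, so the configurer's own defaults decide the relying-party id and the accepted origins. The KDoc `@property` lines could say so, since these values control which origins are accepted. The existing line `@property the allowed origins` is missing the property name `allowedOrigins`.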
@@ -36,14 +36,17 @@ import java.util.Date; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.Set; import java.util.stream.Collectors; import java.util.stream.Stream; +import jakarta.servlet.http.Cookie; import org.apereo.cas.client.validation.AssertionImpl; import org.instancio.Instancio; import org.instancio.InstancioApi; +import org.instancio.InstancioOfClassApi; import org.instancio.Select; import org.instancio.generator.Generator; import org.junit.jupiter.api.Disabled; 
@@ -53,26 +56,72 @@ import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider; +import org.springframework.core.ResolvableType; import org.springframework.core.type.filter.AssignableTypeFilter; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.AuthorizationServiceException; +import org.springframework.security.access.SecurityConfig; import org.springframework.security.access.intercept.RunAsUserToken; import org.springframework.security.authentication.AbstractAuthenticationToken; +import org.springframework.security.authentication.AccountExpiredException; import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException; +import org.springframework.security.authentication.AuthenticationServiceException; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.authentication.CredentialsExpiredException; +import org.springframework.security.authentication.DisabledException; +import org.springframework.security.authentication.InsufficientAuthenticationException; +import org.springframework.security.authentication.InternalAuthenticationServiceException; +import org.springframework.security.authentication.LockedException; +import org.springframework.security.authentication.ProviderNotFoundException; import org.springframework.security.authentication.RememberMeAuthenticationToken; import org.springframework.security.authentication.TestAuthentication; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import 
org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent; +import org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent; +import org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent; +import org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent; +import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent; +import org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent; +import org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent; +import org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent; +import org.springframework.security.authentication.event.AuthenticationSuccessEvent; +import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent; +import org.springframework.security.authentication.event.LogoutSuccessEvent; import org.springframework.security.authentication.jaas.JaasAuthenticationToken; +import org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent; +import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent; +import org.springframework.security.authentication.ott.InvalidOneTimeTokenException; import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken; +import org.springframework.security.authentication.password.CompromisedPasswordException; +import org.springframework.security.authorization.AuthorityAuthorizationDecision; +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.AuthorizationDeniedException; import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken; import org.springframework.security.cas.authentication.CasAuthenticationToken; import 
org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken; +import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.SpringSecurityCoreVersion; import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.core.context.TransientSecurityContext; +import org.springframework.security.core.session.AbstractSessionEvent; import org.springframework.security.core.session.ReactiveSessionInformation; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.ldap.ppolicy.PasswordPolicyControl; +import org.springframework.security.ldap.ppolicy.PasswordPolicyErrorStatus; +import org.springframework.security.ldap.ppolicy.PasswordPolicyException; +import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl; import org.springframework.security.ldap.userdetails.LdapAuthority; +import org.springframework.security.oauth2.client.ClientAuthorizationException; +import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException; import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken; 
@@ -88,7 +137,10 @@ import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal; import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; +import org.springframework.security.oauth2.core.OAuth2AuthenticationException; +import org.springframework.security.oauth2.core.OAuth2AuthorizationException; import org.springframework.security.oauth2.core.OAuth2DeviceCode; +import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2RefreshToken; import org.springframework.security.oauth2.core.OAuth2UserCode; import org.springframework.security.oauth2.core.TestOAuth2AccessTokens; 
@@ -108,23 +160,86 @@ import org.springframework.security.oauth2.core.user.DefaultOAuth2User; import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; import org.springframework.security.oauth2.core.user.TestOAuth2Users; +import org.springframework.security.oauth2.jwt.BadJwtException; import org.springframework.security.oauth2.jwt.Jwt; +import org.springframework.security.oauth2.jwt.JwtDecoderInitializationException; +import org.springframework.security.oauth2.jwt.JwtEncodingException; +import org.springframework.security.oauth2.jwt.JwtException; +import org.springframework.security.oauth2.jwt.JwtValidationException; import org.springframework.security.oauth2.jwt.TestJwts; import org.springframework.security.oauth2.server.resource.BearerTokenError; import org.springframework.security.oauth2.server.resource.BearerTokenErrors; +import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException; import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication; import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken; +import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException; import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal; +import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException; +import org.springframework.security.saml2.Saml2Exception; +import org.springframework.security.saml2.core.Saml2Error; +import org.springframework.security.saml2.core.Saml2X509Credential; +import org.springframework.security.saml2.credentials.TestSaml2X509Credentials; import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal; import 
org.springframework.security.saml2.provider.service.authentication.Saml2Authentication; +import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException; +import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken; import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest; +import org.springframework.security.saml2.provider.service.authentication.TestSaml2AuthenticationTokens; import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications; import org.springframework.security.saml2.provider.service.authentication.TestSaml2PostAuthenticationRequests; import org.springframework.security.saml2.provider.service.authentication.TestSaml2RedirectAuthenticationRequests; +import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; +import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails; +import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations; +import org.springframework.security.web.PortResolverImpl; import org.springframework.security.web.authentication.WebAuthenticationDetails; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException; +import org.springframework.security.web.authentication.rememberme.CookieTheftException; +import org.springframework.security.web.authentication.rememberme.InvalidCookieException; +import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException; +import org.springframework.security.web.authentication.session.SessionAuthenticationException; 
+import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent; +import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent; +import org.springframework.security.web.authentication.www.NonceExpiredException; +import org.springframework.security.web.csrf.CsrfException; +import org.springframework.security.web.csrf.DefaultCsrfToken; +import org.springframework.security.web.csrf.InvalidCsrfTokenException; +import org.springframework.security.web.csrf.MissingCsrfTokenException; +import org.springframework.security.web.firewall.RequestRejectedException; +import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.SimpleSavedRequest; +import org.springframework.security.web.server.firewall.ServerExchangeRejectedException; +import org.springframework.security.web.session.HttpSessionCreatedEvent; +import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs; +import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs; +import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse; +import org.springframework.security.web.webauthn.api.AuthenticatorAttachment; +import org.springframework.security.web.webauthn.api.AuthenticatorTransport; +import org.springframework.security.web.webauthn.api.Bytes; +import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput; +import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput; +import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput; +import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs; +import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs; +import 
org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity; +import org.springframework.security.web.webauthn.api.PublicKeyCredential; +import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor; +import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions; +import org.springframework.security.web.webauthn.api.PublicKeyCredentialType; +import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity; +import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses; +import org.springframework.security.web.webauthn.api.TestBytes; +import org.springframework.security.web.webauthn.api.TestPublicKeyCredential; +import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions; +import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity; +import org.springframework.security.web.webauthn.api.UserVerificationRequirement; +import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication; +import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken; +import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest; +import org.springframework.util.ReflectionUtils; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.fail; @@ -155,6 +270,8 @@ class SpringSecurityCoreVersionSerializableTests { static { UserDetails user = TestAuthentication.user(); + Authentication authentication = TestAuthentication.authenticated(user); + SecurityContext securityContext = new SecurityContextImpl(authentication); // oauth2-core generatorByClassName.put(DefaultOAuth2User.class, (r) -> TestOAuth2Users.create()); 
@@ -180,6 +297,12 @@ class SpringSecurityCoreVersionSerializableTests { generatorByClassName.put(OidcUserAuthority.class, (r) -> new OidcUserAuthority(TestOidcIdTokens.idToken().build(), new OidcUserInfo(Map.of("claim", "value")), "claim")); + generatorByClassName.put(OAuth2AuthenticationException.class, + (r) -> new OAuth2AuthenticationException(new OAuth2Error("error", "description", "uri"), "message", + new RuntimeException())); + generatorByClassName.put(OAuth2AuthorizationException.class, + (r) -> new OAuth2AuthorizationException(new OAuth2Error("error", "description", "uri"), "message", + new RuntimeException())); // oauth2-client ClientRegistration.Builder clientRegistrationBuilder = TestClientRegistrations.clientRegistration(); 
@@ -218,6 +341,21 @@ class SpringSecurityCoreVersionSerializableTests { return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(), (Collection) principal.getAuthorities()); }); + generatorByClassName.put(ClientAuthorizationException.class, + (r) -> new ClientAuthorizationException(new OAuth2Error("error", "description", "uri"), "id", "message", + new RuntimeException())); + generatorByClassName.put(ClientAuthorizationRequiredException.class, + (r) -> new ClientAuthorizationRequiredException("id")); + + // oauth2-jose + generatorByClassName.put(BadJwtException.class, (r) -> new BadJwtException("token", new RuntimeException())); + generatorByClassName.put(JwtDecoderInitializationException.class, + (r) -> new JwtDecoderInitializationException("message", new RuntimeException())); + generatorByClassName.put(JwtEncodingException.class, + (r) -> new JwtEncodingException("message", new RuntimeException())); + generatorByClassName.put(JwtException.class, (r) -> new JwtException("message", new RuntimeException())); + generatorByClassName.put(JwtValidationException.class, + (r) -> new JwtValidationException("message", List.of(new OAuth2Error("error", "description", "uri")))); // oauth2-jwt generatorByClassName.put(Jwt.class, (r) -> TestJwts.user()); 
@@ -249,6 +387,12 @@ class SpringSecurityCoreVersionSerializableTests { generatorByClassName.put(BearerTokenError.class, (r) -> BearerTokenErrors.invalidToken("invalid token")); generatorByClassName.put(OAuth2IntrospectionAuthenticatedPrincipal.class, (r) -> TestOAuth2AuthenticatedPrincipals.active()); + generatorByClassName.put(InvalidBearerTokenException.class, + (r) -> new InvalidBearerTokenException("description", new RuntimeException())); + generatorByClassName.put(BadOpaqueTokenException.class, + (r) -> new BadOpaqueTokenException("message", new RuntimeException())); + generatorByClassName.put(OAuth2IntrospectionException.class, + (r) -> new OAuth2IntrospectionException("message", new RuntimeException())); // core generatorByClassName.put(RunAsUserToken.class, (r) -> { 
@@ -274,9 +418,73 @@ class SpringSecurityCoreVersionSerializableTests { }); generatorByClassName.put(OneTimeTokenAuthenticationToken.class, (r) -> applyDetails(new OneTimeTokenAuthenticationToken("username", "token"))); - + generatorByClassName.put(AccessDeniedException.class, + (r) -> new AccessDeniedException("access denied", new RuntimeException())); + generatorByClassName.put(AuthorizationServiceException.class, + (r) -> new AuthorizationServiceException("access denied", new RuntimeException())); + generatorByClassName.put(AccountExpiredException.class, + (r) -> new AccountExpiredException("error", new RuntimeException())); + generatorByClassName.put(AuthenticationCredentialsNotFoundException.class, + (r) -> new AuthenticationCredentialsNotFoundException("error", new RuntimeException())); + generatorByClassName.put(AuthenticationServiceException.class, + (r) -> new AuthenticationServiceException("error", new RuntimeException())); + generatorByClassName.put(BadCredentialsException.class, + (r) -> new BadCredentialsException("error", new RuntimeException())); + generatorByClassName.put(CredentialsExpiredException.class, + (r) -> new CredentialsExpiredException("error", new RuntimeException())); + generatorByClassName.put(DisabledException.class, + (r) -> new DisabledException("error", new RuntimeException())); + generatorByClassName.put(InsufficientAuthenticationException.class, + (r) -> new InsufficientAuthenticationException("error", new RuntimeException())); + generatorByClassName.put(InternalAuthenticationServiceException.class, + (r) -> new InternalAuthenticationServiceException("error", new RuntimeException())); + generatorByClassName.put(LockedException.class, (r) -> new LockedException("error", new RuntimeException())); + generatorByClassName.put(ProviderNotFoundException.class, (r) -> new ProviderNotFoundException("error")); + generatorByClassName.put(InvalidOneTimeTokenException.class, (r) -> new InvalidOneTimeTokenException("error")); + 
generatorByClassName.put(CompromisedPasswordException.class, + (r) -> new CompromisedPasswordException("error", new RuntimeException())); + generatorByClassName.put(UsernameNotFoundException.class, + (r) -> new UsernameNotFoundException("error", new RuntimeException())); generatorByClassName.put(TestingAuthenticationToken.class, (r) -> applyDetails(new TestingAuthenticationToken("username", "password"))); + generatorByClassName.put(AuthenticationFailureBadCredentialsEvent.class, + (r) -> new AuthenticationFailureBadCredentialsEvent(authentication, + new BadCredentialsException("message"))); + generatorByClassName.put(AuthenticationFailureCredentialsExpiredEvent.class, + (r) -> new AuthenticationFailureCredentialsExpiredEvent(authentication, + new CredentialsExpiredException("message"))); + generatorByClassName.put(AuthenticationFailureDisabledEvent.class, + (r) -> new AuthenticationFailureDisabledEvent(authentication, new DisabledException("message"))); + generatorByClassName.put(AuthenticationFailureExpiredEvent.class, + (r) -> new AuthenticationFailureExpiredEvent(authentication, new AccountExpiredException("message"))); + generatorByClassName.put(AuthenticationFailureLockedEvent.class, + (r) -> new AuthenticationFailureLockedEvent(authentication, new LockedException("message"))); + generatorByClassName.put(AuthenticationFailureProviderNotFoundEvent.class, + (r) -> new AuthenticationFailureProviderNotFoundEvent(authentication, + new ProviderNotFoundException("message"))); + generatorByClassName.put(AuthenticationFailureProxyUntrustedEvent.class, + (r) -> new AuthenticationFailureProxyUntrustedEvent(authentication, + new AuthenticationServiceException("message"))); + generatorByClassName.put(AuthenticationFailureServiceExceptionEvent.class, + (r) -> new AuthenticationFailureServiceExceptionEvent(authentication, + new AuthenticationServiceException("message"))); + generatorByClassName.put(AuthenticationSuccessEvent.class, + (r) -> new 
AuthenticationSuccessEvent(authentication)); + generatorByClassName.put(InteractiveAuthenticationSuccessEvent.class, + (r) -> new InteractiveAuthenticationSuccessEvent(authentication, Authentication.class)); + generatorByClassName.put(LogoutSuccessEvent.class, (r) -> new LogoutSuccessEvent(authentication)); + generatorByClassName.put(JaasAuthenticationFailedEvent.class, + (r) -> new JaasAuthenticationFailedEvent(authentication, new RuntimeException("message"))); + generatorByClassName.put(JaasAuthenticationSuccessEvent.class, + (r) -> new JaasAuthenticationSuccessEvent(authentication)); + generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext)); + generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value")); + generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication)); + generatorByClassName.put(AuthorizationDeniedException.class, + (r) -> new AuthorizationDeniedException("message", new AuthorizationDecision(false))); + generatorByClassName.put(AuthorizationDecision.class, (r) -> new AuthorizationDecision(true)); + generatorByClassName.put(AuthorityAuthorizationDecision.class, + (r) -> new AuthorityAuthorizationDecision(true, AuthorityUtils.createAuthorityList("ROLE_USER"))); // cas generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> { 
@@ -299,8 +507,19 @@ class SpringSecurityCoreVersionSerializableTests { // ldap generatorByClassName.put(LdapAuthority.class, (r) -> new LdapAuthority("USER", "username", Map.of("attribute", List.of("value1", "value2")))); + generatorByClassName.put(PasswordPolicyException.class, + (r) -> new PasswordPolicyException(PasswordPolicyErrorStatus.INSUFFICIENT_PASSWORD_QUALITY)); + generatorByClassName.put(PasswordPolicyControl.class, (r) -> new PasswordPolicyControl(true)); + generatorByClassName.put(PasswordPolicyResponseControl.class, (r) -> { + byte[] encodedResponse = { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0xA0, 0x1, 0x21 }; + return new PasswordPolicyResponseControl(encodedResponse); + }); // saml2-service-provider + generatorByClassName.put(Saml2AuthenticationException.class, + (r) -> new Saml2AuthenticationException(new Saml2Error("code", "descirption"), "message", + new IOException("fail"))); + generatorByClassName.put(Saml2Exception.class, (r) -> new Saml2Exception("message", new IOException("fail"))); generatorByClassName.put(DefaultSaml2AuthenticatedPrincipal.class, (r) -> TestSaml2Authentications.authentication().getPrincipal()); generatorByClassName.put(Saml2Authentication.class, 
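Review bot: The `Saml2Error` passed to the `Saml2AuthenticationException` generator carries a misspelled description, `"descirption"`. If this test compares instances against stored serialized forms, as the class name suggests, the typo gets frozen into the fixture, so it is cheaper to correct it now: `new Saml2Error("code", "description")`. Separately, the `encodedResponse` byte array for `PasswordPolicyResponseControl` would benefit from a one-line comment saying which password-policy response it is meant to encode, since the raw bytes are not readable on their own. The block these registrations sit in starts and ends outside the hunk.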
@@ -309,6 +528,16 @@ class SpringSecurityCoreVersionSerializableTests { (r) -> TestSaml2PostAuthenticationRequests.create()); generatorByClassName.put(Saml2RedirectAuthenticationRequest.class, (r) -> TestSaml2RedirectAuthenticationRequests.create()); + generatorByClassName.put(Saml2X509Credential.class, + (r) -> TestSaml2X509Credentials.relyingPartyVerifyingCredential()); + generatorByClassName.put(AssertingPartyDetails.class, + (r) -> TestRelyingPartyRegistrations.full().build().getAssertingPartyMetadata()); + generatorByClassName.put(RelyingPartyRegistration.class, (r) -> TestRelyingPartyRegistrations.full().build()); + generatorByClassName.put(Saml2AuthenticationToken.class, (r) -> { + Saml2AuthenticationToken token = TestSaml2AuthenticationTokens.tokenRequested(); + token.setDetails(details); + return token; + }); // web generatorByClassName.put(AnonymousAuthenticationToken.class, (r) -> { 
@@ -321,6 +550,119 @@ class SpringSecurityCoreVersionSerializableTests { token.setDetails(details); return token; }); + generatorByClassName.put(PreAuthenticatedCredentialsNotFoundException.class, + (r) -> new PreAuthenticatedCredentialsNotFoundException("message", new IOException("fail"))); + generatorByClassName.put(CookieTheftException.class, (r) -> new CookieTheftException("message")); + generatorByClassName.put(InvalidCookieException.class, (r) -> new InvalidCookieException("message")); + generatorByClassName.put(RememberMeAuthenticationException.class, + (r) -> new RememberMeAuthenticationException("message", new IOException("fail"))); + generatorByClassName.put(SessionAuthenticationException.class, + (r) -> new SessionAuthenticationException("message")); + generatorByClassName.put(NonceExpiredException.class, + (r) -> new NonceExpiredException("message", new IOException("fail"))); + generatorByClassName.put(CsrfException.class, (r) -> new CsrfException("message")); + generatorByClassName.put(org.springframework.security.web.server.csrf.CsrfException.class, + (r) -> new org.springframework.security.web.server.csrf.CsrfException("message")); + generatorByClassName.put(InvalidCsrfTokenException.class, + (r) -> new InvalidCsrfTokenException(new DefaultCsrfToken("header", "parameter", "token"), "token")); + generatorByClassName.put(MissingCsrfTokenException.class, (r) -> new MissingCsrfTokenException("token")); + generatorByClassName.put(DefaultCsrfToken.class, (r) -> new DefaultCsrfToken("header", "parameter", "token")); + generatorByClassName.put(org.springframework.security.web.server.csrf.DefaultCsrfToken.class, + (r) -> new org.springframework.security.web.server.csrf.DefaultCsrfToken("header", "parameter", + "token")); + generatorByClassName.put(RequestRejectedException.class, (r) -> new RequestRejectedException("message")); + generatorByClassName.put(ServerExchangeRejectedException.class, + (r) -> new ServerExchangeRejectedException("message")); + 
generatorByClassName.put(SessionFixationProtectionEvent.class, + (r) -> new SessionFixationProtectionEvent(authentication, "old", "new")); + generatorByClassName.put(AuthenticationSwitchUserEvent.class, + (r) -> new AuthenticationSwitchUserEvent(authentication, user)); + generatorByClassName.put(HttpSessionCreatedEvent.class, + (r) -> new HttpSessionCreatedEvent(new MockHttpSession())); + generatorByClassName.put(SimpleSavedRequest.class, (r) -> { + MockHttpServletRequest request = new MockHttpServletRequest("GET", "/uri"); + request.setQueryString("query=string"); + request.setScheme("https"); + request.setServerName("localhost"); + request.setServerPort(80); + request.setRequestURI("/uri"); + request.setCookies(new Cookie("name", "value")); + request.addHeader("header", "value"); + request.addParameter("parameter", "value"); + request.setPathInfo("/path"); + request.addPreferredLocale(Locale.ENGLISH); + return new SimpleSavedRequest(new DefaultSavedRequest(request, new PortResolverImpl(), "continue")); + }); + + // webauthn + generatorByClassName.put(Bytes.class, (r) -> TestBytes.get()); + generatorByClassName.put(ImmutablePublicKeyCredentialUserEntity.class, + (r) -> TestPublicKeyCredentialUserEntity.userEntity().id(TestBytes.get()).build()); + generatorByClassName.put(WebAuthnAuthentication.class, (r) -> { + PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity() + .id(TestBytes.get()) + .build(); + List authorities = AuthorityUtils.createAuthorityList("ROLE_USER"); + WebAuthnAuthentication webAuthnAuthentication = new WebAuthnAuthentication(userEntity, authorities); + webAuthnAuthentication.setDetails(details); + return webAuthnAuthentication; + }); + + // webauthn + CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect( + CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL, + true); + Bytes id = 
TestBytes.get(); + AuthenticationExtensionsClientInputs inputs = new ImmutableAuthenticationExtensionsClientInputs( + ImmutableAuthenticationExtensionsClientInput.credProps); + // @formatter:off + PublicKeyCredentialDescriptor descriptor = PublicKeyCredentialDescriptor.builder() + .id(id) + .type(PublicKeyCredentialType.PUBLIC_KEY) + .transports(Set.of(AuthenticatorTransport.USB)) + .build(); + // @formatter:on + generatorByClassName.put(AuthenticatorTransport.class, (a) -> AuthenticatorTransport.USB); + generatorByClassName.put(PublicKeyCredentialType.class, (k) -> PublicKeyCredentialType.PUBLIC_KEY); + generatorByClassName.put(UserVerificationRequirement.class, (r) -> UserVerificationRequirement.REQUIRED); + generatorByClassName.put(CredProtectAuthenticationExtensionsClientInput.CredProtect.class, (c) -> credProtect); + generatorByClassName.put(CredProtectAuthenticationExtensionsClientInput.class, + (c) -> new CredProtectAuthenticationExtensionsClientInput(credProtect)); + generatorByClassName.put(ImmutableAuthenticationExtensionsClientInputs.class, (i) -> inputs); + Field credPropsField = ReflectionUtils.findField(ImmutableAuthenticationExtensionsClientInput.class, + "credProps"); + generatorByClassName.put(credPropsField.getType(), + (i) -> ImmutableAuthenticationExtensionsClientInput.credProps); + generatorByClassName.put(Bytes.class, (b) -> id); + generatorByClassName.put(PublicKeyCredentialDescriptor.class, (d) -> descriptor); + // @formatter:off + generatorByClassName.put(PublicKeyCredentialRequestOptions.class, (o) -> TestPublicKeyCredentialRequestOptions.create() + .extensions(inputs) + .allowCredentials(List.of(descriptor)) + .build() + ); + + CredentialPropertiesOutput credentialOutput = new CredentialPropertiesOutput(false); + AuthenticationExtensionsClientOutputs outputs = new ImmutableAuthenticationExtensionsClientOutputs(credentialOutput); + AuthenticatorAssertionResponse response = 
TestAuthenticationAssertionResponses.createAuthenticatorAssertionResponse() + .build(); + PublicKeyCredential credential = TestPublicKeyCredential.createPublicKeyCredential( + response, outputs) + .build(); + RelyingPartyAuthenticationRequest authRequest = new RelyingPartyAuthenticationRequest( + TestPublicKeyCredentialRequestOptions.create().build(), + credential + ); + WebAuthnAuthenticationRequestToken requestToken = new WebAuthnAuthenticationRequestToken(authRequest); + requestToken.setDetails(details); + generatorByClassName.put(CredentialPropertiesOutput.class, (o) -> credentialOutput); + generatorByClassName.put(ImmutableAuthenticationExtensionsClientOutputs.class, (o) -> outputs); + generatorByClassName.put(AuthenticatorAssertionResponse.class, (r) -> response); + generatorByClassName.put(RelyingPartyAuthenticationRequest.class, (r) -> authRequest); + generatorByClassName.put(PublicKeyCredential.class, (r) -> credential); + generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken); + generatorByClassName.put(AuthenticatorAttachment.class, (r) -> AuthenticatorAttachment.PLATFORM); + // @formatter:on } @ParameterizedTest @@ -430,7 +772,11 @@ static Stream> getClassesToSerialize() throws Exception { } private static InstancioApi instancioWithDefaults(Class clazz) { - InstancioApi instancio = Instancio.of(clazz); + InstancioOfClassApi instancio = Instancio.of(clazz); + ResolvableType[] generics = ResolvableType.forClass(clazz).getGenerics(); + for (ResolvableType type : generics) { + instancio.withTypeParameters(type.resolve()); + } if (generatorByClassName.containsKey(clazz)) { instancio.supply(Select.all(clazz), generatorByClassName.get(clazz)); } 
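Review bot: `Bytes.class` is registered twice in this hunk: first with `(r) -> TestBytes.get()` in the first `// webauthn` section, then again with `(b) -> id` in the second one. `generatorByClassName` is used like a map (`containsKey`/`get` in `instancioWithDefaults`), so the later `put` silently replaces the earlier one and the first registration is dead. Keeping only `generatorByClassName.put(Bytes.class, (b) -> id);` and merging the two `// webauthn` headers into one section would make it clear which generator is in effect. The block these registrations sit in starts outside the hunk.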
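Review bot: In `instancioWithDefaults`, `type.resolve()` can return `null` for a type variable that has no resolvable bound, and that `null` is passed straight to `withTypeParameters`. The loop also calls `withTypeParameters` once per type variable; the method takes varargs, and if it expects all of the class's type arguments in a single call (worth confirming against the Instancio version in use), a class with two or more type parameters would not be configured as intended. Collecting the resolved classes first, with `resolve(Object.class)` as the fallback, and making one call avoids both problems. The method body continues past the end of the hunk.

```java
InstancioOfClassApi instancio = Instancio.of(clazz);
ResolvableType[] generics = ResolvableType.forClass(clazz).getGenerics();
if (generics.length > 0) {
	Class<?>[] typeArguments = new Class<?>[generics.length];
	for (int i = 0; i < generics.length; i++) {
		// Unbounded type variables do not resolve; fall back to Object.
		typeArguments[i] = generics[i].resolve(Object.class);
	}
	instancio.withTypeParameters(typeArguments);
}
// … unchanged: generatorByClassName lookup and supply(...) …
```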
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java index 0074139f7d3..42d6ab71032 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -75,6 +75,7 @@ import static org.mockito.BDDMockito.given; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; import static org.springframework.security.config.Customizer.withDefaults; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user; 
@@ -301,6 +302,49 @@ public void configureWhenCustomAuthorizationRequestResolverBeanPresentThenAuthor verify(authorizationRequestResolver).resolve(any()); } + @Test + public void configureWhenOAuth2LoginBeansConfiguredThenNotShared() throws Exception { + this.spring.register(OAuth2ClientConfigWithOAuth2Login.class).autowire(); + // Setup the Authorization Request in the session + Map attributes = new HashMap<>(); + attributes.put(OAuth2ParameterNames.REGISTRATION_ID, this.registration1.getRegistrationId()); + // @formatter:off + OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode() + .authorizationUri(this.registration1.getProviderDetails().getAuthorizationUri()) + .clientId(this.registration1.getClientId()) + .redirectUri("http://localhost/client-1") + .state("state") + .attributes(attributes) + .build(); + // @formatter:on + AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository(); + MockHttpServletRequest request = new MockHttpServletRequest("GET", ""); + MockHttpServletResponse response = new MockHttpServletResponse(); + authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, request, response); + MockHttpSession session = (MockHttpSession) request.getSession(); + String principalName = "user1"; + TestingAuthenticationToken authentication = new TestingAuthenticationToken(principalName, "password"); + // @formatter:off + MockHttpServletRequestBuilder clientRequest = get("/client-1") + .param(OAuth2ParameterNames.CODE, "code") + .param(OAuth2ParameterNames.STATE, "state") + .with(authentication(authentication)) + .session(session); + this.mockMvc.perform(clientRequest) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl("http://localhost/client-1")); + // @formatter:on + OAuth2AuthorizedClient authorizedClient = authorizedClientRepository + .loadAuthorizedClient(this.registration1.getRegistrationId(), authentication, 
request); + assertThat(authorizedClient).isNotNull(); + // Ensure shared objects set for OAuth2 Client are not used + ClientRegistrationRepository clientRegistrationRepository = this.spring.getContext() + .getBean(ClientRegistrationRepository.class); + OAuth2AuthorizedClientRepository authorizedClientRepository = this.spring.getContext() + .getBean(OAuth2AuthorizedClientRepository.class); + verifyNoInteractions(clientRegistrationRepository, authorizedClientRepository); + } + @EnableWebSecurity @Configuration @EnableWebMvc 
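Review bot: The local `authorizedClientRepository` declared near the end of `configureWhenOAuth2LoginBeansConfiguredThenNotShared` has the same name as the identifier used a few lines earlier in `authorizedClientRepository.loadAuthorizedClient(...)`, which must resolve to something declared outside the hunk. Two different repositories under one name in the same method is easy to misread, and telling them apart is the whole point of this test; naming the locals for the beans they hold, e.g. `OAuth2AuthorizedClientRepository loginAuthorizedClientRepository = this.spring.getContext().getBean(OAuth2AuthorizedClientRepository.class);` (and likewise `loginClientRegistrationRepository`), keeps them distinct. The comment `// Ensure shared objects set for OAuth2 Client are not used` also reads as copied from the login test: here the verified beans appear to be the ones wired into `oauth2Login`, so `// Ensure the beans configured for OAuth2 Login are not used by OAuth2 Client` would match what is checked.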
@@ -388,4 +432,51 @@ OAuth2AuthorizationRequestResolver authorizationRequestResolver() { } + @Configuration + @EnableWebSecurity + @EnableWebMvc + static class OAuth2ClientConfigWithOAuth2Login { + + private final ClientRegistrationRepository clientRegistrationRepository = mock( + ClientRegistrationRepository.class); + + private final OAuth2AuthorizedClientRepository authorizedClientRepository = mock( + OAuth2AuthorizedClientRepository.class); + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .authorizeHttpRequests((authorize) -> authorize + .anyRequest().authenticated() + ) + .oauth2Client((oauth2Client) -> oauth2Client + .clientRegistrationRepository(OAuth2ClientConfigurerTests.clientRegistrationRepository) + .authorizedClientService(OAuth2ClientConfigurerTests.authorizedClientService) + .authorizationCodeGrant((authorizationCode) -> authorizationCode + .authorizationRequestResolver(authorizationRequestResolver) + .authorizationRedirectStrategy(authorizationRedirectStrategy) + .accessTokenResponseClient(accessTokenResponseClient) + ) + ) + .oauth2Login((oauth2Login) -> oauth2Login + .clientRegistrationRepository(this.clientRegistrationRepository) + .authorizedClientRepository(this.authorizedClientRepository) + ); + // @formatter:on + return http.build(); + } + + @Bean + ClientRegistrationRepository clientRegistrationRepository() { + return this.clientRegistrationRepository; + } + + @Bean + OAuth2AuthorizedClientRepository authorizedClientRepository() { + return this.authorizedClientRepository; + } + + } + } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java index b56d047a5f7..dfe6fea28fd 100644 
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -73,7 +73,9 @@ import org.springframework.security.oauth2.client.userinfo.OAuth2UserService; import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository; import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository; +import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository; import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; @@ -115,6 +117,7 @@ import static org.mockito.Mockito.atLeastOnce; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; import static org.springframework.security.config.annotation.SecurityContextChangedListenerArgumentMatchers.setAuthentication; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; 
@@ -669,6 +672,30 @@ public void oauth2LoginWhenDefaultsThenNoOidcSessionRegistry() { .collect(Collectors.toList())).isEmpty(); } + @Test + public void oidcLoginWhenOAuth2ClientBeansConfiguredThenNotShared() throws Exception { + this.spring.register(OAuth2LoginConfigWithOAuth2Client.class, JwtDecoderFactoryConfig.class).autowire(); + OAuth2AuthorizationRequest authorizationRequest = createOAuth2AuthorizationRequest("openid"); + this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, this.request, this.response); + this.request.setParameter("code", "code123"); + this.request.setParameter("state", authorizationRequest.getState()); + this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain); + Authentication authentication = this.securityContextRepository + .loadContext(new HttpRequestResponseHolder(this.request, this.response)) + .getAuthentication(); + assertThat(authentication.getAuthorities()).hasSize(1); + assertThat(authentication.getAuthorities()).first() + .isInstanceOf(OidcUserAuthority.class) + .hasToString("OIDC_USER"); + + // Ensure shared objects set for OAuth2 Client are not used + ClientRegistrationRepository clientRegistrationRepository = this.spring.getContext() + .getBean(ClientRegistrationRepository.class); + OAuth2AuthorizedClientRepository authorizedClientRepository = this.spring.getContext() + .getBean(OAuth2AuthorizedClientRepository.class); + verifyNoInteractions(clientRegistrationRepository, authorizedClientRepository); + } + private void loadConfig(Class... configs) { AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext(); applicationContext.register(configs); 
@@ -1192,6 +1219,45 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception { } + @Configuration + @EnableWebSecurity + static class OAuth2LoginConfigWithOAuth2Client extends CommonLambdaSecurityFilterChainConfig { + + private final ClientRegistrationRepository clientRegistrationRepository = mock( + ClientRegistrationRepository.class); + + private final OAuth2AuthorizedClientRepository authorizedClientRepository = mock( + OAuth2AuthorizedClientRepository.class); + + @Bean + SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // @formatter:off + http + .oauth2Login((oauth2Login) -> oauth2Login + .clientRegistrationRepository( + new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION)) + .authorizedClientRepository(new HttpSessionOAuth2AuthorizedClientRepository()) + ) + .oauth2Client((oauth2Client) -> oauth2Client + .clientRegistrationRepository(this.clientRegistrationRepository) + .authorizedClientRepository(this.authorizedClientRepository) + ); + // @formatter:on + return super.configureFilterChain(http); + } + + @Bean + ClientRegistrationRepository clientRegistrationRepository() { + return this.clientRegistrationRepository; + } + + @Bean + OAuth2AuthorizedClientRepository authorizedClientRepository() { + return this.authorizedClientRepository; + } + + } + private abstract static class CommonSecurityFilterChainConfig { SecurityFilterChain configureFilterChain(HttpSecurity http) throws Exception { diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java index f89a37ae40f..72474ee8258 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java 
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurerTests.java @@ -72,7 +72,7 @@ void oneTimeTokenWhenCorrectTokenThenCanAuthenticate() throws Exception { this.mvc.perform(post("/ott/generate").param("username", "user").with(csrf())) .andExpectAll(status().isFound(), redirectedUrl("/login/ott")); - String token = TestOneTimeTokenGenerationSuccessHandler.lastToken.getTokenValue(); + String token = getLastToken().getTokenValue(); this.mvc.perform(post("/login/ott").param("token", token).with(csrf())) .andExpectAll(status().isFound(), redirectedUrl("/"), authenticated()); @@ -84,7 +84,7 @@ void oneTimeTokenWhenDifferentAuthenticationUrlsThenCanAuthenticate() throws Exc this.mvc.perform(post("/generateurl").param("username", "user").with(csrf())) .andExpectAll(status().isFound(), redirectedUrl("/redirected")); - String token = TestOneTimeTokenGenerationSuccessHandler.lastToken.getTokenValue(); + String token = getLastToken().getTokenValue(); this.mvc.perform(post("/loginprocessingurl").param("token", token).with(csrf())) .andExpectAll(status().isFound(), redirectedUrl("/authenticated"), authenticated()); @@ -96,7 +96,7 @@ void oneTimeTokenWhenCorrectTokenUsedTwiceThenSecondTimeFails() throws Exception this.mvc.perform(post("/ott/generate").param("username", "user").with(csrf())) .andExpectAll(status().isFound(), redirectedUrl("/login/ott")); - String token = TestOneTimeTokenGenerationSuccessHandler.lastToken.getTokenValue(); + String token = getLastToken().getTokenValue(); this.mvc.perform(post("/login/ott").param("token", token).with(csrf())) .andExpectAll(status().isFound(), redirectedUrl("/"), authenticated()); 
@@ -194,25 +194,37 @@ Please provide it as a bean or pass it to the oneTimeTokenLogin() DSL. """); } + private OneTimeToken getLastToken() { + OneTimeToken lastToken = this.spring.getContext() + .getBean(TestOneTimeTokenGenerationSuccessHandler.class).lastToken; + return lastToken; + } + @Configuration(proxyBeanMethods = false) @EnableWebSecurity @Import(UserDetailsServiceConfig.class) static class OneTimeTokenDefaultConfig { @Bean - SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + SecurityFilterChain securityFilterChain(HttpSecurity http, + OneTimeTokenGenerationSuccessHandler ottSuccessHandler) throws Exception { // @formatter:off http .authorizeHttpRequests((authz) -> authz .anyRequest().authenticated() ) .oneTimeTokenLogin((ott) -> ott - .tokenGenerationSuccessHandler(new TestOneTimeTokenGenerationSuccessHandler()) + .tokenGenerationSuccessHandler(ottSuccessHandler) ); // @formatter:on return http.build(); } + @Bean + TestOneTimeTokenGenerationSuccessHandler ottSuccessHandler() { + return new TestOneTimeTokenGenerationSuccessHandler(); + } + } @Configuration(proxyBeanMethods = false) @@ -221,7 +233,8 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { static class OneTimeTokenDifferentUrlsConfig { @Bean - SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + SecurityFilterChain securityFilterChain(HttpSecurity http, + OneTimeTokenGenerationSuccessHandler ottSuccessHandler) throws Exception { // @formatter:off http .authorizeHttpRequests((authz) -> authz 
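Review bot: `getLastToken()` returns whatever the handler bean last stored, so when the generate request never reached the handler its callers fail with a bare NullPointerException at `getTokenValue()` instead of a readable assertion. Now that `lastToken` is per-context rather than static, a missing token is a real signal that the flow did not run, and it is worth reporting as such: `assertThat(lastToken).as("no one-time token was generated").isNotNull();` before the `return` (if AssertJ's `assertThat` is already imported in this file). Without that check the temporary local adds nothing and the method can be a single `return this.spring.getContext().getBean(TestOneTimeTokenGenerationSuccessHandler.class).lastToken;`.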
@@ -229,7 +242,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { ) .oneTimeTokenLogin((ott) -> ott .tokenGeneratingUrl("/generateurl") - .tokenGenerationSuccessHandler(new TestOneTimeTokenGenerationSuccessHandler("/redirected")) + .tokenGenerationSuccessHandler(ottSuccessHandler) .loginProcessingUrl("/loginprocessingurl") .authenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/authenticated")) ); @@ -237,6 +250,11 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { return http.build(); } + @Bean + TestOneTimeTokenGenerationSuccessHandler ottSuccessHandler() { + return new TestOneTimeTokenGenerationSuccessHandler("/redirected"); + } + } @Configuration(proxyBeanMethods = false) @@ -245,7 +263,8 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { static class OneTimeTokenFormLoginConfig { @Bean - SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + SecurityFilterChain securityFilterChain(HttpSecurity http, + OneTimeTokenGenerationSuccessHandler ottSuccessHandler) throws Exception { // @formatter:off http .authorizeHttpRequests((authz) -> authz @@ -253,12 +272,17 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { ) .formLogin(Customizer.withDefaults()) .oneTimeTokenLogin((ott) -> ott - .tokenGenerationSuccessHandler(new TestOneTimeTokenGenerationSuccessHandler()) + .tokenGenerationSuccessHandler(ottSuccessHandler) ); // @formatter:on return http.build(); } + @Bean + TestOneTimeTokenGenerationSuccessHandler ottSuccessHandler() { + return new TestOneTimeTokenGenerationSuccessHandler(); + } + } @Configuration(proxyBeanMethods = false) 
@@ -282,7 +306,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { static class TestOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGenerationSuccessHandler { - private static OneTimeToken lastToken; + private OneTimeToken lastToken; private final OneTimeTokenGenerationSuccessHandler delegate; @@ -297,7 +321,7 @@ static class TestOneTimeTokenGenerationSuccessHandler implements OneTimeTokenGen @Override public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken oneTimeToken) throws IOException, ServletException { - lastToken = oneTimeToken; + this.lastToken = oneTimeToken; this.delegate.handle(request, response, oneTimeToken); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java index 3957d416dae..e13bddf7073 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java @@ -484,6 +484,7 @@ public void saml2LogoutResponseWhenCustomLogoutResponseHandlerThenUses() throws verify(getBean(Saml2LogoutResponseValidator.class)).validate(any()); } + // gh-11363 @Test public void saml2LogoutWhenCustomLogoutRequestRepositoryThenUses() throws Exception { this.spring.register(Saml2LogoutComponentsConfig.class).autowire(); diff --git a/config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java index 152525d4a20..d51349440a5 100644 --- a/config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java 
+++ b/config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java @@ -63,6 +63,7 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.hamcrest.Matchers.containsString; import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.eq; import static org.mockito.BDDMockito.given; import static org.mockito.Mockito.atLeastOnce; import static org.mockito.Mockito.verify; @@ -380,6 +381,22 @@ public void saml2LogoutResponseWhenCustomLogoutResponseHandlerThenUses() throws verify(getBean(Saml2LogoutResponseValidator.class)).validate(any()); } + // gh-11363 + @Test + public void saml2LogoutWhenCustomLogoutRequestRepositoryThenUses() throws Exception { + this.spring.configLocations(this.xml("CustomComponents")).autowire(); + RelyingPartyRegistration registration = this.repository.findByRegistrationId("get"); + Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration) + .samlRequest(this.rpLogoutRequest) + .id(this.rpLogoutRequestId) + .relayState(this.rpLogoutRequestRelayState) + .parameters((params) -> params.put("Signature", this.rpLogoutRequestSignature)) + .build(); + given(getBean(Saml2LogoutRequestResolver.class).resolve(any(), any())).willReturn(logoutRequest); + this.mvc.perform(post("/logout").with(authentication(this.saml2User)).with(csrf())); + verify(getBean(Saml2LogoutRequestRepository.class)).saveLogoutRequest(eq(logoutRequest), any(), any()); + } + private T getBean(Class clazz) { return this.spring.getContext().getBean(clazz); } diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/OneTimeTokenLoginDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/OneTimeTokenLoginDslTests.kt index 07833e283f9..3df274b513f 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/OneTimeTokenLoginDslTests.kt 
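Review bot: In `saml2LogoutWhenCustomLogoutRequestRepositoryThenUses` the result of `this.mvc.perform(post("/logout")...)` is discarded, so the test passes on any response as long as `saveLogoutRequest` was invoked. An expectation on the outcome would pin the whole logout flow, not only the repository call, for example `.andExpect(status().isFound())` if a redirect is what the `CustomComponents` configuration produces (the XML is not visible here, so confirm the expected status). A short comment above the `given(...)` line saying that the resolver is stubbed so the exact `logoutRequest` instance can be matched with `eq(...)` would also help the next reader.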
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/OneTimeTokenLoginDslTests.kt @@ -69,7 +69,7 @@ class OneTimeTokenLoginDslTests { .redirectedUrl("/login/ott") ) - val token = TestOneTimeTokenGenerationSuccessHandler.lastToken?.tokenValue + val token = getLastToken().tokenValue this.mockMvc.perform( MockMvcRequestBuilders.post("/login/ott").param("token", token) @@ -91,7 +91,7 @@ class OneTimeTokenLoginDslTests { ) .andExpectAll(MockMvcResultMatchers.status().isFound(), MockMvcResultMatchers.redirectedUrl("/redirected")) - val token = TestOneTimeTokenGenerationSuccessHandler.lastToken?.tokenValue + val token = getLastToken().tokenValue this.mockMvc.perform( MockMvcRequestBuilders.post("/loginprocessingurl").param("token", token) @@ -104,25 +104,36 @@ class OneTimeTokenLoginDslTests { ) } + private fun getLastToken(): OneTimeToken { + val lastToken: OneTimeToken = spring.context + .getBean(TestOneTimeTokenGenerationSuccessHandler::class.java).lastToken!! + return lastToken + } + @Configuration @EnableWebSecurity @Import(UserDetailsServiceConfig::class) open class OneTimeTokenConfig { @Bean - open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + open fun securityFilterChain(http: HttpSecurity, ottSuccessHandler: OneTimeTokenGenerationSuccessHandler): SecurityFilterChain { // @formatter:off http { authorizeHttpRequests { authorize(anyRequest, authenticated) } oneTimeTokenLogin { - oneTimeTokenGenerationSuccessHandler = TestOneTimeTokenGenerationSuccessHandler() + oneTimeTokenGenerationSuccessHandler = ottSuccessHandler } } // @formatter:on return http.build() } + + @Bean + open fun ottSuccessHandler(): TestOneTimeTokenGenerationSuccessHandler { + return TestOneTimeTokenGenerationSuccessHandler() + } } @EnableWebSecurity 
@@ -130,7 +141,7 @@ class OneTimeTokenLoginDslTests { @Import(UserDetailsServiceConfig::class) open class OneTimeTokenDifferentUrlsConfig { @Bean - open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + open fun securityFilterChain(http: HttpSecurity, ottSuccessHandler: OneTimeTokenGenerationSuccessHandler): SecurityFilterChain { // @formatter:off http { authorizeHttpRequests { @@ -138,7 +149,7 @@ class OneTimeTokenLoginDslTests { } oneTimeTokenLogin { tokenGeneratingUrl = "/generateurl" - oneTimeTokenGenerationSuccessHandler = TestOneTimeTokenGenerationSuccessHandler("/redirected") + oneTimeTokenGenerationSuccessHandler = ottSuccessHandler loginProcessingUrl = "/loginprocessingurl" authenticationSuccessHandler = SimpleUrlAuthenticationSuccessHandler("/authenticated") } @@ -146,6 +157,11 @@ class OneTimeTokenLoginDslTests { // @formatter:on return http.build() } + + @Bean + open fun ottSuccessHandler(): TestOneTimeTokenGenerationSuccessHandler { + return TestOneTimeTokenGenerationSuccessHandler("/redirected") + } } @Configuration(proxyBeanMethods = false) @@ -156,9 +172,10 @@ class OneTimeTokenLoginDslTests { InMemoryUserDetailsManager(PasswordEncodedUser.user(), PasswordEncodedUser.admin()) } - private class TestOneTimeTokenGenerationSuccessHandler : + class TestOneTimeTokenGenerationSuccessHandler : OneTimeTokenGenerationSuccessHandler { private val delegate: OneTimeTokenGenerationSuccessHandler + var lastToken: OneTimeToken? = null constructor() { this.delegate = @@ -175,12 +192,8 @@ class OneTimeTokenLoginDslTests { } override fun handle(request: HttpServletRequest, response: HttpServletResponse, oneTimeToken: OneTimeToken) { - lastToken = oneTimeToken + this.lastToken = oneTimeToken delegate.handle(request, response, oneTimeToken) } - - companion object { - var lastToken: OneTimeToken? = null - } } } 
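Review bot: `var lastToken: OneTimeToken? = null` in `TestOneTimeTokenGenerationSuccessHandler` is now a publicly writable property on a class that is no longer `private`, so any code holding the bean can overwrite the captured token. Only `handle()` needs to write it; adding `private set` on the line under the property keeps `getLastToken()` able to read it and leaves `handle()` as the single writer. A one-line KDoc on the property, such as `/** Token passed to the most recent handle() call, or null if none yet. */`, would document the nullable state that the helper relies on.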
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt index c0705e50bc2..8bdee169f8a 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt +++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/WebAuthnDslTests.kt @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.config.annotation.web +import org.hamcrest.Matchers import org.junit.jupiter.api.Test import org.junit.jupiter.api.extension.ExtendWith import org.springframework.beans.factory.annotation.Autowired @@ -30,7 +31,9 @@ import org.springframework.security.core.userdetails.UserDetailsService import org.springframework.security.provisioning.InMemoryUserDetailsManager import org.springframework.security.web.SecurityFilterChain import org.springframework.test.web.servlet.MockMvc +import org.springframework.test.web.servlet.get import org.springframework.test.web.servlet.post +import org.springframework.test.web.servlet.result.MockMvcResultMatchers /** * Tests for [WebAuthnDsl] 
@@ -55,6 +58,76 @@ class WebAuthnDslTests { } } + @Test + fun `webauthn and formLogin configured with default registration page`() { + spring.register(DefaultWebauthnConfig::class.java).autowire() + + this.mockMvc.get("/login/webauthn.js") + .andExpect { + MockMvcResultMatchers.status().isOk + header { + string("content-type", "text/javascript;charset=UTF-8") + } + content { + string(Matchers.containsString("async function authenticate(")) + } + } + } + + @Test + fun `webauthn and formLogin configured with disabled default registration page`() { + spring.register(FormLoginAndNoDefaultRegistrationPageConfiguration::class.java).autowire() + + this.mockMvc.get("/login/webauthn.js") + .andExpect { + MockMvcResultMatchers.status().isOk + header { + string("content-type", "text/javascript;charset=UTF-8") + } + content { + string(Matchers.containsString("async function authenticate(")) + } + } + } + + @Configuration + @EnableWebSecurity + open class FormLoginAndNoDefaultRegistrationPageConfiguration { + @Bean + open fun userDetailsService(): UserDetailsService = + InMemoryUserDetailsManager() + + + @Bean + open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + http{ + formLogin { } + webAuthn { + disableDefaultRegistrationPage = true + } + } + return http.build() + } + } + + @Configuration + @EnableWebSecurity + open class DefaultWebauthnConfig { + @Bean + open fun userDetailsService(): UserDetailsService = + InMemoryUserDetailsManager() + + + @Bean + open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + http{ + formLogin { } + webAuthn { } + } + return http.build() + } + } + @Configuration @EnableWebSecurity open class WebauthnConfig { 
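Review bot: In both new tests the line `MockMvcResultMatchers.status().isOk` inside the `andExpect { }` block only builds a ResultMatcher and drops it; nothing applies it to the response, so the status code is never asserted. Inside the DSL block the status check is written `status { isOk() }`, alongside the existing `header { }` and `content { }` calls. With that change the `MockMvcResultMatchers` import added by this commit appears to be unused. The two tests also assert exactly the same response, so a comment on the second one saying that `/login/webauthn.js` must still be served when `disableDefaultRegistrationPage = true` would make its intent clear. The enclosing class `WebAuthnDslTests` continues outside the hunk.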
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AccessDeniedException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AccessDeniedException.serialized new file mode 100644 index 00000000000..61dae86206e Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AccessDeniedException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AuthorizationServiceException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AuthorizationServiceException.serialized new file mode 100644 index 00000000000..222e625eb63 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AuthorizationServiceException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized new file mode 100644 index 00000000000..ae659612d73 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AccountExpiredException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AccountExpiredException.serialized new file mode 100644 index 00000000000..004b8f22ea7 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AccountExpiredException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.serialized new file mode 100644 index 00000000000..4e99aa03653 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationServiceException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationServiceException.serialized new file mode 100644 index 00000000000..c12cd3a7c52 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationServiceException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.BadCredentialsException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.BadCredentialsException.serialized new file mode 100644 index 00000000000..36c9802e720 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.BadCredentialsException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.CredentialsExpiredException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.CredentialsExpiredException.serialized new file mode 100644 index 00000000000..0ec7355f62c Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.CredentialsExpiredException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.DisabledException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.DisabledException.serialized new file mode 100644 index 00000000000..71d58fa87c7 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.DisabledException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InsufficientAuthenticationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InsufficientAuthenticationException.serialized new file mode 100644 index 00000000000..24e5a933fa9 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InsufficientAuthenticationException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InternalAuthenticationServiceException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InternalAuthenticationServiceException.serialized new file mode 100644 index 00000000000..3ce3a576f5a Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InternalAuthenticationServiceException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.LockedException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.LockedException.serialized new file mode 100644 index 00000000000..30e52eafc8c Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.LockedException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ProviderNotFoundException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ProviderNotFoundException.serialized new file mode 100644 index 00000000000..1a7ade4e8d1 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ProviderNotFoundException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent.serialized new file mode 100644 index 00000000000..979b2e937ad Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent.serialized new file mode 100644 index 00000000000..e4afece24aa Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent.serialized new file mode 100644 index 00000000000..c067d46e436 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent.serialized new file mode 100644 index 00000000000..927df004815 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureLockedEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureLockedEvent.serialized new file mode 100644 index 00000000000..46609358d9b Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureLockedEvent.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent.serialized new file mode 100644 index 00000000000..18de70b6051 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent.serialized new file mode 100644 index 00000000000..f348e60c844 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent.serialized new file mode 100644 index 00000000000..15790690a40 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationSuccessEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationSuccessEvent.serialized new file mode 100644 index 00000000000..d04eb51778b Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationSuccessEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent.serialized new file mode 100644 index 00000000000..49143cf8188 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.LogoutSuccessEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.LogoutSuccessEvent.serialized new file mode 100644 index 00000000000..646896dde48 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.LogoutSuccessEvent.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent.serialized new file mode 100644 index 00000000000..d371ae6ae4b Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent.serialized new file mode 100644 index 00000000000..6532dac81f9 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ott.InvalidOneTimeTokenException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ott.InvalidOneTimeTokenException.serialized new file mode 100644 index 00000000000..72c49585259 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ott.InvalidOneTimeTokenException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.password.CompromisedPasswordException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.password.CompromisedPasswordException.serialized new file mode 100644 index 00000000000..112bcf688ce Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.password.CompromisedPasswordException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized new file mode 100644 index 00000000000..ad5c632ccff Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized new file mode 100644 index 00000000000..3992b0122aa Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized new file mode 100644 index 00000000000..5ef935c3680 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized new file mode 100644 index 00000000000..5a4ccd07b4d Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.session.AbstractSessionEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.session.AbstractSessionEvent.serialized new file mode 100644 index 00000000000..a22f7a0f9b3 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.session.AbstractSessionEvent.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.userdetails.UsernameNotFoundException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.userdetails.UsernameNotFoundException.serialized new file mode 100644 index 00000000000..0272398b25f Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.userdetails.UsernameNotFoundException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized new file mode 100644 index 00000000000..51e783d58cf Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyException.serialized new file mode 100644 index 00000000000..148433692c0 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized new file mode 100644 index 00000000000..911742c9818 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationException.serialized new file mode 100644 index 00000000000..7566a0979b5 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationRequiredException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationRequiredException.serialized new file mode 100644 index 00000000000..836566955ab Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationRequiredException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthenticationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthenticationException.serialized new file mode 100644 index 00000000000..de67c73ec22 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthenticationException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthorizationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthorizationException.serialized new file mode 100644 index 00000000000..b082c12d282 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthorizationException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.BadJwtException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.BadJwtException.serialized new file mode 100644 index 00000000000..275216a9f2d Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.BadJwtException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtDecoderInitializationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtDecoderInitializationException.serialized new file mode 100644 index 00000000000..39a7ada3a10 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtDecoderInitializationException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtEncodingException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtEncodingException.serialized new file mode 100644 index 00000000000..e0026470c33 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtEncodingException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtException.serialized new file mode 100644 index 00000000000..ac27bf9f67a Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtValidationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtValidationException.serialized new file mode 100644 index 00000000000..539b3ea50e3 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtValidationException.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.InvalidBearerTokenException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.InvalidBearerTokenException.serialized new file mode 100644 index 00000000000..e2cd7fbb997 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.InvalidBearerTokenException.serialized differ 
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException.serialized
new file mode 100644
index 00000000000..098c85e9bd6
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException.serialized
new file mode 100644
index 00000000000..4c8b96b31ed
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.Saml2Exception.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.Saml2Exception.serialized
new file mode 100644
index 00000000000..4fd752b76ff
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.Saml2Exception.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.core.Saml2X509Credential.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.core.Saml2X509Credential.serialized
new file mode 100644
index 00000000000..736cb69fc13
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.core.Saml2X509Credential.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException.serialized
new file mode 100644
index 00000000000..f771882b3de
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.serialized
new file mode 100644
index 00000000000..cdc6b6b2592
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration$AssertingPartyDetails.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration$AssertingPartyDetails.serialized
new file mode 100644
index 00000000000..55aff67094f
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration$AssertingPartyDetails.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.serialized
new file mode 100644
index 00000000000..5640654bba1
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException.serialized
new file mode 100644
index 00000000000..6d7a94c2950
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.CookieTheftException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.CookieTheftException.serialized
new file mode 100644
index 00000000000..e983ebc0136
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.CookieTheftException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.InvalidCookieException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.InvalidCookieException.serialized
new file mode 100644
index 00000000000..b4f3a5f6acc
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.InvalidCookieException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException.serialized
new file mode 100644
index 00000000000..fe88d36cd4b
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionAuthenticationException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionAuthenticationException.serialized
new file mode 100644
index 00000000000..5b627fb9c7a
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionAuthenticationException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionFixationProtectionEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionFixationProtectionEvent.serialized
new file mode 100644
index 00000000000..4fc1f92cb28
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionFixationProtectionEvent.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent.serialized
new file mode 100644
index 00000000000..17b756520d3
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.www.NonceExpiredException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.www.NonceExpiredException.serialized
new file mode 100644
index 00000000000..2d1621125f3
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.www.NonceExpiredException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.CsrfException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.CsrfException.serialized
new file mode 100644
index 00000000000..55eddf9e9f0
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.CsrfException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.DefaultCsrfToken.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.DefaultCsrfToken.serialized
new file mode 100644
index 00000000000..693e898c313
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.DefaultCsrfToken.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.InvalidCsrfTokenException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.InvalidCsrfTokenException.serialized
new file mode 100644
index 00000000000..18f8a50a348
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.InvalidCsrfTokenException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.MissingCsrfTokenException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.MissingCsrfTokenException.serialized
new file mode 100644
index 00000000000..dd210a46128
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.MissingCsrfTokenException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.firewall.RequestRejectedException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.firewall.RequestRejectedException.serialized
new file mode 100644
index 00000000000..52e1faf545b
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.firewall.RequestRejectedException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized
new file mode 100644
index 00000000000..58449b0e225
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.CsrfException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.CsrfException.serialized
new file mode 100644
index 00000000000..6556a08dde7
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.CsrfException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.DefaultCsrfToken.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.DefaultCsrfToken.serialized
new file mode 100644
index 00000000000..9cff958c490
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.DefaultCsrfToken.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.firewall.ServerExchangeRejectedException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.firewall.ServerExchangeRejectedException.serialized
new file mode 100644
index 00000000000..33fb178f627
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.firewall.ServerExchangeRejectedException.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.session.HttpSessionCreatedEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.session.HttpSessionCreatedEvent.serialized
new file mode 100644
index 00000000000..95888e6e1cc
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.session.HttpSessionCreatedEvent.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized
new file mode 100644
index 00000000000..64a8173e8e3
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized
new file mode 100644
index 00000000000..449d5b9a981
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorTransport.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorTransport.serialized
new file mode 100644
index 00000000000..183124aa4e6
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorTransport.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.Bytes.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.Bytes.serialized
new file mode 100644
index 00000000000..483bef50163
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.Bytes.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput$CredProtect.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput$CredProtect.serialized
new file mode 100644
index 00000000000..0222d302d6c
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput$CredProtect.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput.serialized
new file mode 100644
index 00000000000..0b0b44e588b
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized
new file mode 100644
index 00000000000..78ddecc0425
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput.serialized
new file mode 100644
index 00000000000..604e609fcaa
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs.serialized
new file mode 100644
index 00000000000..d5b3e16ebfd
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized
new file mode 100644
index 00000000000..e35a639ccaa
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity.serialized
new file mode 100644
index 00000000000..eb662f4843a
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized
new file mode 100644
index 00000000000..2edec67206b
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor.serialized
new file mode 100644
index 00000000000..70911ad2c17
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions.serialized
new file mode 100644
index 00000000000..40415ad5dfe
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialType.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialType.serialized
new file mode 100644
index 00000000000..efc9d8e3ee6
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialType.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.UserVerificationRequirement.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.UserVerificationRequirement.serialized
new file mode 100644
index 00000000000..7fde55c0e17
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.UserVerificationRequirement.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication.serialized
new file mode 100644
index 00000000000..a5baa210e66
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized
new file mode 100644
index 00000000000..b7eda5a62d7
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized differ
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized
new file mode 100644
index 00000000000..ea313db1071
Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized differ
diff --git a/core/src/main/java/org/springframework/security/access/AccessDeniedException.java b/core/src/main/java/org/springframework/security/access/AccessDeniedException.java
index 3bf6ceac5a0..49efd9f689d 100644
--- a/core/src/main/java/org/springframework/security/access/AccessDeniedException.java
+++ b/core/src/main/java/org/springframework/security/access/AccessDeniedException.java
@@ -16,6 +16,8 @@ package org.springframework.security.access; +import java.io.Serial; + /** * Thrown if an {@link org.springframework.security.core.Authentication Authentication} * object does not hold a required authority. @@ -24,6 +26,9 @@ */ public class AccessDeniedException extends RuntimeException { + @Serial + private static final long serialVersionUID = 6395817500121599533L; + /** * Constructs an AccessDeniedException with the specified message. * @param msg the detail message diff --git a/core/src/main/java/org/springframework/security/access/AuthorizationServiceException.java b/core/src/main/java/org/springframework/security/access/AuthorizationServiceException.java index 6952be563a6..4320b0075ff 100644 --- a/core/src/main/java/org/springframework/security/access/AuthorizationServiceException.java +++ b/core/src/main/java/org/springframework/security/access/AuthorizationServiceException.java @@ -16,6 +16,8 @@ package org.springframework.security.access; +import java.io.Serial; + /** * Thrown if an authorization request could not be processed due to a system problem. *
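Review bot: The `serialVersionUID = 6395817500121599533L` added to AccessDeniedException has no comment saying where the value comes from, and nothing in the hunk shows that it equals the UID the JVM derived for the class before this change. If the two differ, an instance written by an earlier release (for example one held in a persisted or replicated session) is rejected with `InvalidClassException` after the upgrade. If the value was taken from the 6.4.x class, record that above the field, e.g. `// default UID of the 6.4.x class; changing it breaks deserialization of stored instances`, and check that a 6.4.x fixture covers this class, since none is visible in this part of the diff. The same question applies to the UIDs added in the later hunks for AuthorizationServiceException, SecurityConfig, AccountExpiredException, AuthenticationCredentialsNotFoundException, AuthenticationServiceException, BadCredentialsException, CredentialsExpiredException and DisabledException. The class body continues outside the hunk.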

@@ -26,6 +28,9 @@ */ public class AuthorizationServiceException extends AccessDeniedException { + @Serial + private static final long serialVersionUID = 4817857292041606900L; + /** * Constructs an AuthorizationServiceException with the specified * message. diff --git a/core/src/main/java/org/springframework/security/access/SecurityConfig.java b/core/src/main/java/org/springframework/security/access/SecurityConfig.java index 3079174e529..2cbc640b3ad 100644 --- a/core/src/main/java/org/springframework/security/access/SecurityConfig.java +++ b/core/src/main/java/org/springframework/security/access/SecurityConfig.java @@ -16,6 +16,7 @@ package org.springframework.security.access; +import java.io.Serial; import java.util.ArrayList; import java.util.List; @@ -29,6 +30,9 @@ */ public class SecurityConfig implements ConfigAttribute { + @Serial + private static final long serialVersionUID = -7138084564199804304L; + private final String attrib; public SecurityConfig(String config) { diff --git a/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java b/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java index 3a3ccdf91e7..f129fdbe176 100644 --- a/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java +++ b/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java @@ -30,6 +30,7 @@ * @deprecated Use {@link AuthorizationManagerBeforeMethodInterceptor#jsr250()} instead */ @Deprecated +@SuppressWarnings("serial") public class Jsr250SecurityConfig extends SecurityConfig { public static final Jsr250SecurityConfig PERMIT_ALL_ATTRIBUTE = new Jsr250SecurityConfig(PermitAll.class.getName()); 
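Review bot: Jsr250SecurityConfig receives a class-level `@SuppressWarnings("serial")` while its superclass SecurityConfig is given a pinned `serialVersionUID` in the same commit, so the subclass keeps a compiler-derived UID and its serialized form can still shift with unrelated edits. A class-level suppression also hides every other `serial` lint finding raised inside the class, not only the missing-UID one. If leaving deprecated types unpinned is deliberate, say so next to the annotation, e.g. `// deprecated: serialized form intentionally not pinned`; otherwise pin the UID as was done for SecurityConfig. The same applies to the annotation added on the deprecated event, expression-attribute and advisor classes in the following hunks.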
diff --git a/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java index daae07eec98..8d7107ed5bb 100644 --- a/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java +++ b/core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java @@ -32,6 +32,7 @@ * instead. */ @Deprecated +@SuppressWarnings("serial") public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizationEvent { private final AuthenticationCredentialsNotFoundException credentialsNotFoundException; diff --git a/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java index eac534ba6dd..fba28adf0bb 100644 --- a/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java +++ b/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java @@ -39,6 +39,7 @@ * instead */ @Deprecated +@SuppressWarnings("serial") public class AuthorizationFailureEvent extends AbstractAuthorizationEvent { private final AccessDeniedException accessDeniedException; diff --git a/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java index 7697dea90df..3ec29ce6a2c 100644 --- a/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java +++ b/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java @@ -34,6 +34,7 @@ * instead */ @Deprecated +@SuppressWarnings("serial") public class AuthorizedEvent extends AbstractAuthorizationEvent { private final Authentication authentication; 
diff --git a/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java b/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java index 2aab5dba91e..7289d8a1edd 100644 --- a/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java +++ b/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java @@ -34,6 +34,7 @@ * {@link AuthorizationGrantedEvent#getSource()} to deduce public invocations. */ @Deprecated +@SuppressWarnings("serial") public class PublicInvocationEvent extends AbstractAuthorizationEvent { /** diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java index 3dc86cc5a11..8642484a418 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java @@ -28,6 +28,7 @@ * instead */ @Deprecated +@SuppressWarnings("serial") class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute implements PostInvocationAttribute { diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java index 26af51a6f1e..41ec280bc77 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java 
@@ -28,6 +28,7 @@ * instead */ @Deprecated +@SuppressWarnings("serial") class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute implements PreInvocationAttribute { diff --git a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java index 4bc3d19b5bf..58174d9d1ae 100644 --- a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java +++ b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java @@ -54,6 +54,7 @@ * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly */ @Deprecated +@SuppressWarnings("serial") public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware { private transient MethodSecurityMetadataSource attributeSource; diff --git a/core/src/main/java/org/springframework/security/authentication/AccountExpiredException.java b/core/src/main/java/org/springframework/security/authentication/AccountExpiredException.java index e8ef659882e..1193bf52364 100644 --- a/core/src/main/java/org/springframework/security/authentication/AccountExpiredException.java +++ b/core/src/main/java/org/springframework/security/authentication/AccountExpiredException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + /** * Thrown if an authentication request is rejected because the account has expired. Makes * no assertion as to whether or not the credentials were valid. 
@@ -24,6 +26,9 @@ */ public class AccountExpiredException extends AccountStatusException { + @Serial + private static final long serialVersionUID = 3732869526329993353L; + /** * Constructs a AccountExpiredException with the specified message. * @param msg the detail message diff --git a/core/src/main/java/org/springframework/security/authentication/AuthenticationCredentialsNotFoundException.java b/core/src/main/java/org/springframework/security/authentication/AuthenticationCredentialsNotFoundException.java index 91b5d616d88..0ed92018e69 100644 --- a/core/src/main/java/org/springframework/security/authentication/AuthenticationCredentialsNotFoundException.java +++ b/core/src/main/java/org/springframework/security/authentication/AuthenticationCredentialsNotFoundException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -28,6 +30,9 @@ */ public class AuthenticationCredentialsNotFoundException extends AuthenticationException { + @Serial + private static final long serialVersionUID = 4153580041526791384L; + /** * Constructs an AuthenticationCredentialsNotFoundException with the * specified message. diff --git a/core/src/main/java/org/springframework/security/authentication/AuthenticationServiceException.java b/core/src/main/java/org/springframework/security/authentication/AuthenticationServiceException.java index 69d7233bdf9..3bd076dfd86 100644 --- a/core/src/main/java/org/springframework/security/authentication/AuthenticationServiceException.java +++ b/core/src/main/java/org/springframework/security/authentication/AuthenticationServiceException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** 
@@ -29,6 +31,9 @@ */ public class AuthenticationServiceException extends AuthenticationException { + @Serial + private static final long serialVersionUID = -1591626195291329340L; + /** * Constructs an AuthenticationServiceException with the specified * message. diff --git a/core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java b/core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java index e202ef7b5a1..bc759f5f7a3 100644 --- a/core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java +++ b/core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** @@ -26,6 +28,9 @@ */ public class BadCredentialsException extends AuthenticationException { + @Serial + private static final long serialVersionUID = 2742216069043066973L; + /** * Constructs a BadCredentialsException with the specified message. * @param msg the detail message diff --git a/core/src/main/java/org/springframework/security/authentication/CredentialsExpiredException.java b/core/src/main/java/org/springframework/security/authentication/CredentialsExpiredException.java index 8e532169aed..04194177633 100644 --- a/core/src/main/java/org/springframework/security/authentication/CredentialsExpiredException.java +++ b/core/src/main/java/org/springframework/security/authentication/CredentialsExpiredException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + /** * Thrown if an authentication request is rejected because the account's credentials have * expired. Makes no assertion as to whether or not the credentials were valid. 
@@ -24,6 +26,9 @@ */ public class CredentialsExpiredException extends AccountStatusException { + @Serial + private static final long serialVersionUID = -3306615738048904753L; + /** * Constructs a CredentialsExpiredException with the specified message. * @param msg the detail message diff --git a/core/src/main/java/org/springframework/security/authentication/DisabledException.java b/core/src/main/java/org/springframework/security/authentication/DisabledException.java index 31a75ce0cc8..fba17185901 100644 --- a/core/src/main/java/org/springframework/security/authentication/DisabledException.java +++ b/core/src/main/java/org/springframework/security/authentication/DisabledException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + /** * Thrown if an authentication request is rejected because the account is disabled. Makes * no assertion as to whether or not the credentials were valid. @@ -24,6 +26,9 @@ */ public class DisabledException extends AccountStatusException { + @Serial + private static final long serialVersionUID = 2295984593872502361L; + /** * Constructs a DisabledException with the specified message. * @param msg the detail message diff --git a/core/src/main/java/org/springframework/security/authentication/InsufficientAuthenticationException.java b/core/src/main/java/org/springframework/security/authentication/InsufficientAuthenticationException.java index 0e072b527a1..f4759349277 100644 --- a/core/src/main/java/org/springframework/security/authentication/InsufficientAuthenticationException.java +++ b/core/src/main/java/org/springframework/security/authentication/InsufficientAuthenticationException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** 
@@ -33,6 +35,9 @@ */ public class InsufficientAuthenticationException extends AuthenticationException { + @Serial + private static final long serialVersionUID = -5514084346181236128L; + /** * Constructs an InsufficientAuthenticationException with the specified * message. diff --git a/core/src/main/java/org/springframework/security/authentication/InternalAuthenticationServiceException.java b/core/src/main/java/org/springframework/security/authentication/InternalAuthenticationServiceException.java index 3037ebaaf08..de59b2d5efa 100644 --- a/core/src/main/java/org/springframework/security/authentication/InternalAuthenticationServiceException.java +++ b/core/src/main/java/org/springframework/security/authentication/InternalAuthenticationServiceException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + /** *

* Thrown if an authentication request could not be processed due to a system problem that @@ -37,6 +39,9 @@ */ public class InternalAuthenticationServiceException extends AuthenticationServiceException { + @Serial + private static final long serialVersionUID = -6029644854192497840L; + public InternalAuthenticationServiceException(String message, Throwable cause) { super(message, cause); } diff --git a/core/src/main/java/org/springframework/security/authentication/LockedException.java b/core/src/main/java/org/springframework/security/authentication/LockedException.java index 9b2272b08fd..5262fdb52e4 100644 --- a/core/src/main/java/org/springframework/security/authentication/LockedException.java +++ b/core/src/main/java/org/springframework/security/authentication/LockedException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + /** * Thrown if an authentication request is rejected because the account is locked. Makes no * assertion as to whether or not the credentials were valid. @@ -24,6 +26,9 @@ */ public class LockedException extends AccountStatusException { + @Serial + private static final long serialVersionUID = 548864198455046567L; + /** * Constructs a LockedException with the specified message. * @param msg the detail message. diff --git a/core/src/main/java/org/springframework/security/authentication/ProviderNotFoundException.java b/core/src/main/java/org/springframework/security/authentication/ProviderNotFoundException.java index 629a28e8c8c..870a6ea1f83 100644 --- a/core/src/main/java/org/springframework/security/authentication/ProviderNotFoundException.java +++ b/core/src/main/java/org/springframework/security/authentication/ProviderNotFoundException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** 
@@ -27,6 +29,9 @@ */ public class ProviderNotFoundException extends AuthenticationException { + @Serial + private static final long serialVersionUID = 8107665253214447614L; + /** * Constructs a ProviderNotFoundException with the specified message. * @param msg the detail message diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureBadCredentialsEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureBadCredentialsEvent.java index 796690b0e61..6c80a3e883b 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureBadCredentialsEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureBadCredentialsEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureBadCredentialsEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = -5245144711561130379L; + public AuthenticationFailureBadCredentialsEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); } diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureCredentialsExpiredEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureCredentialsExpiredEvent.java index 57f218a239e..2849ba03714 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureCredentialsExpiredEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureCredentialsExpiredEvent.java 
@@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureCredentialsExpiredEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = -7595086332769705203L; + public AuthenticationFailureCredentialsExpiredEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureDisabledEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureDisabledEvent.java index 3a4604354f4..79c0fd479fc 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureDisabledEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureDisabledEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureDisabledEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = 8037552364666766279L; + public AuthenticationFailureDisabledEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); } diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureExpiredEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureExpiredEvent.java index 086e16cb378..a1f680dc5d9 100644 
--- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureExpiredEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureExpiredEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureExpiredEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = -8437264795214121718L; + public AuthenticationFailureExpiredEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); } diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureLockedEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureLockedEvent.java index 544964cdec4..5cc0702909a 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureLockedEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureLockedEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureLockedEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = -5126110096093568463L; + public AuthenticationFailureLockedEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); } 
diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProviderNotFoundEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProviderNotFoundEvent.java index 1a1cf7c87ee..ee4f5538e26 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProviderNotFoundEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProviderNotFoundEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureProviderNotFoundEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = 9122219669183263487L; + public AuthenticationFailureProviderNotFoundEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProxyUntrustedEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProxyUntrustedEvent.java index 772774d3f18..31617e6caa0 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProxyUntrustedEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureProxyUntrustedEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; 
@@ -27,6 +29,9 @@ */ public class AuthenticationFailureProxyUntrustedEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = 1801476426012753252L; + public AuthenticationFailureProxyUntrustedEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); } diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureServiceExceptionEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureServiceExceptionEvent.java index 167d5fae3b3..d84f38625e3 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureServiceExceptionEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationFailureServiceExceptionEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -27,6 +29,9 @@ */ public class AuthenticationFailureServiceExceptionEvent extends AbstractAuthenticationFailureEvent { + @Serial + private static final long serialVersionUID = 5580062757249390756L; + public AuthenticationFailureServiceExceptionEvent(Authentication authentication, AuthenticationException exception) { super(authentication, exception); diff --git a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationSuccessEvent.java b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationSuccessEvent.java index 5b3b9bcd24b..5b18199a6c9 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/AuthenticationSuccessEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/AuthenticationSuccessEvent.java 
@@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; /** @@ -25,6 +27,9 @@ */ public class AuthenticationSuccessEvent extends AbstractAuthenticationEvent { + @Serial + private static final long serialVersionUID = 2537206344128673963L; + public AuthenticationSuccessEvent(Authentication authentication) { super(authentication); } diff --git a/core/src/main/java/org/springframework/security/authentication/event/InteractiveAuthenticationSuccessEvent.java b/core/src/main/java/org/springframework/security/authentication/event/InteractiveAuthenticationSuccessEvent.java index c93d2a9165d..eac89b4eafd 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/InteractiveAuthenticationSuccessEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/InteractiveAuthenticationSuccessEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.util.Assert; @@ -34,6 +36,9 @@ */ public class InteractiveAuthenticationSuccessEvent extends AbstractAuthenticationEvent { + @Serial + private static final long serialVersionUID = -1990271553478571709L; + private final Class generatedBy; public InteractiveAuthenticationSuccessEvent(Authentication authentication, Class generatedBy) { diff --git a/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java b/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java index 094d0a332d7..1ea77c2a21d 100644 --- a/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.authentication.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; /** @@ -26,6 +28,9 @@ */ public class LogoutSuccessEvent extends AbstractAuthenticationEvent { + @Serial + private static final long serialVersionUID = 5112491795571632311L; + public LogoutSuccessEvent(Authentication authentication) { super(authentication); } diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationFailedEvent.java b/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationFailedEvent.java index 4b70d779509..c3b6d427bda 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationFailedEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationFailedEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.jaas.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; /** @@ -26,6 +28,9 @@ */ public class JaasAuthenticationFailedEvent extends JaasAuthenticationEvent { + @Serial + private static final long serialVersionUID = -240510538971925002L; + private final Exception exception; public JaasAuthenticationFailedEvent(Authentication auth, Exception exception) { diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationSuccessEvent.java b/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationSuccessEvent.java index 0afa2b882b9..ec654a2a9fc 100644 
--- a/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationSuccessEvent.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/event/JaasAuthenticationSuccessEvent.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.jaas.event; +import java.io.Serial; + import org.springframework.security.core.Authentication; /** @@ -28,6 +30,9 @@ */ public class JaasAuthenticationSuccessEvent extends JaasAuthenticationEvent { + @Serial + private static final long serialVersionUID = 2236826715750256181L; + public JaasAuthenticationSuccessEvent(Authentication auth) { super(auth); } diff --git a/core/src/main/java/org/springframework/security/authentication/ott/InvalidOneTimeTokenException.java b/core/src/main/java/org/springframework/security/authentication/ott/InvalidOneTimeTokenException.java index 03289f12b78..8ee8199cd09 100644 --- a/core/src/main/java/org/springframework/security/authentication/ott/InvalidOneTimeTokenException.java +++ b/core/src/main/java/org/springframework/security/authentication/ott/InvalidOneTimeTokenException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.ott; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** @@ -26,6 +28,9 @@ */ public class InvalidOneTimeTokenException extends AuthenticationException { + @Serial + private static final long serialVersionUID = -3651018515682919943L; + public InvalidOneTimeTokenException(String msg) { super(msg); } diff --git a/core/src/main/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenService.java b/core/src/main/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenService.java index 014541373ad..4cf6753631b 100644 --- a/core/src/main/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenService.java +++ b/core/src/main/java/org/springframework/security/authentication/ott/JdbcOneTimeTokenService.java 
@@ -190,7 +190,8 @@ private ThreadPoolTaskScheduler createTaskScheduler(String cleanupCron) { } public void cleanupExpiredTokens() { - List parameters = List.of(new SqlParameterValue(Types.TIMESTAMP, Instant.now())); + List parameters = List + .of(new SqlParameterValue(Types.TIMESTAMP, Timestamp.from(Instant.now()))); PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters.toArray()); int deletedCount = this.jdbcOperations.update(DELETE_ONE_TIME_TOKENS_BY_EXPIRY_TIME_QUERY, pss); if (this.logger.isDebugEnabled()) { diff --git a/core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordException.java b/core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordException.java index 672876164fb..04d042b96af 100644 --- a/core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordException.java +++ b/core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordException.java @@ -16,6 +16,8 @@ package org.springframework.security.authentication.password; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** @@ -26,6 +28,9 @@ */ public class CompromisedPasswordException extends AuthenticationException { + @Serial + private static final long serialVersionUID = -885858958297842864L; + public CompromisedPasswordException(String message) { super(message); } diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java index f9dd43a7845..629dfa4a391 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java 
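Review bot: `cleanupExpiredTokens()` still derives its cutoff from `Instant.now()`, the wall clock of the application node, so wrapping it in `Timestamp.from(...)` fixes the JDBC type but not the time source. If this service has a configurable `Clock` for issuing and consuming tokens (not visible in this hunk), the cleanup should read the same one, e.g. `Timestamp.from(this.clock.instant())`. That way a fixed or offset clock deletes exactly the tokens the service itself treats as expired. The new `Timestamp` reference also needs a `java.sql.Timestamp` import, which the hunk does not show. The method body continues past the end of the hunk.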
@@ -16,6 +16,7 @@ package org.springframework.security.authorization; +import java.io.Serial; import java.util.Collection; import org.springframework.security.core.GrantedAuthority; @@ -28,6 +29,9 @@ */ public class AuthorityAuthorizationDecision extends AuthorizationDecision { + @Serial + private static final long serialVersionUID = -8338309042331376592L; + private final Collection authorities; public AuthorityAuthorizationDecision(boolean granted, Collection authorities) { diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java index bd873ecdb17..a428fc28d9c 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java @@ -16,12 +16,17 @@ package org.springframework.security.authorization; +import java.io.Serial; + /** * @author Rob Winch * @since 5.0 */ public class AuthorizationDecision implements AuthorizationResult { + @Serial + private static final long serialVersionUID = -3226018324649244416L; + private final boolean granted; public AuthorizationDecision(boolean granted) { diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java index fdcb1e70aa6..63385e1cbd1 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java @@ -16,6 +16,8 @@ package org.springframework.security.authorization; +import java.io.Serial; + import org.springframework.security.access.AccessDeniedException; import org.springframework.util.Assert; 
@@ -27,6 +29,9 @@ */ public class AuthorizationDeniedException extends AccessDeniedException implements AuthorizationResult { + @Serial + private static final long serialVersionUID = 3227305845919610459L; + private final AuthorizationResult result; public AuthorizationDeniedException(String msg, AuthorizationResult authorizationResult) { diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java index f3893c97433..d0de9bd647c 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java @@ -145,6 +145,7 @@ public static AuthorizationManager not(AuthorizationManager manager) { private AuthorizationManagers() { } + @SuppressWarnings("serial") private static final class CompositeAuthorizationDecision extends AuthorizationDecision { private final List results; @@ -161,6 +162,7 @@ public String toString() { } + @SuppressWarnings("serial") private static final class NotAuthorizationDecision extends AuthorizationDecision { private final AuthorizationResult result; diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java index 11c5cd4a769..a98c61a3aa4 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java @@ -16,13 +16,15 @@ package org.springframework.security.authorization; +import java.io.Serializable; + /** * Represents an authorization result * * @author Marcus da Coregio * @since 6.3 */ -public interface AuthorizationResult { +public interface AuthorizationResult extends Serializable { /** * @return whether the access has been granted 
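Review bot: Making `AuthorizationResult` extend `Serializable` changes the contract for every implementation, including ones outside this repository, yet the interface Javadoc still reads only "Represents an authorization result". Implementations that hold non-serializable state now compile as `Serializable` and fail with `NotSerializableException` only when something writes them. The nested `CompositeAuthorizationDecision` and `NotAuthorizationDecision` in `AuthorizationManagers` get `@SuppressWarnings("serial")` rather than a `serialVersionUID` in this same commit, which suggests they fall into that group. I would add a Javadoc sentence such as `Implementations must be serializable, or document that they are not meant to be written with Java serialization.` Because these objects carry the granted/denied outcome, the Javadoc should also say that serialized instances are expected only from trusted stores and should be read through an `ObjectInputFilter` otherwise. The interface body continues outside the hunk.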
diff --git a/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java index 930b23a2ccb..54f5adbbc6f 100644 --- a/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java +++ b/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java @@ -24,6 +24,7 @@ * @author Marcus Da Coregio * @since 5.8 */ +@SuppressWarnings("serial") public class ExpressionAuthorizationDecision extends AuthorizationDecision { private final Expression expression; diff --git a/core/src/main/java/org/springframework/security/authorization/event/AuthorizationDeniedEvent.java b/core/src/main/java/org/springframework/security/authorization/event/AuthorizationDeniedEvent.java index 94e7d6a2312..05d0fcdbc5d 100644 --- a/core/src/main/java/org/springframework/security/authorization/event/AuthorizationDeniedEvent.java +++ b/core/src/main/java/org/springframework/security/authorization/event/AuthorizationDeniedEvent.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ * @author Josh Cummings * @since 5.7 */ +@SuppressWarnings("serial") public class AuthorizationDeniedEvent extends AuthorizationEvent { /** diff --git a/core/src/main/java/org/springframework/security/authorization/event/AuthorizationEvent.java b/core/src/main/java/org/springframework/security/authorization/event/AuthorizationEvent.java index a848dff4917..d4bce6b586d 100644 --- a/core/src/main/java/org/springframework/security/authorization/event/AuthorizationEvent.java +++ b/core/src/main/java/org/springframework/security/authorization/event/AuthorizationEvent.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.authorization.event; +import java.io.Serial; import java.util.function.Supplier; import org.springframework.context.ApplicationEvent; @@ -31,8 +32,12 @@ * @author Josh Cummings * @since 5.8 */ +@SuppressWarnings("serial") public class AuthorizationEvent extends ApplicationEvent { + @Serial + private static final long serialVersionUID = -9053927371500241295L; + private final Supplier authentication; private final AuthorizationResult result; diff --git a/core/src/main/java/org/springframework/security/authorization/event/AuthorizationGrantedEvent.java b/core/src/main/java/org/springframework/security/authorization/event/AuthorizationGrantedEvent.java index 693bc7e4a76..9cde3519303 100644 --- a/core/src/main/java/org/springframework/security/authorization/event/AuthorizationGrantedEvent.java +++ b/core/src/main/java/org/springframework/security/authorization/event/AuthorizationGrantedEvent.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.authorization.event; +import java.io.Serial; import java.util.function.Supplier; import org.springframework.context.ApplicationEvent; 
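Review bot: `AuthorizationEvent` receives both `@SuppressWarnings("serial")` and an explicit `@Serial` `serialVersionUID`, and the two pull in opposite directions. The constant advertises a stable serialized form, while the suppression hides that the `authentication` field shown in the hunk is a `Supplier`, a type that is not serializable in general. Writing such an event with Java serialization would throw `NotSerializableException` unless the supplier passed in happens to be serializable. I would either drop the constant and keep only the suppression, or keep the constant and add a field comment such as `// must be a serializable Supplier if this event is ever written with Java serialization`. `AuthorizationGrantedEvent` gets the same pair of additions in the next file, and both class bodies continue outside their hunks.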
@@ -30,8 +31,12 @@ * @author Josh Cummings * @since 5.7 */ +@SuppressWarnings("serial") public class AuthorizationGrantedEvent extends AuthorizationEvent { + @Serial + private static final long serialVersionUID = -8690818228055810339L; + /** * @deprecated please use a constructor that takes an * {@link org.springframework.security.authorization.AuthorizationResult} diff --git a/core/src/main/java/org/springframework/security/core/AuthenticationException.java b/core/src/main/java/org/springframework/security/core/AuthenticationException.java index e634738b69b..9e1fb756086 100644 --- a/core/src/main/java/org/springframework/security/core/AuthenticationException.java +++ b/core/src/main/java/org/springframework/security/core/AuthenticationException.java @@ -16,6 +16,8 @@ package org.springframework.security.core; +import java.io.Serial; + /** * Abstract superclass for all exceptions related to an {@link Authentication} object * being invalid for whatever reason. @@ -24,6 +26,9 @@ */ public abstract class AuthenticationException extends RuntimeException { + @Serial + private static final long serialVersionUID = 2018827803361503060L; + /** * Constructs an {@code AuthenticationException} with the specified message and root * cause. diff --git a/core/src/main/java/org/springframework/security/core/ComparableVersion.java b/core/src/main/java/org/springframework/security/core/ComparableVersion.java index 347644734c3..a517a4473d1 100644 --- a/core/src/main/java/org/springframework/security/core/ComparableVersion.java +++ b/core/src/main/java/org/springframework/security/core/ComparableVersion.java @@ -405,6 +405,7 @@ public String toString() { * Represents a version list item. This class is used both for the global item list * and for sub-lists (which start with '-(number)' in the version specification). */ + @SuppressWarnings("serial") private static class ListItem extends ArrayList implements Item { @Override 
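Review bot: Adding an explicit `serialVersionUID` to `AuthenticationException` (hunk `@@ -24,6 +26,9 @@`), a class that already shipped without one, changes stream compatibility unless `2018827803361503060L` equals the value previously computed for the class, and the diff does not show that. If it differs, instances serialized by the prior release (6.4.2 according to the gradle.properties change in this commit) fail to deserialize with `InvalidClassException`, which matters wherever such exceptions end up in persisted or replicated sessions. Please confirm the value against the old class (for example with `serialver`) or call the break out in the release notes. The same question applies to the other pre-existing types given a new UID here, such as UsernameNotFoundException, the OAuth2 and JWT exceptions and the password-policy controls; all of these class bodies continue outside their hunks.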
diff --git a/core/src/main/java/org/springframework/security/core/context/SecurityContextChangedEvent.java b/core/src/main/java/org/springframework/security/core/context/SecurityContextChangedEvent.java index c14125c475e..ac38804cff5 100644 --- a/core/src/main/java/org/springframework/security/core/context/SecurityContextChangedEvent.java +++ b/core/src/main/java/org/springframework/security/core/context/SecurityContextChangedEvent.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,6 +26,7 @@ * @author Josh Cummings * @since 5.6 */ +@SuppressWarnings("serial") public class SecurityContextChangedEvent extends ApplicationEvent { public static final Supplier NO_CONTEXT = () -> null; diff --git a/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java b/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java index 0089ae455d0..7a4b3d30fe4 100644 --- a/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java +++ b/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java @@ -16,6 +16,8 @@ package org.springframework.security.core.context; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.Transient; @@ -30,6 +32,9 @@ @Transient public class TransientSecurityContext extends SecurityContextImpl { + @Serial + private static final long serialVersionUID = -7925492364422193347L; + public TransientSecurityContext() { } diff --git a/core/src/main/java/org/springframework/security/core/session/AbstractSessionEvent.java b/core/src/main/java/org/springframework/security/core/session/AbstractSessionEvent.java index 4c8c20da5ce..a02ad09eb6f 100644 
--- a/core/src/main/java/org/springframework/security/core/session/AbstractSessionEvent.java +++ b/core/src/main/java/org/springframework/security/core/session/AbstractSessionEvent.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.core.session; +import java.io.Serial; + import org.springframework.context.ApplicationEvent; /** @@ -26,6 +28,9 @@ */ public class AbstractSessionEvent extends ApplicationEvent { + @Serial + private static final long serialVersionUID = -6878881229287231479L; + public AbstractSessionEvent(Object source) { super(source); } diff --git a/core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java b/core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java index 22c3c1d8e5f..d1d969dc262 100644 --- a/core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java +++ b/core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java @@ -16,6 +16,8 @@ package org.springframework.security.core.userdetails; +import java.io.Serial; + import org.springframework.security.core.AuthenticationException; /** @@ -26,6 +28,9 @@ */ public class UsernameNotFoundException extends AuthenticationException { + @Serial + private static final long serialVersionUID = 1410688585992297006L; + /** * Constructs a UsernameNotFoundException with the specified message. * @param msg the detail message. diff --git a/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java b/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java index 974910bc912..5db1b2e5382 100644 
--- a/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java +++ b/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java @@ -201,6 +201,7 @@ private static TypeResolverBuilder createAllowlis * * @author Rob Winch */ + @SuppressWarnings("serial") static class AllowlistTypeResolverBuilder extends ObjectMapper.DefaultTypeResolverBuilder { AllowlistTypeResolverBuilder(ObjectMapper.DefaultTyping defaultTyping) { diff --git a/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java index 0e732bf480c..587e795f5a4 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java +++ b/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java @@ -16,6 +16,7 @@ package org.springframework.security.access.annotation; +import java.io.Serial; import java.util.ArrayList; import java.util.List; @@ -24,6 +25,9 @@ */ public class BusinessServiceImpl implements BusinessService { + @Serial + private static final long serialVersionUID = -4249394090237180795L; + @Override @Secured({ "ROLE_USER" }) public void someUserMethod1() { diff --git a/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java index 9d1b066d013..1ca226709b9 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java +++ b/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java @@ -16,6 +16,7 @@ package org.springframework.security.access.annotation; +import java.io.Serial; import java.util.ArrayList; import java.util.List; 
@@ -25,6 +26,9 @@ public class ExpressionProtectedBusinessServiceImpl implements BusinessService { + @Serial + private static final long serialVersionUID = -3320014879907436606L; + @Override public void someAdminMethod() { } diff --git a/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java index b19b19bfcfa..6d9f34ac615 100644 --- a/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java +++ b/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java @@ -16,6 +16,7 @@ package org.springframework.security.access.annotation; +import java.io.Serial; import java.util.ArrayList; import java.util.List; @@ -28,6 +29,9 @@ @PermitAll public class Jsr250BusinessServiceImpl implements BusinessService { + @Serial + private static final long serialVersionUID = -7550211450382764339L; + @Override @RolesAllowed("ROLE_USER") public void someUserMethod1() { diff --git a/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java b/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java index d4afce73c18..b696c0c4bf2 100644 --- a/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java +++ b/crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java @@ -617,6 +617,7 @@ else if (len < 4) { return out; } + @SuppressWarnings("serial") static class InvalidBase64CharacterException extends IllegalArgumentException { InvalidBase64CharacterException(String message) { diff --git a/gradle.properties b/gradle.properties index 463d88a1019..75d8d36713d 100644 --- a/gradle.properties +++ b/gradle.properties @@ -14,7 +14,7 @@ # limitations under the License. # springBootVersion=3.3.3 -version=6.4.2 +version=6.4.3 samplesBranch=main org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError org.gradle.parallel=true 
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 8e8404600aa..533f39e9ace 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -1,6 +1,6 @@ [versions] com-squareup-okhttp3 = "3.14.9" -io-rsocket = "1.1.4" +io-rsocket = "1.1.5" io-spring-javaformat = "0.0.43" io-spring-nohttp = "0.0.11" jakarta-websocket = "2.2.0" 
@@ -14,23 +14,23 @@ org-jetbrains-kotlinx = "1.9.0" org-mockito = "5.14.2" org-opensaml = "4.3.2" org-opensaml5 = "5.1.2" -org-springframework = "6.2.1" +org-springframework = "6.2.3" [libraries] -ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.12" +ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.16" com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.18.2" com-google-inject-guice = "com.google.inject:guice:3.0" com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0" com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:9.37.3" -com-nimbusds-oauth2-oidc-sdk = "com.nimbusds:oauth2-oidc-sdk:9.43.4" +com-nimbusds-oauth2-oidc-sdk = "com.nimbusds:oauth2-oidc-sdk:9.43.6" com-squareup-okhttp3-mockwebserver = { module = "com.squareup.okhttp3:mockwebserver", version.ref = "com-squareup-okhttp3" } com-squareup-okhttp3-okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "com-squareup-okhttp3" } com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:6.0.11" com-unboundid-unboundid-ldapsdk7 = "com.unboundid:unboundid-ldapsdk:7.0.1" commons-collections = "commons-collections:commons-collections:3.2.2" -io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.2" -io-mockk = "io.mockk:mockk:1.13.13" -io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.13" +io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.4" +io-mockk = "io.mockk:mockk:1.13.16" +io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.15" io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" } io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" } io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", 
version.ref = "io-spring-javaformat" } @@ -70,12 +70,12 @@ org-bouncycastle-bcprov-jdk15on = { module = "org.bouncycastle:bcprov-jdk18on", org-eclipse-jetty-jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "org-eclipse-jetty" } org-eclipse-jetty-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "org-eclipse-jetty" } org-hamcrest = "org.hamcrest:hamcrest:2.2" -org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:6.6.3.Final" +org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:6.6.8.Final" org-hsqldb = "org.hsqldb:hsqldb:2.7.4" org-jetbrains-kotlin-kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "org-jetbrains-kotlin" } org-jetbrains-kotlin-kotlin-gradle-plugin = "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.25" org-jetbrains-kotlinx-kotlinx-coroutines-bom = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-bom", version.ref = "org-jetbrains-kotlinx" } -org-junit-junit-bom = "org.junit:junit-bom:5.11.3" +org-junit-junit-bom = "org.junit:junit-bom:5.11.4" org-mockito-mockito-bom = { module = "org.mockito:mockito-bom", version.ref = "org-mockito" } org-opensaml-opensaml-saml-api = { module = "org.opensaml:opensaml-saml-api", version.ref = "org-opensaml" } org-opensaml-opensaml-saml-impl = { module = "org.opensaml:opensaml-saml-impl", version.ref = "org-opensaml" } 
@@ -88,8 +88,8 @@ org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-sup org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.3" org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36" org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.16" -org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.1.1" -org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.10" +org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.1.3" +org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.11" org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" } org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0" @@ -107,7 +107,7 @@ org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-inf org-sonarsource-scanner-gradle-sonarqube-gradle-plugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8.0.1969" org-instancio-instancio-junit = "org.instancio:instancio-junit:3.7.1" -webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.28.3.RELEASE' +webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.28.5.RELEASE' [plugins] diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index fb602ee2af0..d71047787f8 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties 
@@ -1,7 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26 -distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip +distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94 +distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/javascript/lib/webauthn-core.js b/javascript/lib/webauthn-core.js index b4c26d08f0e..e2cdc0148d9 100644 --- a/javascript/lib/webauthn-core.js +++ b/javascript/lib/webauthn-core.js @@ -41,8 +41,16 @@ async function authenticate(headers, contextPath, useConditionalMediation) { } // FIXME: Use https://www.w3.org/TR/webauthn-3/#sctn-parseRequestOptionsFromJSON + const decodedAllowCredentials = !options.allowCredentials + ? [] + : options.allowCredentials.map((cred) => ({ + ...cred, + id: base64url.decode(cred.id), + })); + const decodedOptions = { ...options, + allowCredentials: decodedAllowCredentials, challenge: base64url.decode(options.challenge), }; diff --git a/javascript/test/webauthn-core.test.js b/javascript/test/webauthn-core.test.js index 2c6413a33e3..88dae0052e1 100644 --- a/javascript/test/webauthn-core.test.js +++ b/javascript/test/webauthn-core.test.js @@ -85,7 +85,13 @@ describe("webauthn-core", () => { challenge: "nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA", timeout: 300000, rpId: "localhost", - allowCredentials: [], + allowCredentials: [ + { + id: "nOsjw8eaaqSwVdTBBYE1FqfGdHs", + type: "public-key", + transports: [], + }, + ], userVerification: "preferred", extensions: {}, }; 
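Review bot: The test hunks for webauthn-core.test.js replace `allowCredentials: []` with a one-element list, so among the visible changes nothing exercises the new `!options.allowCredentials ? []` branch in `authenticate`, nor an empty array passing through `.map`. Keep one case with `allowCredentials` absent and one with `[]`, each asserting that the options handed to the credentials call contain `allowCredentials: []`, next to the new populated case. A short comment above `decodedAllowCredentials` would also help, e.g. `// credential ids arrive base64url-encoded and must be decoded to binary before the WebAuthn call`. `authenticate` continues outside the hunk.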
@@ -172,7 +178,13 @@ describe("webauthn-core", () => { challenge: base64url.decode("nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA"), timeout: 300000, rpId: "localhost", - allowCredentials: [], + allowCredentials: [ + { + id: base64url.decode("nOsjw8eaaqSwVdTBBYE1FqfGdHs"), + type: "public-key", + transports: [], + }, + ], userVerification: "preferred", extensions: {}, }, diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java index 42b0403740e..124fce51bbb 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java @@ -40,6 +40,7 @@ * * @author Rob Winch */ +@SuppressWarnings("serial") public final class ActiveDirectoryAuthenticationException extends AuthenticationException { private final String dataCode; diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java index f84e8df6205..aaa4164da5f 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java @@ -46,6 +46,7 @@ * @since 5.7 * @see SecurityJackson2Modules */ +@SuppressWarnings("serial") public class LdapJackson2Module extends SimpleModule { public LdapJackson2Module() { diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java index 84eb48cdf98..629513cc8b3 100755 
--- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java @@ -16,6 +16,8 @@ package org.springframework.security.ldap.ppolicy; +import java.io.Serial; + import javax.naming.ldap.Control; /** @@ -37,6 +39,9 @@ public class PasswordPolicyControl implements Control { */ public static final String OID = "1.3.6.1.4.1.42.2.27.8.5.1"; + @Serial + private static final long serialVersionUID = 2843242715616817932L; + private final boolean critical; /** diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyException.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyException.java index 73ab1420525..f01222d4a2a 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyException.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyException.java @@ -16,6 +16,8 @@ package org.springframework.security.ldap.ppolicy; +import java.io.Serial; + /** * Generic exception raised by the ppolicy package. *

@@ -27,6 +29,9 @@ */ public class PasswordPolicyException extends RuntimeException { + @Serial + private static final long serialVersionUID = 2586535034047453106L; + private final PasswordPolicyErrorStatus status; public PasswordPolicyException(PasswordPolicyErrorStatus status) { diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java index 2aa2b330e06..a6ac94590dd 100755 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java @@ -19,6 +19,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; +import java.io.Serial; import netscape.ldap.ber.stream.BERChoice; import netscape.ldap.ber.stream.BERElement; @@ -53,6 +54,9 @@ public class PasswordPolicyResponseControl extends PasswordPolicyControl { private static final Log logger = LogFactory.getLog(PasswordPolicyResponseControl.class); + @Serial + private static final long serialVersionUID = -4592657167939234499L; + private final byte[] encodedValue; private PasswordPolicyErrorStatus errorStatus; diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationException.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationException.java index 8050b74a03f..257f26f4f59 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationException.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationException.java 
@@ -16,6 +16,8 @@ package org.springframework.security.oauth2.client; +import java.io.Serial; + import org.springframework.security.oauth2.core.OAuth2AuthorizationException; import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.util.Assert; @@ -30,6 +32,9 @@ */ public class ClientAuthorizationException extends OAuth2AuthorizationException { + @Serial + private static final long serialVersionUID = 4710713969265443271L; + private final String clientRegistrationId; /** diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationRequiredException.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationRequiredException.java index ee4c0e47849..0bb5649ece9 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationRequiredException.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationRequiredException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.client; +import java.io.Serial; + import org.springframework.security.oauth2.core.OAuth2Error; /** @@ -28,6 +30,9 @@ */ public class ClientAuthorizationRequiredException extends ClientAuthorizationException { + @Serial + private static final long serialVersionUID = -5738646355203953667L; + private static final String CLIENT_AUTHORIZATION_REQUIRED_ERROR_CODE = "client_authorization_required"; /** diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java index ba1eaacd2c7..30f1185c9ba 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java 
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java @@ -86,6 +86,7 @@ * @see OAuth2AuthenticationExceptionMixin * @see OAuth2ErrorMixin */ +@SuppressWarnings("serial") public class OAuth2ClientJackson2Module extends SimpleModule { public OAuth2ClientJackson2Module() { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java index f42249284fe..e7e718949c9 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java @@ -20,6 +20,7 @@ * @author Steve Riesenberg * @since 5.8 */ +@SuppressWarnings("serial") class InvalidClientRegistrationIdException extends IllegalArgumentException { /** diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthenticationException.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthenticationException.java index a868f3180de..ac760c5dc43 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthenticationException.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthenticationException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.core; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.util.Assert; 
@@ -41,6 +43,9 @@ */ public class OAuth2AuthenticationException extends AuthenticationException { + @Serial + private static final long serialVersionUID = -7832130893085581438L; + private final OAuth2Error error; /** diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthorizationException.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthorizationException.java index dbfdf98e5f0..af833d1dae4 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthorizationException.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthorizationException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.core; +import java.io.Serial; + import org.springframework.util.Assert; /** @@ -26,6 +28,9 @@ */ public class OAuth2AuthorizationException extends RuntimeException { + @Serial + private static final long serialVersionUID = -5470222190376181102L; + private final OAuth2Error error; /** diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java index 3a30545179d..2742d0c51ec 100644 --- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java +++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.jwt; +import java.io.Serial; + /** * An exception similar to * {@link org.springframework.security.authentication.BadCredentialsException} that @@ -26,6 +28,9 @@ */ public class BadJwtException extends JwtException { + @Serial + private static final long serialVersionUID = 7748429527132280501L; + public BadJwtException(String message) { super(message); } 
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderInitializationException.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderInitializationException.java index 775da4c9a92..cd1b90a14cb 100644 --- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderInitializationException.java +++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderInitializationException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.jwt; +import java.io.Serial; + /** * An exception thrown when a {@link JwtDecoder} or {@link ReactiveJwtDecoder}'s lazy * initialization fails. @@ -25,6 +27,9 @@ */ public class JwtDecoderInitializationException extends RuntimeException { + @Serial + private static final long serialVersionUID = 2786360018315628982L; + public JwtDecoderInitializationException(String message, Throwable cause) { super(message, cause); } diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtEncodingException.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtEncodingException.java index 9b48f5c4a2d..365993c5edc 100644 --- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtEncodingException.java +++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtEncodingException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.jwt; +import java.io.Serial; + /** * This exception is thrown when an error occurs while attempting to encode a JSON Web * Token (JWT). @@ -25,6 +27,9 @@ */ public class JwtEncodingException extends JwtException { + @Serial + private static final long serialVersionUID = 6581840872589902213L; + /** * Constructs a {@code JwtEncodingException} using the provided parameters. * @param message the detail message 
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtException.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtException.java index b13f0dff265..2004727ffb7 100644 --- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtException.java +++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.jwt; +import java.io.Serial; + /** * Base exception for all JSON Web Token (JWT) related errors. * @@ -24,6 +26,9 @@ */ public class JwtException extends RuntimeException { + @Serial + private static final long serialVersionUID = -3070197880233583797L; + /** * Constructs a {@code JwtException} using the provided parameters. * @param message the detail message diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java index 94568d2dc6b..ab3722e5fdc 100644 --- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java +++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java @@ -16,6 +16,7 @@ package org.springframework.security.oauth2.jwt; +import java.io.Serial; import java.util.ArrayList; import java.util.Collection; @@ -31,6 +32,9 @@ */ public class JwtValidationException extends BadJwtException { + @Serial + private static final long serialVersionUID = 134652048447295615L; + private final Collection errors; /** diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/InvalidBearerTokenException.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/InvalidBearerTokenException.java index 0ba62813da7..c82b3bd5e49 100644 
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/InvalidBearerTokenException.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/InvalidBearerTokenException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.server.resource; +import java.io.Serial; + import org.springframework.security.oauth2.core.OAuth2AuthenticationException; /** @@ -26,6 +28,9 @@ */ public class InvalidBearerTokenException extends OAuth2AuthenticationException { + @Serial + private static final long serialVersionUID = 6904689954809100280L; + /** * Construct an instance of {@link InvalidBearerTokenException} given the provided * description. diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java index 5e155c8bce2..cddd32c3b0c 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.server.resource.introspection; +import java.io.Serial; + /** * An exception similar to * {@link org.springframework.security.authentication.BadCredentialsException} that @@ -26,6 +28,9 @@ */ public class BadOpaqueTokenException extends OAuth2IntrospectionException { + @Serial + private static final long serialVersionUID = -6937847463454551076L; + public BadOpaqueTokenException(String message) { super(message); } 
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2IntrospectionException.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2IntrospectionException.java index e2649ba975c..6650d96e572 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2IntrospectionException.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2IntrospectionException.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.server.resource.introspection; +import java.io.Serial; + /** * Base exception for all OAuth 2.0 Introspection related errors * @@ -24,6 +26,9 @@ */ public class OAuth2IntrospectionException extends RuntimeException { + @Serial + private static final long serialVersionUID = -7327790383594166793L; + public OAuth2IntrospectionException(String message) { super(message); } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/Saml2Exception.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/Saml2Exception.java index dc4e6bb770d..3595dec00ae 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/Saml2Exception.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/Saml2Exception.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -16,11 +16,16 @@ package org.springframework.security.saml2; +import java.io.Serial; + /** * @since 5.2 */ public class Saml2Exception extends RuntimeException { + @Serial + private static final long serialVersionUID = 6076252564189633016L; + public Saml2Exception(String message) { super(message); } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java index a8126d26bde..18d7561348c 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.saml2.core; +import java.io.Serializable; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.util.Arrays; @@ -35,7 +36,9 @@ * @author Josh Cummings * @since 5.4 */ -public final class Saml2X509Credential { +public final class Saml2X509Credential implements Serializable { + + private static final long serialVersionUID = -1015853414272603517L; private final PrivateKey privateKey; diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java index 025ffc6b36b..3d99fc2cfa7 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java 
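Review bot: Declaring `Saml2X509Credential implements Serializable` puts the `PrivateKey` field shown at the end of the hunk into the serialized form. Any session store, cache or file that receives a serialized credential then holds signing or decryption key material, and the class Javadoc does not say so. A sentence such as `Serialized instances contain the private key when one is present; protect the serialized form like the key itself.` would make this visible to integrators. Provider-backed keys (for example HSM handles) may not serialize at all, which is also worth stating. Separately, this is the only `serialVersionUID` in the commit without the annotation, so for consistency use `@Serial private static final long serialVersionUID = -1015853414272603517L;` with `import java.io.Serial;`. The class body continues outside the hunk.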
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java @@ -39,6 +39,7 @@ * @since 5.7 * @see SecurityJackson2Modules */ +@SuppressWarnings("serial") public class Saml2Jackson2Module extends SimpleModule { public Saml2Jackson2Module() { diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java index 6ee38c6d60a..36075ba0df1 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.saml2.provider.service.authentication; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.saml2.core.Saml2Error; @@ -40,6 +42,9 @@ */ public class Saml2AuthenticationException extends AuthenticationException { + @Serial + private static final long serialVersionUID = -2996886630890949105L; + private final Saml2Error error; /** 
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java index c75de010d4e..985e5db51f1 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java @@ -16,6 +16,7 @@ package org.springframework.security.saml2.provider.service.registration; +import java.io.Serializable; import java.util.Collection; import java.util.List; import java.util.function.Consumer; @@ -28,7 +29,7 @@ * @author Josh Cummings * @since 6.4 */ -public interface AssertingPartyMetadata { +public interface AssertingPartyMetadata extends Serializable { /** * Get the asserting party's NonceExpiredException with the specified message. * @param msg the detail message diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfException.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfException.java index c53541ac545..e18dc3961b9 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/CsrfException.java +++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfException.java @@ -16,6 +16,8 @@ package org.springframework.security.web.csrf; +import java.io.Serial; + import org.springframework.security.access.AccessDeniedException; /** @@ -24,9 +26,11 @@ * @author Rob Winch * @since 3.2 */ -@SuppressWarnings("serial") public class CsrfException extends AccessDeniedException { + @Serial + private static final long serialVersionUID = 7802567627837252670L; + public CsrfException(String message) { super(message); } 
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java index 621391651f3..a0950fa44b3 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java +++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java @@ -62,6 +62,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response, request.setAttribute(csrfAttrName, csrfToken); } + @SuppressWarnings("serial") private static final class SupplierCsrfToken implements CsrfToken { private final Supplier csrfTokenSupplier; diff --git a/web/src/main/java/org/springframework/security/web/csrf/DefaultCsrfToken.java b/web/src/main/java/org/springframework/security/web/csrf/DefaultCsrfToken.java index 682be4b1dd4..122d95d1ce9 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/DefaultCsrfToken.java +++ b/web/src/main/java/org/springframework/security/web/csrf/DefaultCsrfToken.java @@ -16,6 +16,8 @@ package org.springframework.security.web.csrf; +import java.io.Serial; + import org.springframework.util.Assert; /** @@ -24,9 +26,11 @@ * @author Rob Winch * @since 3.2 */ -@SuppressWarnings("serial") public final class DefaultCsrfToken implements CsrfToken { + @Serial + private static final long serialVersionUID = 6552658053267913685L; + private final String token; private final String parameterName; diff --git a/web/src/main/java/org/springframework/security/web/csrf/InvalidCsrfTokenException.java b/web/src/main/java/org/springframework/security/web/csrf/InvalidCsrfTokenException.java index 0c57e5a604d..bb4afac31d8 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/InvalidCsrfTokenException.java +++ b/web/src/main/java/org/springframework/security/web/csrf/InvalidCsrfTokenException.java 
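Review bot: The `@SuppressWarnings("serial")` added on `SupplierCsrfToken` silences the lint without recording why that is safe. The class implements `CsrfToken`, which is serializable (`DefaultCsrfToken` receives a `serialVersionUID` in this same commit), yet it keeps a non-transient `Supplier` field that would presumably fail with `NotSerializableException` if the instance were ever written out. From the visible `request.setAttribute(csrfAttrName, csrfToken)` it appears the object lives only as a request attribute, so a short comment above the annotation would document the assumption, e.g. `// Request-scoped wrapper, never serialized; the Supplier is not Serializable.` The nested class body continues outside the hunk.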
@@ -16,6 +16,8 @@ package org.springframework.security.web.csrf; +import java.io.Serial; + import jakarta.servlet.http.HttpServletRequest; /** @@ -25,9 +27,11 @@ * @author Rob Winch * @since 3.2 */ -@SuppressWarnings("serial") public class InvalidCsrfTokenException extends CsrfException { + @Serial + private static final long serialVersionUID = -7745955098435417418L; + /** * @param expectedAccessToken * @param actualAccessToken diff --git a/web/src/main/java/org/springframework/security/web/csrf/LazyCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/csrf/LazyCsrfTokenRepository.java index 5a6a63f4bb0..a8326fa2a7d 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/LazyCsrfTokenRepository.java +++ b/web/src/main/java/org/springframework/security/web/csrf/LazyCsrfTokenRepository.java @@ -159,6 +159,7 @@ public String toString() { } + @SuppressWarnings("serial") private static final class SaveOnAccessCsrfToken implements CsrfToken { private transient CsrfTokenRepository tokenRepository; diff --git a/web/src/main/java/org/springframework/security/web/firewall/RequestRejectedException.java b/web/src/main/java/org/springframework/security/web/firewall/RequestRejectedException.java index b997031a476..ea91775b62f 100644 --- a/web/src/main/java/org/springframework/security/web/firewall/RequestRejectedException.java +++ b/web/src/main/java/org/springframework/security/web/firewall/RequestRejectedException.java @@ -16,11 +16,16 @@ package org.springframework.security.web.firewall; +import java.io.Serial; + /** * @author Luke Taylor */ public class RequestRejectedException extends RuntimeException { + @Serial + private static final long serialVersionUID = 7226768874760909859L; + public RequestRejectedException(String message) { super(message); } 
diff --git a/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java b/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java index a54a55a96de..87daedcc40d 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java @@ -40,6 +40,7 @@ * @since 4.2 * @see SecurityJackson2Modules */ +@SuppressWarnings("serial") public class WebJackson2Module extends SimpleModule { public WebJackson2Module() { diff --git a/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java b/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java index 70b098e4fed..b5fd4d0777c 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java @@ -44,6 +44,7 @@ * @since 5.1 * @see SecurityJackson2Modules */ +@SuppressWarnings("serial") public class WebServletJackson2Module extends SimpleModule { public WebServletJackson2Module() { diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java index 08165eb0cd3..e74e7fcb117 100644 --- a/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java +++ b/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java @@ -16,6 +16,7 @@ package org.springframework.security.web.savedrequest; +import java.io.Serial; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; 
@@ -35,6 +36,9 @@ */ public class SimpleSavedRequest implements SavedRequest { + @Serial + private static final long serialVersionUID = 807650604272166969L; + private String redirectUrl; private List cookies = new ArrayList<>(); diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java index 8eab25cf1f6..85686f5815a 100644 --- a/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java @@ -353,6 +353,7 @@ public void setSwitchUserMatcher(ServerWebExchangeMatcher switchUserMatcher) { this.switchUserMatcher = switchUserMatcher; } + @SuppressWarnings("serial") private static class SwitchUserAuthenticationException extends RuntimeException { SwitchUserAuthenticationException(AuthenticationException exception) { diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/ott/GenerateOneTimeTokenWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authentication/ott/GenerateOneTimeTokenWebFilter.java index 8301e17dcf2..170d1d0b680 100644 --- a/web/src/main/java/org/springframework/security/web/server/authentication/ott/GenerateOneTimeTokenWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/authentication/ott/GenerateOneTimeTokenWebFilter.java @@ -58,7 +58,6 @@ public Mono filter(ServerWebExchange exchange, WebFilterChain chain) { // @formatter:off return this.matcher.matches(exchange) .filter(ServerWebExchangeMatcher.MatchResult::isMatch) - .switchIfEmpty(chain.filter(exchange).then(Mono.empty())) .then(exchange.getFormData()) .mapNotNull((data) -> data.getFirst(USERNAME)) .switchIfEmpty(chain.filter(exchange).then(Mono.empty())) 
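Review bot: In `GenerateOneTimeTokenWebFilter.filter`, the remaining `.then(exchange.getFormData())` does not stop on a non-matching request. `Mono.then(other)` ignores whether the upstream emitted and plays `other` on completion, so an empty result from `.filter(MatchResult::isMatch)` still reads the form data. Removing the first `switchIfEmpty` fixes the double invocation of `chain.filter(exchange)`, but a request that fails the matcher and carries a `username` form field will apparently still flow into the token-generation steps that follow (they lie outside the hunk, so confirm). Gating on the match result avoids that: `.flatMap((match) -> exchange.getFormData())` in place of the `.then(...)` line, keeping the single `switchIfEmpty` after `mapNotNull`. A test posting `username` to a path the matcher rejects and asserting that no token is generated would pin the behaviour.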
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfException.java b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfException.java index 631c5b7fdc0..bdb693e95ca 100644 --- a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfException.java +++ b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfException.java @@ -16,6 +16,8 @@ package org.springframework.security.web.server.csrf; +import java.io.Serial; + import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.csrf.CsrfToken; @@ -25,9 +27,11 @@ * @author Rob Winch * @since 3.2 */ -@SuppressWarnings("serial") public class CsrfException extends AccessDeniedException { + @Serial + private static final long serialVersionUID = -8209680716517631141L; + public CsrfException(String message) { super(message); } diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/DefaultCsrfToken.java b/web/src/main/java/org/springframework/security/web/server/csrf/DefaultCsrfToken.java index eb49369e6fe..2a32018a5cb 100644 --- a/web/src/main/java/org/springframework/security/web/server/csrf/DefaultCsrfToken.java +++ b/web/src/main/java/org/springframework/security/web/server/csrf/DefaultCsrfToken.java @@ -16,6 +16,8 @@ package org.springframework.security.web.server.csrf; +import java.io.Serial; + import org.springframework.util.Assert; /** @@ -24,9 +26,11 @@ * @author Rob Winch * @since 5.0 */ -@SuppressWarnings("serial") public final class DefaultCsrfToken implements CsrfToken { + @Serial + private static final long serialVersionUID = 308340117851874929L; + private final String token; private final String parameterName; diff --git a/web/src/main/java/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java b/web/src/main/java/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java index 5246838dcfb..f46140d3515 100644 
--- a/web/src/main/java/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java +++ b/web/src/main/java/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java @@ -16,6 +16,8 @@ package org.springframework.security.web.server.firewall; +import java.io.Serial; + /** * Thrown when a {@link org.springframework.web.server.ServerWebExchange} is rejected. * @@ -24,6 +26,9 @@ */ public class ServerExchangeRejectedException extends RuntimeException { + @Serial + private static final long serialVersionUID = 904984955691607748L; + public ServerExchangeRejectedException(String message) { super(message); } diff --git a/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java b/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java index ceea54bdbc1..001a5accf4a 100644 --- a/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java @@ -38,6 +38,7 @@ * @since 5.1 * @see SecurityJackson2Modules */ +@SuppressWarnings("serial") public class WebServerJackson2Module extends SimpleModule { private static final String NAME = WebServerJackson2Module.class.getName(); diff --git a/web/src/main/java/org/springframework/security/web/session/HttpSessionCreatedEvent.java b/web/src/main/java/org/springframework/security/web/session/HttpSessionCreatedEvent.java index 15dcfff296a..547bc7fcdba 100644 --- a/web/src/main/java/org/springframework/security/web/session/HttpSessionCreatedEvent.java +++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionCreatedEvent.java @@ -27,6 +27,7 @@ * @author Ray Krueger * @author Luke Taylor */ +@SuppressWarnings("serial") public class HttpSessionCreatedEvent extends SessionCreationEvent { public HttpSessionCreatedEvent(HttpSession session) { 
diff --git a/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java b/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java index 944dd3c202d..d3ac900ad47 100644 --- a/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java +++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java @@ -33,6 +33,7 @@ * @author Luke Taylor * @author Rob Winch */ +@SuppressWarnings("serial") public class HttpSessionDestroyedEvent extends SessionDestroyedEvent { public HttpSessionDestroyedEvent(HttpSession session) { diff --git a/web/src/main/java/org/springframework/security/web/session/HttpSessionIdChangedEvent.java b/web/src/main/java/org/springframework/security/web/session/HttpSessionIdChangedEvent.java index 1320c1bb50d..ec0b645d580 100644 --- a/web/src/main/java/org/springframework/security/web/session/HttpSessionIdChangedEvent.java +++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionIdChangedEvent.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.session; +import java.io.Serial; + import jakarta.servlet.http.HttpSession; import org.springframework.security.core.session.SessionIdChangedEvent; @@ -26,8 +28,12 @@ * * @since 5.4 */ +@SuppressWarnings("serial") public class HttpSessionIdChangedEvent extends SessionIdChangedEvent { + @Serial + private static final long serialVersionUID = -5725731666499807941L; + private final String oldSessionId; private final String newSessionId; 
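Review bot: `HttpSessionIdChangedEvent` now gets both `@SuppressWarnings("serial")` and an explicit `@Serial private static final long serialVersionUID`, which looks redundant. Elsewhere in this commit the suppression is removed when the field is added (e.g. `CsrfException`, `DefaultCsrfToken`). The two fields visible in the hunk are `String`s, so there seems to be nothing left for the suppression to hide; if it is needed for another lint finding, a one-line comment naming that finding would help. Otherwise drop the annotation so that future serial warnings on this class are not masked.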
diff --git a/web/src/main/java/org/springframework/security/web/session/SessionInformationExpiredEvent.java b/web/src/main/java/org/springframework/security/web/session/SessionInformationExpiredEvent.java index 1fa8e1573c6..44c99a56b5d 100644 --- a/web/src/main/java/org/springframework/security/web/session/SessionInformationExpiredEvent.java +++ b/web/src/main/java/org/springframework/security/web/session/SessionInformationExpiredEvent.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ * @author Rob Winch * @since 4.2 */ +@SuppressWarnings("serial") public final class SessionInformationExpiredEvent extends ApplicationEvent { private final HttpServletRequest request; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java index f3fb229af1b..736a3b29609 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; + /** * A client extension * input entry in the {@link AuthenticationExtensionsClientInputs}. 
@@ -25,7 +27,7 @@ * @since 6.4 * @see ImmutableAuthenticationExtensionsClientInput */ -public interface AuthenticationExtensionsClientInput { +public interface AuthenticationExtensionsClientInput extends Serializable { /** * Gets the extension diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java index 44a26a41c12..3befaa601fc 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; import java.util.List; /** @@ -31,7 +32,7 @@ * @since 6.4 * @see PublicKeyCredentialCreationOptions#getExtensions() */ -public interface AuthenticationExtensionsClientInputs { +public interface AuthenticationExtensionsClientInputs extends Serializable { /** * Gets all of the {@link AuthenticationExtensionsClientInput}. diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java index c635acf2d0b..5eadabcaf8a 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java 
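Review bot: Making the public interface `AuthenticationExtensionsClientInput` extend `Serializable` pulls every implementation, including application-supplied ones, into the serialization contract, and the Javadoc is not updated to say so. The same applies to `AuthenticationExtensionsClientInputs` in this section and to the `...ClientOutput`, `...ClientOutputs` and `AssertingPartyMetadata` interfaces changed elsewhere in the commit. An implementation that holds a non-serializable value will compile but is likely to fail with `NotSerializableException` once the enclosing options object is stored in a session. A Javadoc line on each interface would make the requirement explicit, e.g. `Implementations must be serializable, including the value returned by getInput().` It is also worth noting in the release notes as a source-compatible but behaviour-relevant API change.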
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; + /** * A client extension * output entry in {@link AuthenticationExtensionsClientOutputs}. @@ -24,7 +26,7 @@ * @see AuthenticationExtensionsClientOutputs#getOutputs() * @see CredentialPropertiesOutput */ -public interface AuthenticationExtensionsClientOutput { +public interface AuthenticationExtensionsClientOutput extends Serializable { /** * Gets the extension diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java index 54038e95889..8f1adccf05e 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; import java.util.List; /** @@ -31,7 +32,7 @@ * @since 6.4 * @see PublicKeyCredential#getClientExtensionResults() */ -public interface AuthenticationExtensionsClientOutputs { +public interface AuthenticationExtensionsClientOutputs extends Serializable { /** * Gets all of the {@link AuthenticationExtensionsClientOutput}. 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java index 5d4609951f3..045384128f3 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; + /** * The AuthenticatorAssertionResponse @@ -38,6 +40,9 @@ */ public final class AuthenticatorAssertionResponse extends AuthenticatorResponse { + @Serial + private static final long serialVersionUID = 324976481675434298L; + private final Bytes authenticatorData; private final Bytes signature; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java index b56371936de..e18f26fbaac 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java @@ -16,6 +16,10 @@ package org.springframework.security.web.webauthn.api; +import java.io.ObjectStreamException; +import java.io.Serial; +import java.io.Serializable; + /** * The AuthenticatorAttachment. 
@@ -23,7 +27,10 @@ * @author Rob Winch * @since 6.4 */ -public final class AuthenticatorAttachment { +public final class AuthenticatorAttachment implements Serializable { + + @Serial + private static final long serialVersionUID = 8446133215195918090L; /** * Indicates AuthenticatorResponse @@ -26,7 +28,7 @@ * @author Rob Winch * @since 6.4 */ -public abstract class AuthenticatorResponse { +public abstract class AuthenticatorResponse implements Serializable { private final Bytes clientDataJSON; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java index 33e9d2123cb..0974d295697 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * AuthenticatorTransport @@ -25,7 +28,10 @@ * @author Rob Winch * @since 6.4 */ -public final class AuthenticatorTransport { +public final class AuthenticatorTransport implements Serializable { + + @Serial + private static final long serialVersionUID = -5617945441117386982L; /** * usbc diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java index 6fbcc3596c6..6c96a11efd8 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; import java.security.SecureRandom; import java.util.Arrays; import java.util.Base64; @@ -28,7 +30,10 @@ * @author Rob Winch * @since 6.4 */ -public final class Bytes { +public final class Bytes implements Serializable { + + @Serial + private static final long serialVersionUID = -3278138671365709777L; private static final SecureRandom RANDOM = new SecureRandom(); diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java index 22372717595..e28da6d7897 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * Implements 
@@ -27,6 +30,9 @@ public class CredProtectAuthenticationExtensionsClientInput implements AuthenticationExtensionsClientInput { + @Serial + private static final long serialVersionUID = -6418175591005843455L; + private final CredProtect input; public CredProtectAuthenticationExtensionsClientInput(CredProtect input) { @@ -43,7 +49,10 @@ public CredProtect getInput() { return this.input; } - public static class CredProtect { + public static class CredProtect implements Serializable { + + @Serial + private static final long serialVersionUID = 109597301115842688L; private final ProtectionPolicy credProtectionPolicy; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java index 193fe6cbb43..45deb043b5c 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * CredentialPropertiesOutput @@ -27,6 +30,9 @@ public class CredentialPropertiesOutput implements AuthenticationExtensionsClientOutput { + @Serial + private static final long serialVersionUID = -3201699313968303331L; + /** * The extension id. */ 
@@ -59,7 +65,10 @@ public ExtensionOutput getOutput() { * @since 6.4 * @see #getOutput() */ - public static final class ExtensionOutput { + public static final class ExtensionOutput implements Serializable { + + @Serial + private static final long serialVersionUID = 4557406414847424019L; private final boolean rk; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java index eb656c3cdfb..ad479b4a017 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; + /** * An immutable {@link AuthenticationExtensionsClientInput}. * @@ -26,6 +28,9 @@ */ public class ImmutableAuthenticationExtensionsClientInput implements AuthenticationExtensionsClientInput { + @Serial + private static final long serialVersionUID = -1738152485672656808L; + /** * https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension */ diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java index cef29f378a5..f9c43608b18 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java 
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; import java.util.Arrays; import java.util.List; @@ -27,6 +28,9 @@ */ public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs { + @Serial + private static final long serialVersionUID = 4277817521578485720L; + private final List inputs; public ImmutableAuthenticationExtensionsClientInputs(List inputs) { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java index b1b74d48bf8..2e35bf4cfe8 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; import java.util.Arrays; import java.util.List; 
@@ -26,6 +27,9 @@ */ public class ImmutableAuthenticationExtensionsClientOutputs implements AuthenticationExtensionsClientOutputs { + @Serial + private static final long serialVersionUID = -4656390173585180393L; + private final List> outputs; public ImmutableAuthenticationExtensionsClientOutputs(List> outputs) { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java index 3b2fe5adfa0..a383967f7db 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; + /** * PublicKeyCredentialUserEntity @@ -28,6 +30,9 @@ */ public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity { + @Serial + private static final long serialVersionUID = -3438693960347279759L; + /** * When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier * for a user account. It is intended only for display, i.e., aiding the user in diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java index ac04b22f0fa..d8cdaf23198 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java 
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * PublicKeyCredential * contains the attributes that are returned to the caller when a new credential is @@ -24,7 +27,10 @@ * @author Rob Winch * @since 6.4 */ -public final class PublicKeyCredential { +public final class PublicKeyCredential implements Serializable { + + @Serial + private static final long serialVersionUID = -1864035469276082606L; private final String id; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java index ad454814b0f..6fbe5250ac1 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; import java.util.Set; /** 
@@ -29,7 +31,10 @@ * @author Rob Winch * @since 6.4 */ -public final class PublicKeyCredentialDescriptor { +public final class PublicKeyCredentialDescriptor implements Serializable { + + @Serial + private static final long serialVersionUID = 8793385059692676240L; private final PublicKeyCredentialType type; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java index b0cf592009c..9cadc1cb29f 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; import java.time.Duration; import java.util.ArrayList; import java.util.Collections; @@ -32,7 +34,10 @@ * @author Rob Winch * @since 6.4 */ -public final class PublicKeyCredentialRequestOptions { +public final class PublicKeyCredentialRequestOptions implements Serializable { + + @Serial + private static final long serialVersionUID = -2970057592835694354L; private final Bytes challenge; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java index 57f1c6ec463..99087a5d291 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java 
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * The PublicKeyCredentialType @@ -24,7 +27,10 @@ * @author Rob Winch * @since 6.4 */ -public final class PublicKeyCredentialType { +public final class PublicKeyCredentialType implements Serializable { + + @Serial + private static final long serialVersionUID = 7025333122210061679L; /** * The only credential type that currently exists. diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java index fd95a24c715..b3d1b9a86ac 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; + /** * PublicKeyCredentialUserEntity 
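Review bot: Making `PublicKeyCredentialType` serializable means a deserialized value is a new object rather than the shared constant (`PublicKeyCredentialType.PUBLIC_KEY` is used as one in this commit's test fixtures), so any `==` comparison against the constant would stop matching after a round trip. `equals`/`hashCode` are outside the hunk, so value equality may already cover this. If it does not, a `@Serial private Object readResolve()` that maps the stored value back to the canonical instance keeps the constants unique. `UserVerificationRequirement` gets the same change later in the diff and looks like the same kind of constants class.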
@@ -27,7 +29,7 @@ * @since 6.4 * @see org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations#authenticate(org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest) */ -public interface PublicKeyCredentialUserEntity { +public interface PublicKeyCredentialUserEntity extends Serializable { /** * The UserVerificationRequirement @@ -24,7 +27,10 @@ * @author Rob Winch * @since 6.4 */ -public final class UserVerificationRequirement { +public final class UserVerificationRequirement implements Serializable { + + @Serial + private static final long serialVersionUID = -2801001231345540040L; /** * The { AttestationConveyancePreferenceSerializer() { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java index 4d7ca1e38df..2746a0928b3 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class AuthenticationExtensionsClientInputSerializer extends StdSerializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java index 8009f0f16f6..e6ad216c8c7 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java 
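Review bot: `public interface PublicKeyCredentialUserEntity extends Serializable` changes the contract for every implementation, not only `ImmutablePublicKeyCredentialUserEntity`: an application-provided implementation that holds a non-serializable field will still compile but fail with `NotSerializableException` when it is written. The interface Javadoc should say so, for example `Implementations must be serializable: all non-transient state has to be Serializable, and a serialVersionUID should be declared.` The interface body continues outside the hunk.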
@@ -31,6 +31,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class AuthenticationExtensionsClientInputsSerializer extends StdSerializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java index 0cfd084936c..dc0d588c7cd 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java @@ -39,6 +39,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class AuthenticationExtensionsClientOutputsDeserializer extends StdDeserializer { private static final Log logger = LogFactory.getLog(AuthenticationExtensionsClientOutputsDeserializer.class); diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java index 0c6b9c9e741..8263081ddc8 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java @@ -31,6 +31,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class AuthenticatorAttachmentDeserializer extends StdDeserializer { AuthenticatorAttachmentDeserializer() { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java index 67c1a2b9b3c..a6ea540716e 100644 
--- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class AuthenticatorAttachmentSerializer extends StdSerializer { AuthenticatorAttachmentSerializer() { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportDeserializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportDeserializer.java index 77085c43502..8cafd92aa96 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportDeserializer.java @@ -31,6 +31,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class AuthenticatorTransportDeserializer extends StdDeserializer { AuthenticatorTransportDeserializer() { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java index b02b33eecb8..894cab4ed5a 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class BytesSerializer extends StdSerializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierDeserializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierDeserializer.java index 343b0bde1ce..ed1e6e48370 100644 
--- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierDeserializer.java @@ -31,6 +31,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class COSEAlgorithmIdentifierDeserializer extends StdDeserializer { COSEAlgorithmIdentifierDeserializer() { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java index eb408569fa5..6cc3d844135 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class COSEAlgorithmIdentifierSerializer extends StdSerializer { COSEAlgorithmIdentifierSerializer() { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java index b1cd17892d0..05619965668 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java @@ -31,6 +31,7 @@ * * @author Rob Winch */ +@SuppressWarnings("serial") class CredProtectAuthenticationExtensionsClientInputSerializer extends StdSerializer { 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java index 442acc5fd0d..f1a27e17b5e 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java @@ -29,6 +29,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class DurationSerializer extends StdSerializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java index b7709d41f2b..7640d7a366c 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java @@ -31,6 +31,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class PublicKeyCredentialTypeDeserializer extends StdDeserializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java index 06eb0bbbe6d..23319e366a3 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class PublicKeyCredentialTypeSerializer extends StdSerializer { /** 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java index 158e8627cde..31b85366d44 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class ResidentKeyRequirementSerializer extends StdSerializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java index 1bb29904460..07a6184a96f 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java @@ -30,6 +30,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") class UserVerificationRequirementSerializer extends StdSerializer { /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/WebauthnJackson2Module.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/WebauthnJackson2Module.java index 0fe386aecc4..97a1c8e1f46 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/WebauthnJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/WebauthnJackson2Module.java @@ -47,6 +47,7 @@ * @author Rob Winch * @since 6.4 */ +@SuppressWarnings("serial") public class WebauthnJackson2Module extends SimpleModule { /** 
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java b/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java index 1dd1a66c843..62565d7f5c9 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.management; +import java.io.Serial; +import java.io.Serializable; + import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse; import org.springframework.security.web.webauthn.api.PublicKeyCredential; import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions; @@ -29,7 +32,10 @@ * @since 6.4 * @see WebAuthnRelyingPartyOperations#authenticate(RelyingPartyAuthenticationRequest) */ -public class RelyingPartyAuthenticationRequest { +public class RelyingPartyAuthenticationRequest implements Serializable { + + @Serial + private static final long serialVersionUID = -928083091875202086L; private final PublicKeyCredentialRequestOptions requestOptions; diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java new file mode 100644 index 00000000000..a81b0d06ab7 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java 
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.api;
+
+/**
+ * @author Max Batischev
+ */
+public final class TestAuthenticationAssertionResponses {
+
+ public static AuthenticatorAssertionResponse.AuthenticatorAssertionResponseBuilder createAuthenticatorAssertionResponse() {
+ return AuthenticatorAssertionResponse.builder()
+ .authenticatorData(Bytes.fromBase64("SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA"))
+ .clientDataJSON(Bytes.fromBase64(
+ "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaDB2Z3dHUWpvQ3pBekRVc216UHBrLUpWSUpSUmduMEw0S1ZTWU5SY0VaYyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"))
+ .signature(Bytes.fromBase64(
+ "MEUCIAdfzPAn3voyXynwa0IXk1S0envMY5KP3NEe9aj4B2BuAiEAm_KJhQoWXdvfhbzwACU3NM4ltQe7_Il46qFUwtpuTdg"))
+ .userHandle(Bytes.fromBase64("oWJtkJ6vJ_m5b84LB4_K7QKTCTEwLIjCh4tFMCGHO4w"));
+ }
+
+ private TestAuthenticationAssertionResponses() {
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestBytes.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestBytes.java
new file mode 100644
index 00000000000..b8850c12de8
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestBytes.java
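Review bot: `createAuthenticatorAssertionResponse()` in `TestAuthenticationAssertionResponses` returns four opaque base64url literals with no comment saying where they came from or how they relate to each other. The `clientDataJSON` value appears to decode to a `webauthn.get` client data for origin `http://localhost:8080` with a fixed challenge, so the `signature` is presumably only valid together with that challenge, that origin and one specific credential key. A test that pairs this fixture with other request options would then fail verification for reasons that are hard to see. A Javadoc on the method along the lines of `Assertion captured for origin http://localhost:8080; authenticatorData, clientDataJSON and signature belong together and must be regenerated as a set.` would make that explicit.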
@@ -0,0 +1,31 @@ +/* + * Copyright 2002-2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.webauthn.api; + +/** + * @author Rob Winch + */ +public final class TestBytes { + + public static Bytes get() { + return Bytes.fromBase64("OSCtNugR-n4YR4ozlHRa-CKXzY9v-yMKtQGcvui5xN8"); + } + + private TestBytes() { + } + +} diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java index f2f919b3daf..5ae19ac23cc 100644 --- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java +++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -38,6 +38,17 @@ public static PublicKeyCredential.PublicKeyCre .clientExtensionResults(clientExtensionResults); } + public static PublicKeyCredential.PublicKeyCredentialBuilder createPublicKeyCredential( + R response, AuthenticationExtensionsClientOutputs outputs) { + return PublicKeyCredential.builder() + .id("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM") + .rawId(Bytes + .fromBase64("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM")) + .response(response) + .type(PublicKeyCredentialType.PUBLIC_KEY) + .clientExtensionResults(outputs); + } + private TestPublicKeyCredential() { } diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialUserEntity.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialUserEntity.java index 704e6ce17fc..cc35752d15c 100644 --- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialUserEntity.java +++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialUserEntity.java @@ -21,7 +21,7 @@ public final class TestPublicKeyCredentialUserEntity { public static PublicKeyCredentialUserEntityBuilder userEntity() { - return ImmutablePublicKeyCredentialUserEntity.builder().name("user").id(Bytes.random()).displayName("user"); + return ImmutablePublicKeyCredentialUserEntity.builder().name("user").id(TestBytes.get()).displayName("user"); } private TestPublicKeyCredentialUserEntity() { diff --git a/web/src/test/java/org/springframework/security/web/webauthn/management/MapUserCredentialRepositoryTests.java b/web/src/test/java/org/springframework/security/web/webauthn/management/MapUserCredentialRepositoryTests.java index 36081973f88..d14e98df126 100644 --- a/web/src/test/java/org/springframework/security/web/webauthn/management/MapUserCredentialRepositoryTests.java 
+++ b/web/src/test/java/org/springframework/security/web/webauthn/management/MapUserCredentialRepositoryTests.java @@ -20,9 +20,9 @@ import org.junit.jupiter.api.Test; -import org.springframework.security.web.webauthn.api.Bytes; import org.springframework.security.web.webauthn.api.CredentialRecord; import org.springframework.security.web.webauthn.api.ImmutableCredentialRecord; +import org.springframework.security.web.webauthn.api.TestBytes; import org.springframework.security.web.webauthn.api.TestCredentialRecord; import static org.assertj.core.api.Assertions.assertThat; @@ -41,7 +41,7 @@ class MapUserCredentialRepositoryTests { @Test void findByUserIdWhenNotFoundThenEmpty() { - assertThat(this.userCredentials.findByUserId(Bytes.random())).isEmpty(); + assertThat(this.userCredentials.findByUserId(TestBytes.get())).isEmpty(); } @Test @@ -56,7 +56,7 @@ void findByCredentialIdWhenIdNullThenIllegalArgumentException() { @Test void findByCredentialIdWhenNotFoundThenIllegalArgumentException() { - assertThat(this.userCredentials.findByCredentialId(Bytes.random())).isNull(); + assertThat(this.userCredentials.findByCredentialId(TestBytes.get())).isNull(); } @Test @@ -114,7 +114,7 @@ void saveWhenSameUserThenUpdated() { ImmutableCredentialRecord credentialRecord = TestCredentialRecord.userCredential().build(); this.userCredentials.save(credentialRecord); CredentialRecord newCredentialRecord = ImmutableCredentialRecord.fromCredentialRecord(credentialRecord) - .credentialId(Bytes.random()) + .credentialId(TestBytes.get()) .build(); this.userCredentials.save(newCredentialRecord); assertThat(this.userCredentials.findByCredentialId(credentialRecord.getCredentialId())) 
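Review bot: `TestBytes.get()` returns the same fixed value on every call, so replacing `Bytes.random()` with it in `saveWhenSameUserThenUpdated` makes the "new" `credentialId` a constant, and in `saveWhenDifferentUserThenNewEntryAdded` (next hunk) the user id and the credential id become the same value. If `TestCredentialRecord.userCredential()` builds its ids from the same fixture (not visible here) and `Bytes` compares by value, the second record would no longer differ from the first, and both tests could pass without exercising the update and new-entry paths. These two tests need values that are distinct from the saved record, so I would keep `.credentialId(Bytes.random())` and `.userEntityUserId(Bytes.random())` here, or add a second, different constant to `TestBytes`.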
@@ -130,8 +130,8 @@ void saveWhenDifferentUserThenNewEntryAdded() { ImmutableCredentialRecord credentialRecord = TestCredentialRecord.userCredential().build(); this.userCredentials.save(credentialRecord); CredentialRecord newCredentialRecord = ImmutableCredentialRecord.fromCredentialRecord(credentialRecord) - .userEntityUserId(Bytes.random()) - .credentialId(Bytes.random()) + .userEntityUserId(TestBytes.get()) + .credentialId(TestBytes.get()) .build(); this.userCredentials.save(newCredentialRecord); assertThat(this.userCredentials.findByCredentialId(credentialRecord.getCredentialId())) diff --git a/web/src/test/java/org/springframework/security/web/webauthn/registration/DefaultWebAuthnRegistrationPageGeneratingFilterTests.java b/web/src/test/java/org/springframework/security/web/webauthn/registration/DefaultWebAuthnRegistrationPageGeneratingFilterTests.java index 03fe8d0fece..7f681cc1dc9 100644 --- a/web/src/test/java/org/springframework/security/web/webauthn/registration/DefaultWebAuthnRegistrationPageGeneratingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/webauthn/registration/DefaultWebAuthnRegistrationPageGeneratingFilterTests.java 
@@ -31,10 +31,10 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
-import org.springframework.security.web.webauthn.api.Bytes;
 import org.springframework.security.web.webauthn.api.ImmutableCredentialRecord;
 import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.TestBytes;
 import org.springframework.security.web.webauthn.api.TestCredentialRecord;
 import org.springframework.security.web.webauthn.management.PublicKeyCredentialUserEntityRepository;
 import org.springframework.security.web.webauthn.management.UserCredentialRepository;
@@ -88,7 +88,7 @@ void doFilterWhenNotMatchThenNoInteractions() throws Exception {
 void doFilterThenCsrfDataAttrsPresent() throws Exception {
 PublicKeyCredentialUserEntity userEntity = ImmutablePublicKeyCredentialUserEntity.builder()
 .name("user")
- .id(Bytes.random())
+ .id(TestBytes.get())
 .displayName("User")
 .build();
 given(this.userEntities.findByUsername(any())).willReturn(userEntity);
@@ -115,7 +115,7 @@ void doFilterWhenNullPublicKeyCredentialUserEntityThenNoResults() throws Excepti
 void doFilterWhenNoCredentialsThenNoResults() throws Exception {
 PublicKeyCredentialUserEntity userEntity = ImmutablePublicKeyCredentialUserEntity.builder()
 .name("user")
- .id(Bytes.random())
+ .id(TestBytes.get())
 .displayName("User")
 .build();
 given(this.userEntities.findByUsername(any())).willReturn(userEntity);
@@ -129,7 +129,7 @@ void doFilterWhenNoCredentialsThenNoResults() throws Exception {
 void doFilterWhenResultsThenDisplayed() throws Exception {
 PublicKeyCredentialUserEntity userEntity = ImmutablePublicKeyCredentialUserEntity.builder()
 .name("user")
- .id(Bytes.random())
+ .id(TestBytes.get())
 .displayName("User")
 .build();
@@ -225,7 +225,7 @@ void doFilterWhenResultsContainEntitiesThenEncoded() throws Exception {
 assertThat(label).isNotEqualTo(htmlEncodedLabel);
 PublicKeyCredentialUserEntity userEntity = ImmutablePublicKeyCredentialUserEntity.builder()
 .name("user")
- .id(Bytes.random())
+ .id(TestBytes.get())
 .displayName("User")
 .build();
 ImmutableCredentialRecord credential = TestCredentialRecord.userCredential().label(label).build();
@@ -240,7 +240,7 @@ void doFilterWhenResultsContainEntitiesThenEncoded() throws Exception {
 void doFilterWhenContextEmptyThenUrlsEmptyPrefix() throws Exception {
 PublicKeyCredentialUserEntity userEntity = ImmutablePublicKeyCredentialUserEntity.builder()
 .name("user")
- .id(Bytes.random())
+ .id(TestBytes.get())
 .displayName("User")
 .build();
 ImmutableCredentialRecord credential = TestCredentialRecord.userCredential().build();
@@ -256,7 +256,7 @@ void doFilterWhenContextEmptyThenUrlsEmptyPrefix() throws Exception {
 void doFilterWhenContextNotEmptyThenUrlsPrefixed() throws Exception {
 PublicKeyCredentialUserEntity userEntity = ImmutablePublicKeyCredentialUserEntity.builder()
 .name("user")
- .id(Bytes.random())
+ .id(TestBytes.get())
 .displayName("User")
 .build();
 ImmutableCredentialRecord credential = TestCredentialRecord.userCredential().build();