Merge branch 'fix-17729' into 7.0.x

2026-04-01 15:06:52 +00:00 · 2026-03-30 17:19:31 -06:00 · 2026-03-30 17:19:31 -06:00 · 067f79dde5
commit 067f79dde5
parent 45758a5cec 52d98ab7af
4 changed files with 57 additions and 5 deletions
--- a/access/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java
+++ b/access/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java
@ -35,6 +35,7 @@ import org.springframework.security.web.FilterInvocation;
 */
@Deprecated
@NullUnmarked
+@SuppressWarnings("serial")
 class WebExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor<FilterInvocation> {

 	private final Expression authorizeExpression;
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@ -33,10 +33,10 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 import java.util.stream.Stream;

 import org.apache.commons.lang3.ObjectUtils;
@ -207,10 +207,7 @@ class SpringSecurityCoreVersionSerializableTests {
 			boolean hasSerialVersion = Stream.of(clazz.getDeclaredFields())
 				.map(Field::getName)
 				.anyMatch((n) -> n.equals("serialVersionUID"));
-			SuppressWarnings suppressWarnings = clazz.getAnnotation(SuppressWarnings.class);
-			boolean hasSerialIgnore = suppressWarnings == null
-					|| Arrays.asList(suppressWarnings.value()).contains("Serial");
-			if (!hasSerialVersion && !hasSerialIgnore) {
+			if (!hasSerialVersion && !hasSuppressSerialInSource(clazz)) {
 				classes.add(clazz);
 				continue;
 			}
@ -249,6 +246,58 @@ class SpringSecurityCoreVersionSerializableTests {
 		return classes.stream();
 	}

+	private static boolean hasSuppressSerialInSource(Class<?> clazz) {
+		try {
+			Class<?> fileClass = clazz;
+			while (fileClass.getEnclosingClass() != null) {
+				fileClass = fileClass.getEnclosingClass();
+			}
+			var codeSource = fileClass.getProtectionDomain().getCodeSource();
+			if (codeSource == null) {
+				return false;
+			}
+			Path sourceFile = findSourceFile(Path.of(codeSource.getLocation().toURI()), fileClass);
+			if (sourceFile == null) {
+				return false;
+			}
+			return hasSuppressSerialAnnotation(Files.readAllLines(sourceFile), clazz.getSimpleName());
+		}
+		catch (Exception ex) {
+			return false;
+		}
+	}
+
+	private static Path findSourceFile(Path start, Class<?> clazz) {
+		String relativePath = clazz.getName().replace('.', '/') + ".java";
+		Path dir = start;
+		for (int i = 0; i < 10 && dir != null; i++) {
+			for (String sourceRoot : List.of("src/main/java", "src/test/java")) {
+				Path candidate = dir.resolve(sourceRoot).resolve(relativePath);
+				if (Files.exists(candidate)) {
+					return candidate;
+				}
+			}
+			dir = dir.getParent();
+		}
+		return null;
+	}
+
+	private static boolean hasSuppressSerialAnnotation(List<String> lines, String simpleClassName) {
+		Pattern classDeclaration = Pattern
+			.compile("\\b(?:class|interface|enum|record)\\s+" + Pattern.quote(simpleClassName) + "\\b");
+		for (int i = 0; i < lines.size(); i++) {
+			if (classDeclaration.matcher(lines.get(i)).find()) {
+				for (int j = Math.max(0, i - 5); j < i; j++) {
+					String line = lines.get(j);
+					if (line.contains("@SuppressWarnings") && line.contains("\"serial\"")) {
+						return true;
+					}
+				}
+			}
+		}
+		return false;
+	}
+
 	private static String getCurrentVersion() {
 		String version = System.getProperty("springSecurityVersion");
 		String[] parts = version.split("\\.");
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
@ -266,6 +266,7 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt

 	}

+	@SuppressWarnings("serial")
 	private static final class OAuth2AuthorizationRequestException extends AuthenticationException {

 		OAuth2AuthorizationRequestException(Throwable cause) {
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java
@ -185,6 +185,7 @@ public final class DPoPProofJwtDecoderFactory implements JwtDecoderFactory<DPoPP
 			return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 		}

+		@SuppressWarnings("serial")
 		private static final class JtiCache extends LinkedHashMap<String, Long> {

 			private static final int MAX_SIZE = 1000;