
Merge branch '6.4.x'

Josh Cummings 7 miesięcy temu
rodzic
commit
28644aa966
14 zmienionych plików z 38 dodań i 5 usunięć
  1. 11 0
      config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
  2. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.CsrfException.serialized
  3. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.DefaultCsrfToken.serialized
  4. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.InvalidCsrfTokenException.serialized
  5. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.MissingCsrfTokenException.serialized
  6. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.CsrfException.serialized
  7. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.DefaultCsrfToken.serialized
  8. 5 1
      web/src/main/java/org/springframework/security/web/csrf/CsrfException.java
  9. 1 0
      web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
  10. 5 1
      web/src/main/java/org/springframework/security/web/csrf/DefaultCsrfToken.java
  11. 5 1
      web/src/main/java/org/springframework/security/web/csrf/InvalidCsrfTokenException.java
  12. 1 0
      web/src/main/java/org/springframework/security/web/csrf/LazyCsrfTokenRepository.java
  13. 5 1
      web/src/main/java/org/springframework/security/web/server/csrf/CsrfException.java
  14. 5 1
      web/src/main/java/org/springframework/security/web/server/csrf/DefaultCsrfToken.java

+ 11 - 0
config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -134,6 +134,10 @@ import org.springframework.security.web.authentication.rememberme.InvalidCookieE
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
 import org.springframework.security.web.authentication.www.NonceExpiredException;
+import org.springframework.security.web.csrf.CsrfException;
+import org.springframework.security.web.csrf.DefaultCsrfToken;
+import org.springframework.security.web.csrf.InvalidCsrfTokenException;
+import org.springframework.security.web.csrf.MissingCsrfTokenException;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@@ -344,6 +348,13 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new SessionAuthenticationException("message"));
 		generatorByClassName.put(NonceExpiredException.class,
 				(r) -> new NonceExpiredException("message", new IOException("fail")));
+		generatorByClassName.put(CsrfException.class, (r) -> new CsrfException("message"));
+		generatorByClassName.put(org.springframework.security.web.server.csrf.CsrfException.class, (r) -> new org.springframework.security.web.server.csrf.CsrfException("message"));
+		generatorByClassName.put(InvalidCsrfTokenException.class, (r) -> new InvalidCsrfTokenException(new DefaultCsrfToken("header", "parameter", "token"), "token"));
+		generatorByClassName.put(MissingCsrfTokenException.class, (r) -> new MissingCsrfTokenException("token"));
+		generatorByClassName.put(DefaultCsrfToken.class, (r) -> new DefaultCsrfToken("header", "parameter", "token"));
+		generatorByClassName.put(org.springframework.security.web.server.csrf.DefaultCsrfToken.class, (r) -> new org.springframework.security.web.server.csrf.DefaultCsrfToken("header", "parameter", "token"));
+
 	}
 
 	@ParameterizedTest
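Review bot: `MissingCsrfTokenException` gets a generator and a 6.4.x fixture in this hunk, but it is the only registered CSRF class whose source file is absent from this commit's file list, so no explicit `serialVersionUID` for it is visible here. If the class still relies on `@SuppressWarnings("serial")`, its fixture is tied to the compiler-computed UID and would stop deserializing after any structural change to the class. It may already declare one outside this merge, which is worth confirming. If it does not, add `@Serial private static final long serialVersionUID = <UID_PLACEHOLDER>L;` as the sibling classes do. The block that fills `generatorByClassName` starts above this hunk.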

BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.CsrfException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.DefaultCsrfToken.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.InvalidCsrfTokenException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.csrf.MissingCsrfTokenException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.CsrfException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.csrf.DefaultCsrfToken.serialized


+ 5 - 1
web/src/main/java/org/springframework/security/web/csrf/CsrfException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.csrf;
 
+import java.io.Serial;
+
 import org.springframework.security.access.AccessDeniedException;
 
 /**
@@ -24,9 +26,11 @@ import org.springframework.security.access.AccessDeniedException;
  * @author Rob Winch
  * @since 3.2
  */
-@SuppressWarnings("serial")
 public class CsrfException extends AccessDeniedException {
 
+	@Serial
+	private static final long serialVersionUID = 7802567627837252670L;
+
 	public CsrfException(String message) {
 		super(message);
 	}

+ 1 - 0
web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java

@@ -62,6 +62,7 @@ public class CsrfTokenRequestAttributeHandler implements CsrfTokenRequestHandler
 		request.setAttribute(csrfAttrName, csrfToken);
 	}
 
+	@SuppressWarnings("serial")
 	private static final class SupplierCsrfToken implements CsrfToken {
 
 		private final Supplier<CsrfToken> csrfTokenSupplier;
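Review bot: The added `@SuppressWarnings("serial")` on `SupplierCsrfToken` silences the warning without stating whether the class is meant to be serialized. The visible `csrfTokenSupplier` field is a non-transient `Supplier<CsrfToken>`, so writing an instance to a stream will presumably fail unless the supplier itself happens to be serializable. If that is the intent, say so next to the annotation, for example `// Deliberately no serialVersionUID: this wrapper holds a Supplier and is not meant to be serialized.` The same annotation is added to `SaveOnAccessCsrfToken` in LazyCsrfTokenRepository.java, where the repository field is marked `transient`; a matching comment there would explain what a deserialized instance is expected to do without it. Both class bodies continue outside their hunks.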

+ 5 - 1
web/src/main/java/org/springframework/security/web/csrf/DefaultCsrfToken.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.csrf;
 
+import java.io.Serial;
+
 import org.springframework.util.Assert;
 
 /**
@@ -24,9 +26,11 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  * @since 3.2
  */
-@SuppressWarnings("serial")
 public final class DefaultCsrfToken implements CsrfToken {
 
+	@Serial
+	private static final long serialVersionUID = 6552658053267913685L;
+
 	private final String token;
 
 	private final String parameterName;
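Review bot: Pinning `serialVersionUID` on `DefaultCsrfToken` commits to the default serialized form of a class that carries the token value, yet nothing in the hunk validates an instance rebuilt from a stream. If the constructor checks its arguments through `Assert` (imported above; the constructor lies outside this hunk), default deserialization skips those checks, so a token read back from persisted storage could carry null or empty fields. Consider a private `readObject` that calls `defaultReadObject()` and re-applies the constructor's assertions. At minimum, add a comment above the field such as `// Serialized form is a compatibility contract (see the serialized/6.4.x fixtures); field names and types must not change.` The same applies to the server-side `DefaultCsrfToken` in the last file section.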

+ 5 - 1
web/src/main/java/org/springframework/security/web/csrf/InvalidCsrfTokenException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.csrf;
 
+import java.io.Serial;
+
 import jakarta.servlet.http.HttpServletRequest;
 
 /**
@@ -25,9 +27,11 @@ import jakarta.servlet.http.HttpServletRequest;
  * @author Rob Winch
  * @since 3.2
  */
-@SuppressWarnings("serial")
 public class InvalidCsrfTokenException extends CsrfException {
 
+	@Serial
+	private static final long serialVersionUID = -7745955098435417418L;
+
 	/**
 	 * @param expectedAccessToken
 	 * @param actualAccessToken

+ 1 - 0
web/src/main/java/org/springframework/security/web/csrf/LazyCsrfTokenRepository.java

@@ -159,6 +159,7 @@ public final class LazyCsrfTokenRepository implements CsrfTokenRepository {
 
 	}
 
+	@SuppressWarnings("serial")
 	private static final class SaveOnAccessCsrfToken implements CsrfToken {
 
 		private transient CsrfTokenRepository tokenRepository;

+ 5 - 1
web/src/main/java/org/springframework/security/web/server/csrf/CsrfException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server.csrf;
 
+import java.io.Serial;
+
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.csrf.CsrfToken;
 
@@ -25,9 +27,11 @@ import org.springframework.security.web.csrf.CsrfToken;
  * @author Rob Winch
  * @since 3.2
  */
-@SuppressWarnings("serial")
 public class CsrfException extends AccessDeniedException {
 
+	@Serial
+	private static final long serialVersionUID = -8209680716517631141L;
+
 	public CsrfException(String message) {
 		super(message);
 	}

+ 5 - 1
web/src/main/java/org/springframework/security/web/server/csrf/DefaultCsrfToken.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server.csrf;
 
+import java.io.Serial;
+
 import org.springframework.util.Assert;
 
 /**
@@ -24,9 +26,11 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  * @since 5.0
  */
-@SuppressWarnings("serial")
 public final class DefaultCsrfToken implements CsrfToken {
 
+	@Serial
+	private static final long serialVersionUID = 308340117851874929L;
+
 	private final String token;
 
 	private final String parameterName;