aot improvements

Signed-off-by: Josh Long <54473+joshlong@users.noreply.github.com>

acl/src/main/java/org/springframework/security/acls/aot/hint/AclRuntimeHints.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.acls.aot.hint;
+
+import org.jspecify.annotations.Nullable;
+import org.springframework.aot.hint.MemberCategory;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+import org.springframework.security.acls.domain.*;
+import org.springframework.security.acls.model.*;
+
+import java.util.stream.Stream;
+
+/**
+ * {@link RuntimeHintsRegistrar} for ACL (Access Control List) classes.
+ *
+ * @author Josh Long
+ */
+class AclRuntimeHints implements RuntimeHintsRegistrar {
+
+	@Override
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
+		registerAclDomainHints(hints);
+		registerJdbcSchemaHints(hints);
+	}
+
+	private void registerAclDomainHints(RuntimeHints hints) {
+		// Register core ACL domain types
+		Stream.of(Acl.class, AccessControlEntry.class, AuditableAccessControlEntry.class,
+						ObjectIdentity.class, Sid.class, AclImpl.class, AccessControlEntry.class,
+						AuditLogger.class, ObjectIdentityImpl.class, PrincipalSid.class, GrantedAuthoritySid.class, BasePermission.class)
+				.forEach(c -> hints.reflection().registerType(TypeReference.of(c), builder ->
+						builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+								MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS)));
+
+
+	}
+
+	private void registerJdbcSchemaHints(RuntimeHints hints) {
+		String[] sqlFiles = new String[]{
+				"createAclSchema.sql",
+				"createAclSchemaMySQL.sql",
+				"createAclSchemaOracle.sql",
+				"createAclSchemaPostgres.sql",
+				"createAclSchemaSqlServer.sql",
+				"createAclSchemaWithAclClassIdType.sql",
+				"select.sql"
+		};
+		for (String sqlFile : sqlFiles) {
+			Resource sqlResource = new ClassPathResource(sqlFile);
+			if (sqlResource.exists()) {
+				hints.resources().registerResource(sqlResource);
+			}
+		}
+	}
+
+}

acl/src/main/java/org/springframework/security/acls/aot/hint/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AOT and native image hint support for ACLs.
+ */
+package org.springframework.security.acls.aot.hint;

acl/src/main/resources/META-INF/spring/aot.factories

@@ -0,0 +1,2 @@
+org.springframework.aot.hint.RuntimeHintsRegistrar=\
+org.springframework.security.acls.aot.hint.AclRuntimeHints

core/src/main/java/org/springframework/security/aot/hint/CoreSecurityRuntimeHints.java

@@ -16,37 +16,23 @@
 
 package org.springframework.security.aot.hint;
 
-import java.util.List;
-import java.util.stream.Stream;
-
 import org.jspecify.annotations.Nullable;
-
 import org.springframework.aot.hint.MemberCategory;
 import org.springframework.aot.hint.RuntimeHints;
 import org.springframework.aot.hint.RuntimeHintsRegistrar;
 import org.springframework.aot.hint.TypeReference;
 import org.springframework.security.access.expression.SecurityExpressionOperations;
 import org.springframework.security.access.expression.SecurityExpressionRoot;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.authentication.AccountExpiredException;
-import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.CredentialsExpiredException;
-import org.springframework.security.authentication.DisabledException;
-import org.springframework.security.authentication.LockedException;
-import org.springframework.security.authentication.ProviderNotFoundException;
-import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent;
-import org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent;
+import org.springframework.security.authentication.*;
+import org.springframework.security.authentication.event.*;
+import org.springframework.security.authentication.ott.OneTimeTokenAuthentication;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
 
+import java.util.List;
+import java.util.stream.Stream;
+
 /**
  * {@link RuntimeHintsRegistrar} for core classes
  *
@@ -60,6 +46,7 @@ class CoreSecurityRuntimeHints implements RuntimeHintsRegistrar {
 		registerExceptionEventsHints(hints);
 		registerExpressionEvaluationHints(hints);
 		registerMethodSecurityHints(hints);
+		registerAdditionalAuthenticationTypes(hints);
 		hints.resources().registerResourceBundle("org.springframework.security.messages");
 		registerDefaultJdbcSchemaFileHint(hints);
 		registerSecurityContextHints(hints);
@@ -67,41 +54,41 @@ class CoreSecurityRuntimeHints implements RuntimeHintsRegistrar {
 
 	private void registerMethodSecurityHints(RuntimeHints hints) {
 		hints.reflection()
-			.registerType(
-					TypeReference
-						.of("org.springframework.security.access.expression.method.MethodSecurityExpressionRoot"),
-					(builder) -> builder.withMembers(MemberCategory.INVOKE_PUBLIC_METHODS));
+				.registerType(
+						TypeReference
+								.of("org.springframework.security.access.expression.method.MethodSecurityExpressionRoot"),
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_PUBLIC_METHODS));
 		hints.reflection()
-			.registerType(AbstractAuthenticationToken.class,
-					(builder) -> builder.withMembers(MemberCategory.INVOKE_PUBLIC_METHODS));
+				.registerType(AbstractAuthenticationToken.class,
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_PUBLIC_METHODS));
 	}
 
 	private void registerExpressionEvaluationHints(RuntimeHints hints) {
 		hints.reflection()
-			.registerTypes(
-					List.of(TypeReference.of(SecurityExpressionOperations.class),
-							TypeReference.of(SecurityExpressionRoot.class)),
-					(builder) -> builder.withMembers(MemberCategory.ACCESS_DECLARED_FIELDS,
-							MemberCategory.INVOKE_DECLARED_METHODS));
+				.registerTypes(
+						List.of(TypeReference.of(SecurityExpressionOperations.class),
+								TypeReference.of(SecurityExpressionRoot.class)),
+						(builder) -> builder.withMembers(MemberCategory.ACCESS_DECLARED_FIELDS,
+								MemberCategory.INVOKE_DECLARED_METHODS));
 	}
 
 	private void registerExceptionEventsHints(RuntimeHints hints) {
 		hints.reflection()
-			.registerTypes(getDefaultAuthenticationExceptionEventPublisherTypes(),
-					(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS));
+				.registerTypes(getDefaultAuthenticationExceptionEventPublisherTypes(),
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS));
 	}
 
 	private List<TypeReference> getDefaultAuthenticationExceptionEventPublisherTypes() {
 		return Stream
-			.of(AuthenticationFailureBadCredentialsEvent.class, AuthenticationFailureCredentialsExpiredEvent.class,
-					AuthenticationFailureDisabledEvent.class, AuthenticationFailureExpiredEvent.class,
-					AuthenticationFailureLockedEvent.class, AuthenticationFailureProviderNotFoundEvent.class,
-					AuthenticationFailureProxyUntrustedEvent.class, AuthenticationFailureServiceExceptionEvent.class,
-					AuthenticationServiceException.class, AccountExpiredException.class, BadCredentialsException.class,
-					CredentialsExpiredException.class, DisabledException.class, LockedException.class,
-					UsernameNotFoundException.class, ProviderNotFoundException.class)
-			.map(TypeReference::of)
-			.toList();
+				.of(AuthenticationFailureBadCredentialsEvent.class, AuthenticationFailureCredentialsExpiredEvent.class,
+						AuthenticationFailureDisabledEvent.class, AuthenticationFailureExpiredEvent.class,
+						AuthenticationFailureLockedEvent.class, AuthenticationFailureProviderNotFoundEvent.class,
+						AuthenticationFailureProxyUntrustedEvent.class, AuthenticationFailureServiceExceptionEvent.class,
+						AuthenticationServiceException.class, AccountExpiredException.class, BadCredentialsException.class,
+						CredentialsExpiredException.class, DisabledException.class, LockedException.class,
+						UsernameNotFoundException.class, ProviderNotFoundException.class)
+				.map(TypeReference::of)
+				.toList();
 	}
 
 	private void registerDefaultJdbcSchemaFileHint(RuntimeHints hints) {
@@ -110,8 +97,19 @@ class CoreSecurityRuntimeHints implements RuntimeHintsRegistrar {
 
 	private void registerSecurityContextHints(RuntimeHints hints) {
 		hints.reflection()
-			.registerType(SecurityContextImpl.class,
-					(builder) -> builder.withMembers(MemberCategory.INVOKE_PUBLIC_METHODS));
+				.registerType(SecurityContextImpl.class,
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_PUBLIC_METHODS));
+	}
+
+	private void registerAdditionalAuthenticationTypes(RuntimeHints hints) {
+		// RememberMeAuthenticationToken can be stored in the HTTP session and
+		// deserialized via Jackson (RememberMeAuthenticationTokenMixin exists for both
+		// Jackson 2 and 3), so it needs reflection hints in all native image scenarios.
+		Stream.of(RememberMeAuthenticationToken.class, OneTimeTokenAuthentication.class, UsernamePasswordAuthenticationToken.class)
+				.map(TypeReference::of)
+				.forEach(it ->
+						hints.reflection().registerType(it, (builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+								MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS)));
 	}
 
 }

kerberos/kerberos-core/src/main/java/org/springframework/security/kerberos/aot/hint/KerberosRuntimeHints.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.kerberos.aot.hint;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.aot.hint.MemberCategory;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.aot.hint.TypeReference;
+
+/**
+ * {@link RuntimeHintsRegistrar} for Kerberos authentication classes.
+ *
+ * @author Josh Long
+ */
+class KerberosRuntimeHints implements RuntimeHintsRegistrar {
+
+	@Override
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
+		// Krb5LoginModule is referenced as a plain string in LoginConfig and loaded by
+		// JAAS via Class.forName at runtime, so it needs an explicit reflection hint.
+		hints.reflection()
+			.registerType(TypeReference.of("com.sun.security.auth.module.Krb5LoginModule"),
+					(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+							MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+	}
+
+}

kerberos/kerberos-core/src/main/java/org/springframework/security/kerberos/aot/hint/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AOT and native image hint support for Kerberos authentication.
+ */
+package org.springframework.security.kerberos.aot.hint;

kerberos/kerberos-core/src/main/resources/META-INF/spring/aot.factories

@@ -0,0 +1,2 @@
+org.springframework.aot.hint.RuntimeHintsRegistrar=\
+org.springframework.security.kerberos.aot.hint.KerberosRuntimeHints

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/aot/hint/OAuth2ClientRuntimeHints.java

@@ -16,8 +16,13 @@
 
 package org.springframework.security.oauth2.client.aot.hint;
 
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.aot.hint.MemberCategory;
 import org.springframework.aot.hint.RuntimeHints;
 import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.util.ClassUtils;
 
 /**
  * {@link RuntimeHintsRegistrar} for OAuth2 Client
@@ -27,9 +32,20 @@ import org.springframework.aot.hint.RuntimeHintsRegistrar;
  */
 class OAuth2ClientRuntimeHints implements RuntimeHintsRegistrar {
 
+	private static final boolean r2dbcPresent;
+
+	static {
+		ClassLoader classLoader = ClassUtils.getDefaultClassLoader();
+		r2dbcPresent = ClassUtils.isPresent("io.r2dbc.spi.Row", classLoader)
+				&& ClassUtils.isPresent("org.springframework.r2dbc.core.DatabaseClient", classLoader);
+	}
+
 	@Override
-	public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
 		registerOAuth2ClientSchemaFilesHints(hints);
+		if (r2dbcPresent) {
+			registerR2dbcHints(hints);
+		}
 	}
 
 	private void registerOAuth2ClientSchemaFilesHints(RuntimeHints hints) {
@@ -38,4 +54,25 @@ class OAuth2ClientRuntimeHints implements RuntimeHintsRegistrar {
 			.registerPattern("org/springframework/security/oauth2/client/oauth2-client-schema-postgres.sql");
 	}
 
+	private void registerR2dbcHints(RuntimeHints hints) {
+		// Register R2DBC OAuth2 client service types
+		hints.reflection()
+			.registerType(
+					TypeReference
+						.of("org.springframework.security.oauth2.client.R2dbcReactiveOAuth2AuthorizedClientService"),
+					(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+							MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+
+		// Register OAuth2 client types that may be serialized in R2DBC scenarios
+		hints.reflection()
+			.registerTypes(
+					java.util.List.of(
+							TypeReference
+								.of("org.springframework.security.oauth2.client.OAuth2AuthorizedClient"),
+							TypeReference
+								.of("org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken")),
+					(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+							MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+	}
+
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/aot/hint/Saml2RuntimeHints.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.aot.hint;
+
+import org.jspecify.annotations.Nullable;
+import org.springframework.aot.hint.MemberCategory;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.security.saml2.core.Saml2Error;
+import org.springframework.security.saml2.jackson2.Saml2Jackson2Module;
+import org.springframework.security.saml2.provider.service.authentication.*;
+import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
+import org.springframework.util.ClassUtils;
+
+/**
+ * {@link RuntimeHintsRegistrar} for SAML2 Service Provider classes.
+ *
+ * @author Josh Long
+ */
+class Saml2RuntimeHints implements RuntimeHintsRegistrar {
+
+	private static final boolean jackson2Present;
+
+	private static final boolean jackson3Present;
+
+	static {
+		ClassLoader classLoader = ClassUtils.getDefaultClassLoader();
+		jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
+				&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
+		jackson3Present = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
+	}
+
+	@Override
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
+		registerAuthenticationHints(hints);
+		registerJacksonHints(hints);
+		registerJdbcSchemaHints(hints);
+	}
+
+	private void registerAuthenticationHints(RuntimeHints hints) {
+		hints.reflection()
+				.registerTypes(
+						java.util.List.of(TypeReference.of(Saml2Authentication.class),
+								TypeReference.of(Saml2AssertionAuthentication.class),
+								TypeReference.of(DefaultSaml2AuthenticatedPrincipal.class),
+								TypeReference.of(Saml2PostAuthenticationRequest.class),
+								TypeReference.of(Saml2RedirectAuthenticationRequest.class),
+								TypeReference.of(Saml2ResponseAssertion.class),
+								TypeReference.of(Saml2LogoutRequest.class), TypeReference.of(Saml2Error.class),
+								TypeReference.of(Saml2AuthenticationException.class)),
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+								MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+	}
+
+	private void registerJacksonHints(RuntimeHints hints) {
+		// Jackson 2 Module
+		if (jackson2Present) {
+			hints.reflection()
+					.registerType(Saml2Jackson2Module.class,
+							(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+									MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+
+			// Register mixins for Jackson 2
+			registerJackson2Mixins(hints);
+		}
+
+		// Jackson 3 Module
+		if (jackson3Present) {
+			hints.reflection()
+					.registerType(
+							TypeReference.of("org.springframework.security.saml2.jackson.Saml2JacksonModule"),
+							(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+									MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+
+			// Register mixins for Jackson 3
+			registerJackson3Mixins(hints);
+		}
+	}
+
+	private void registerJackson2Mixins(RuntimeHints hints) {
+		String[] mixinClasses = {"org.springframework.security.saml2.jackson2.Saml2AuthenticationMixin",
+				"org.springframework.security.saml2.jackson2.Saml2AssertionAuthenticationMixin",
+				"org.springframework.security.saml2.jackson2.SimpleSaml2ResponseAssertionAccessorMixin",
+				"org.springframework.security.saml2.jackson2.DefaultSaml2AuthenticatedPrincipalMixin",
+				"org.springframework.security.saml2.jackson2.Saml2LogoutRequestMixin",
+				"org.springframework.security.saml2.jackson2.Saml2RedirectAuthenticationRequestMixin",
+				"org.springframework.security.saml2.jackson2.Saml2PostAuthenticationRequestMixin",
+				"org.springframework.security.saml2.jackson2.Saml2ErrorMixin",
+				"org.springframework.security.saml2.jackson2.Saml2AuthenticationExceptionMixin"};
+
+		for (String mixinClass : mixinClasses) {
+			hints.reflection()
+					.registerType(TypeReference.of(mixinClass),
+							(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+									MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+		}
+	}
+
+	private void registerJackson3Mixins(RuntimeHints hints) {
+		String[] mixinClasses = {"org.springframework.security.saml2.jackson.Saml2AuthenticationMixin",
+				"org.springframework.security.saml2.jackson.Saml2AssertionAuthenticationMixin",
+				"org.springframework.security.saml2.jackson.SimpleSaml2ResponseAssertionAccessorMixin",
+				"org.springframework.security.saml2.jackson.DefaultSaml2AuthenticatedPrincipalMixin",
+				"org.springframework.security.saml2.jackson.Saml2LogoutRequestMixin",
+				"org.springframework.security.saml2.jackson.Saml2RedirectAuthenticationRequestMixin",
+				"org.springframework.security.saml2.jackson.Saml2PostAuthenticationRequestMixin",
+				"org.springframework.security.saml2.jackson.Saml2ErrorMixin",
+				"org.springframework.security.saml2.jackson.Saml2AuthenticationExceptionMixin"};
+
+		for (String mixinClass : mixinClasses) {
+			hints.reflection()
+					.registerType(TypeReference.of(mixinClass),
+							(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+									MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
+		}
+	}
+
+	private void registerJdbcSchemaHints(RuntimeHints hints) {
+		hints.resources()
+				.registerPattern("org/springframework/security/saml2/saml2-asserting-party-metadata-schema.sql")
+				.registerPattern(
+						"org/springframework/security/saml2/saml2-asserting-party-metadata-schema-postgres.sql");
+	}
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/aot/hint/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AOT and native image hint support for SAML2.
+ */
+package org.springframework.security.saml2.aot.hint;

saml2/saml2-service-provider/src/main/resources/META-INF/spring/aot.factories

@@ -0,0 +1,2 @@
+org.springframework.aot.hint.RuntimeHintsRegistrar=\
+org.springframework.security.saml2.aot.hint.Saml2RuntimeHints

web/src/main/java/org/springframework/security/web/aot/hint/WebMvcSecurityRuntimeHints.java

@@ -24,6 +24,7 @@ import org.springframework.aot.hint.RuntimeHintsRegistrar;
 import org.springframework.aot.hint.TypeReference;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
 /**
  * {@link RuntimeHintsRegistrar} for WebMVC classes
@@ -44,6 +45,10 @@ class WebMvcSecurityRuntimeHints implements RuntimeHintsRegistrar {
 					TypeReference
 						.of("org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler$SupplierCsrfToken"),
 					MemberCategory.INVOKE_DECLARED_METHODS);
+		hints.reflection()
+			.registerType(PreAuthenticatedAuthenticationToken.class,
+					(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+							MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS));
 
 		ClassPathResource css = new ClassPathResource("org/springframework/security/default-ui.css");
 		if (css.exists()) {