SEC-1700: Add fixed serializationVersionUID values to security context, authentication tokens and related classes

2011-04-21 19:55:32 +01:00 · 2011-04-21 19:55:32 +01:00 · 8178371927
parent ac96f27136
commit 8178371927
26 changed files with 107 additions and 7 deletions
--- a/cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java
+++ b/cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java
@ -19,6 +19,7 @@ import java.util.ArrayList;
 import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;

 /**
 * Temporary authentication object needed to load the user details service.
@ -28,6 +29,8 @@ import org.springframework.security.core.GrantedAuthority;
 */
 public final class CasAssertionAuthenticationToken extends AbstractAuthenticationToken {

+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private final Assertion assertion;

    private final String ticket;
--- a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
+++ b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
@ -21,6 +21,7 @@ import java.util.Collection;
 import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;

 /**
@ -30,9 +31,10 @@ import org.springframework.security.core.userdetails.UserDetails;
 * @author Scott Battaglia
 */
 public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
-    //~ Instance fields ================================================================================================

-    private static final long serialVersionUID = 1L;
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
+    //~ Instance fields ================================================================================================
    private final Object credentials;
    private final Object principal;
    private final UserDetails userDetails;
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
@ -21,6 +21,7 @@ import java.util.Collection;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -29,6 +30,9 @@ import org.springframework.security.core.GrantedAuthority;
 * @author Ben Alex
 */
 public class RunAsUserToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final Class<? extends Authentication> originalAuthentication;
--- a/core/src/main/java/org/springframework/security/authentication/AuthenticationDetails.java
+++ b/core/src/main/java/org/springframework/security/authentication/AuthenticationDetails.java
@ -1,5 +1,7 @@
 package org.springframework.security.authentication;

+import org.springframework.security.core.SpringSecurityCoreVersion;
+
 import java.io.Serializable;

 /**
@ -10,6 +12,9 @@ import java.io.Serializable;
 */
@Deprecated
 public class AuthenticationDetails implements Serializable {
+
+   private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
   //~ Instance fields ================================================================================================

   private final String context;
--- a/core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
@ -18,6 +18,7 @@ package org.springframework.security.authentication;
 import java.util.Collection;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -30,6 +31,9 @@ import org.springframework.security.core.GrantedAuthority;
 * @author Luke Taylor
 */
 public class RememberMeAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final Object principal;
--- a/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
@ -18,6 +18,7 @@ package org.springframework.security.authentication;
 import java.util.Collection;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -31,6 +32,9 @@ import org.springframework.security.core.GrantedAuthority;
 * @author Ben Alex
 */
 public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final Object principal;
--- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationToken.java
@ -20,6 +20,7 @@ import java.util.List;

 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;

 import javax.security.auth.login.LoginContext;

@ -30,6 +31,9 @@ import javax.security.auth.login.LoginContext;
 * @author Ray Krueger
 */
 public class JaasAuthenticationToken extends UsernamePasswordAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final transient LoginContext loginContext;
--- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasGrantedAuthority.java
+++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasGrantedAuthority.java
@ -16,6 +16,7 @@
 package org.springframework.security.authentication.jaas;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;

 import java.security.Principal;

@ -29,13 +30,12 @@ import java.security.Principal;
 * @see AuthorityGranter
 */
 public final class JaasGrantedAuthority implements GrantedAuthority {
-    //~ Instance fields ================================================================================================
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    private final String role;
    private final Principal principal;

-    //~ Constructors ===================================================================================================
-
    public JaasGrantedAuthority(String role, Principal principal) {
        this.role = role;
        this.principal = principal;
--- a/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationException.java
+++ b/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationException.java
@ -16,6 +16,7 @@
 package org.springframework.security.authentication.rcp;

 import org.springframework.core.NestedRuntimeException;
+import org.springframework.security.core.SpringSecurityCoreVersion;

 /**
 * Thrown if a <code>RemoteAuthenticationManager</code> cannot validate the presented authentication request.
@ -27,6 +28,9 @@ import org.springframework.core.NestedRuntimeException;
 * @author Ben Alex
 */
 public class RemoteAuthenticationException extends NestedRuntimeException {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Constructors ===================================================================================================

    /**
--- a/core/src/main/java/org/springframework/security/core/SpringSecurityCoreVersion.java
+++ b/core/src/main/java/org/springframework/security/core/SpringSecurityCoreVersion.java
@ -12,13 +12,20 @@ import org.springframework.core.SpringVersion;
 public class SpringSecurityCoreVersion {
    private static final Log logger = LogFactory.getLog(SpringSecurityCoreVersion.class);

+    /**
+     * Global Serialization value for Spring Security classes.
+     *
+     * N.B. Classes are not intended to be serializable between different versions.
+     * See SEC-1709 for why we still need a serial version.
+     */
+    public static final long SERIAL_VERSION_UID = 310L;
+
    static {
        // Check Spring Compatibility
        String springVersion = SpringVersion.getVersion();
        String version = getVersion();

        if (springVersion != null) {
-            // TODO: Generate version class and information dynamically from a template in the build file
            logger.info("You are running with Spring Security Core " + version);
            if (!springVersion.startsWith("3")) {
                logger.error("Spring Major version '3' expected, but you are running with version: "
--- a/core/src/main/java/org/springframework/security/core/authority/GrantedAuthoritiesContainerImpl.java
+++ b/core/src/main/java/org/springframework/security/core/authority/GrantedAuthoritiesContainerImpl.java
@ -3,10 +3,14 @@ package org.springframework.security.core.authority;
 import java.util.*;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;

@Deprecated
 public class GrantedAuthoritiesContainerImpl implements MutableGrantedAuthoritiesContainer {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private List<GrantedAuthority> authorities;

    public void setGrantedAuthorities(Collection<? extends GrantedAuthority> newAuthorities) {
--- a/core/src/main/java/org/springframework/security/core/authority/GrantedAuthorityImpl.java
+++ b/core/src/main/java/org/springframework/security/core/authority/GrantedAuthorityImpl.java
@ -17,6 +17,7 @@ package org.springframework.security.core.authority;

 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;


@ -31,6 +32,9 @@ import org.springframework.util.Assert;
 */
@Deprecated
 public class GrantedAuthorityImpl implements GrantedAuthority {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final String role;
--- a/core/src/main/java/org/springframework/security/core/authority/SimpleGrantedAuthority.java
+++ b/core/src/main/java/org/springframework/security/core/authority/SimpleGrantedAuthority.java
@ -1,6 +1,7 @@
 package org.springframework.security.core.authority;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;

 /**
@ -13,6 +14,9 @@ import org.springframework.util.Assert;
 * @author Luke Taylor
 */
 public final class SimpleGrantedAuthority implements GrantedAuthority {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private final String role;

    public SimpleGrantedAuthority(String role) {
--- a/core/src/main/java/org/springframework/security/core/context/SecurityContextImpl.java
+++ b/core/src/main/java/org/springframework/security/core/context/SecurityContextImpl.java
@ -16,6 +16,7 @@
 package org.springframework.security.core.context;

 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -26,6 +27,9 @@ import org.springframework.security.core.Authentication;
 * @author Ben Alex
 */
 public class SecurityContextImpl implements SecurityContext {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private Authentication authentication;
--- a/core/src/main/java/org/springframework/security/core/session/SessionInformation.java
+++ b/core/src/main/java/org/springframework/security/core/session/SessionInformation.java
@ -15,6 +15,7 @@

 package org.springframework.security.core.session;

+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;

 import java.util.Date;
@ -35,6 +36,9 @@ import java.io.Serializable;
 * @author Ben Alex
 */
 public class SessionInformation implements Serializable {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private Date lastRequest;
--- a/core/src/main/java/org/springframework/security/core/userdetails/User.java
+++ b/core/src/main/java/org/springframework/security/core/userdetails/User.java
@ -25,6 +25,7 @@ import java.util.TreeSet;

 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.CredentialsContainer;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;

 /**
@ -43,6 +44,9 @@ import org.springframework.util.Assert;
 * @author Luke Taylor
 */
 public class User implements UserDetails, CredentialsContainer {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================
    private String password;
    private final String username;
@ -149,6 +153,8 @@ public class User implements UserDetails, CredentialsContainer {
    }

    private static class AuthorityComparator implements Comparator<GrantedAuthority>, Serializable {
+        private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
        public int compare(GrantedAuthority g1, GrantedAuthority g2) {
            // Neither should ever be null as each entry is checked before adding it to the set.
            // If the authority is null, it is a custom authority and should precede others.
--- a/core/src/main/java/org/springframework/security/provisioning/MutableUser.java
+++ b/core/src/main/java/org/springframework/security/provisioning/MutableUser.java
@ -3,6 +3,7 @@ package org.springframework.security.provisioning;
 import java.util.Collection;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;

 /**
@ -11,6 +12,9 @@ import org.springframework.security.core.userdetails.UserDetails;
 * @since 3.1
 */
 class MutableUser implements MutableUserDetails {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private String password;
    private final UserDetails delegate;

--- a/core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
+++ b/core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
@ -15,6 +15,7 @@

 package org.springframework.security.remoting.rmi;

+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;

@ -43,7 +44,8 @@ import java.lang.reflect.InvocationTargetException;
 * @author Ben Alex
 */
 public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
-    //~ Static fields/initializers =====================================================================================
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    private static final Log logger = LogFactory.getLog(ContextPropagatingRemoteInvocation.class);

--- a/ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPerson.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPerson.java
@ -16,6 +16,7 @@ package org.springframework.security.ldap.userdetails;

 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -28,6 +29,9 @@ import org.springframework.ldap.core.DirContextOperations;
 * @author Luke
 */
 public class InetOrgPerson extends Person {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private String carLicense;
    // Person.cn
    private String destinationIndicator;
--- a/ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java
@ -24,6 +24,7 @@ import javax.naming.Name;

 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyData;
 import org.springframework.util.Assert;
@ -46,6 +47,8 @@ import org.springframework.util.Assert;
 */
 public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData {

+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private String dn;
--- a/ldap/src/main/java/org/springframework/security/ldap/userdetails/Person.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/userdetails/Person.java
@ -15,6 +15,7 @@
 package org.springframework.security.ldap.userdetails;


+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;

 import org.springframework.ldap.core.DirContextAdapter;
@ -33,6 +34,9 @@ import java.util.Arrays;
 * @since 2.0
 */
 public class Person extends LdapUserDetailsImpl {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private String sn;
    private String description;
    private String telephoneNumber;
--- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java
+++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java
@ -20,6 +20,7 @@ import java.util.List;

 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;

 /**
 * OpenID Authentication Token
@ -27,6 +28,9 @@ import org.springframework.security.core.GrantedAuthority;
 * @author Robin Bramley
 */
 public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final OpenIDAuthenticationStatus status;
--- a/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java
@ -15,6 +15,8 @@

 package org.springframework.security.web.authentication;

+import org.springframework.security.core.SpringSecurityCoreVersion;
+
 import java.io.Serializable;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@ -27,6 +29,9 @@ import javax.servlet.http.HttpSession;
 * @author Luke Taylor
 */
 public class WebAuthenticationDetails implements Serializable {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================

    private final String remoteAddress;
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java
@ -4,6 +4,7 @@ import java.util.Collection;

 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -14,6 +15,9 @@ import org.springframework.security.core.GrantedAuthority;
 * @since 2.0
 */
 public class PreAuthenticatedAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private final Object principal;
    private final Object credentials;

--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails.java
@ -1,6 +1,7 @@
 package org.springframework.security.web.authentication.preauth;

 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.GrantedAuthoritiesContainer;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;

@ -18,6 +19,8 @@ import java.util.*;
 public class PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails extends WebAuthenticationDetails implements
        GrantedAuthoritiesContainer {

+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    private final List<GrantedAuthority> authorities;

    public PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(HttpServletRequest request,
--- a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserGrantedAuthority.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserGrantedAuthority.java
@ -17,6 +17,7 @@ package org.springframework.security.web.authentication.switchuser;

 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;


 /**
@ -30,6 +31,9 @@ import org.springframework.security.core.GrantedAuthority;
 * @see org.springframework.security.web.authentication.switchuser.SwitchUserFilter
 */
 public final class SwitchUserGrantedAuthority implements GrantedAuthority {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================
    private final String role;
    private final Authentication source;