From b4c7795699ee686c68ae6b05bd83d6a4ddf95155 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Wed, 5 Feb 2025 13:54:12 -0700
Subject: [PATCH] Support Serialization for Authorization Components
Closes gh-16544
---
 ...pringSecurityCoreVersionSerializableTests.java | 8 ++++++++
 ...tion.AuthorityAuthorizationDecision.serialized | Bin 0 -> 400 bytes
 ...authorization.AuthorizationDecision.serialized | Bin 0 -> 96 bytes
 ...zation.AuthorizationDeniedException.serialized | Bin
 .../AuthorityAuthorizationDecision.java | 4 ++++
 .../authorization/AuthorizationDecision.java | 5 +++++
 .../authorization/AuthorizationManagers.java | 2 ++
 .../authorization/AuthorizationResult.java | 4 +++-
 .../ExpressionAuthorizationDecision.java | 1 +
 9 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized
diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index 2c806ce39f..afc044effa 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -95,6 +95,9 @@ import org.springframework.security.authentication.jaas.event.JaasAuthentication
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
+import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
@@ -454,6 +457,11 @@ class SpringSecurityCoreVersionSerializableTests {
 generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
 generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value"));
 generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication));
+ generatorByClassName.put(AuthorizationDeniedException.class,
+ (r) -> new AuthorizationDeniedException("message", new AuthorizationDecision(false)));
+ generatorByClassName.put(AuthorizationDecision.class, (r) -> new AuthorizationDecision(true));
+ generatorByClassName.put(AuthorityAuthorizationDecision.class,
+ (r) -> new AuthorityAuthorizationDecision(true, AuthorityUtils.createAuthorityList("ROLE_USER")));
 // cas
 generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
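Review bot: The 6.4.x fixture added for AuthorizationDeniedException looks empty, so the generator registered for it in the second hunk (`generatorByClassName.put(AuthorizationDeniedException.class, ...)`) has nothing meaningful to be checked against. The diffstat lists that file as `Bin` with no byte counts, and its `index` line ends in `e69de29bb2...` with no binary patch literal following, whereas the other two fixtures carry 400 and 96 bytes. Regenerate the fixture for this class, or confirm how the test treats a zero-length file: a deserialization check that skips or passes on empty input gives no compatibility guarantee for an exception that is constructed with an AuthorizationDecision.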
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized new file mode 100644 index 0000000000000000000000000000000000000000..ad5c632ccffb50b0a05ff874675b820a4a934c1e GIT binary patch literal 400 zcmZ4UmVvdnh`}?zC|$3(peQphJ*_A)H?=&!C|j>MHMz7Xv!qflv9u&3zbLaRu_QA; zPtOs;E2)GsAi^%G$(hAK=^l>+sSTMb222c$J`CJYoh6y6#U%`4K3R!niTb4_nK}B- z`8heM$sqHrD~cE#NVgu<*2`88b2$<_8GyD%F|el>CFYf+rc@L#0=*^-vQ!Ubsh(p| zQDUV}W^qYH<0aXd#}nr=GcbBGuoP!jrB)O$FfcHdvw%pTCMUcOO3p7zg#`*Qc!D!? z3vyE3A(p~J2WS!yFy(*)f~6=wC$)q@2oeH0iFxVz!6l&3wyr2BVc-n%_i>F64R#Hx F008nhjrITl literal 0 HcmV?d00001 diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized new file mode 100644 index 0000000000000000000000000000000000000000..3992b0122aacc8328aaffd7c7538c96b3352f4fe GIT binary patch literal 96 zcmZ4UmVvdnh`}MhC|$3(peQphJ*_A)H?=&!C|j>MHMz7Xv!qflv9u&3zbLaRu_QA; oPtOsV=aQP7Sqv1tZ1pggBe9c#iGeYSfjzw_F|Q;wrJ{fl03x|0OaK4? literal 0 HcmV?d00001 diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java index f9dd43a784..629dfa4a39 100644 
--- a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java @@ -16,6 +16,7 @@ package org.springframework.security.authorization; +import java.io.Serial; import java.util.Collection; import org.springframework.security.core.GrantedAuthority; @@ -28,6 +29,9 @@ import org.springframework.security.core.GrantedAuthority; */ public class AuthorityAuthorizationDecision extends AuthorizationDecision { + @Serial + private static final long serialVersionUID = -8338309042331376592L; + private final Collection authorities; public AuthorityAuthorizationDecision(boolean granted, Collection authorities) { diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java index bd873ecdb1..a428fc28d9 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java @@ -16,12 +16,17 @@ package org.springframework.security.authorization; +import java.io.Serial; + /** * @author Rob Winch * @since 5.0 */ public class AuthorizationDecision implements AuthorizationResult { + @Serial + private static final long serialVersionUID = -3226018324649244416L; + private final boolean granted; public AuthorizationDecision(boolean granted) { diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java index f3893c9743..d0de9bd647 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java 
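Review bot: In AuthorityAuthorizationDecision the `authorities` field is declared as a plain `Collection`, so pinning `serialVersionUID` does not by itself make instances serializable; writing one out succeeds only if the collection the caller passed in is a serializable implementation. The constructor body lies outside this hunk, so I cannot see whether the argument is copied; if it is stored as-is, a non-serializable collection would fail with NotSerializableException only at the moment a decision is written out. Consider copying in the constructor, for example `this.authorities = new ArrayList<>(authorities);`, or stating the requirement in the constructor Javadoc.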
@@ -145,6 +145,7 @@ public final class AuthorizationManagers { private AuthorizationManagers() { } + @SuppressWarnings("serial") private static final class CompositeAuthorizationDecision extends AuthorizationDecision { private final List results; @@ -161,6 +162,7 @@ public final class AuthorizationManagers { } + @SuppressWarnings("serial") private static final class NotAuthorizationDecision extends AuthorizationDecision { private final AuthorizationResult result; diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java index 11c5cd4a76..a98c61a3aa 100644 --- a/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java +++ b/core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java @@ -16,13 +16,15 @@ package org.springframework.security.authorization; +import java.io.Serializable; + /** * Represents an authorization result * * @author Marcus da Coregio * @since 6.3 */ -public interface AuthorizationResult { +public interface AuthorizationResult extends Serializable { /** * @return whether the access has been granted diff --git a/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java index 930b23a2cc..54f5adbbc6 100644 --- a/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java +++ b/core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java @@ -24,6 +24,7 @@ import org.springframework.expression.Expression; * @author Marcus Da Coregio * @since 5.8 */ +@SuppressWarnings("serial") public class ExpressionAuthorizationDecision extends AuthorizationDecision { private final Expression expression;
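Review bot: `@SuppressWarnings("serial")` on CompositeAuthorizationDecision (and again on NotAuthorizationDecision in the next hunk) silences the missing-`serialVersionUID` warning without saying why that is acceptable. Both are private nested classes that now inherit Serializable through AuthorizationDecision, so their serialized form falls back to the compiler-derived default UID, and neither is covered by the fixtures this commit adds. Either declare an explicit `@Serial private static final long serialVersionUID` on each, as done for AuthorizationDecision, or add a comment such as `// not part of the supported serialized form; see gh-16544` so the suppression reads as a decision. The `results` list held by CompositeAuthorizationDecision also has to be a serializable implementation; its constructor is outside the hunk.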
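Review bot: Making the public AuthorizationResult interface extend Serializable changes the contract for every implementation outside this module, yet the Javadoc still says only "Represents an authorization result". Custom implementations that hold non-serializable state will keep compiling and fail with NotSerializableException only when an instance is actually written out. I would add a sentence to the interface Javadoc, for example `Implementations must be serializable; fields that cannot be serialized should be marked transient.`, so implementers see the requirement where they look first.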
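Review bot: The suppression added on ExpressionAuthorizationDecision appears to hide a real failure rather than a cosmetic warning: the class keeps a `private final Expression expression;` field, and Spring's `Expression` interface is, as far as I know, not Serializable. If that holds, serializing one of these decisions throws NotSerializableException, and the test hunk in this commit registers no generator for the class, so nothing would catch it. Consider declaring the field as `private final transient Expression expression;` and documenting that the expression is not restored after deserialization; the rest of the class body is outside the hunk, so any accessor or `toString` that dereferences the field would need a null check as well.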