diff --git a/access/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java b/access/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java
index 6e3b140a51..17cbc63ba5 100644
--- a/access/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java
+++ b/access/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java
@@ -35,6 +35,7 @@ import org.springframework.security.web.FilterInvocation;
 */
 @Deprecated
 @NullUnmarked
+@SuppressWarnings("serial")
 class WebExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor {
 private final Expression authorizeExpression;
diff --git a/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java b/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java
index 0e5e2cc4d1..a7e8bdd164 100644
--- a/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java
+++ b/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java
@@ -48,6 +48,7 @@ import org.springframework.security.jackson.SecurityJacksonModules;
 * @since 7.0
 * @see SecurityJacksonModules
 */
+@SuppressWarnings("serial")
 public class CasJacksonModule extends SecurityJacksonModule {
 public CasJacksonModule() {
diff --git a/config/src/test/java/org/springframework/security/SerializationSamples.java b/config/src/test/java/org/springframework/security/SerializationSamples.java
index 43e10d58a4..7136763b6b 100644
--- a/config/src/test/java/org/springframework/security/SerializationSamples.java
+++ b/config/src/test/java/org/springframework/security/SerializationSamples.java
@@ -86,6 +86,9 @@ import org.springframework.security.authentication.password.CompromisedPasswordE
 import org.springframework.security.authorization.AuthorityAuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
+import org.springframework.security.authorization.FactorAuthorizationDecision;
+import org.springframework.security.authorization.RequiredFactor;
+import org.springframework.security.authorization.RequiredFactorError;
 import org.springframework.security.authorization.event.AuthorizationEvent;
 import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
@@ -162,6 +165,7 @@ import org.springframework.security.oauth2.jwt.JwtException;
 import org.springframework.security.oauth2.jwt.JwtValidationException;
 import org.springframework.security.oauth2.jwt.TestJwts;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationServerMetadata;
 import org.springframework.security.oauth2.server.authorization.OAuth2ClientRegistration;
@@ -169,15 +173,22 @@ import org.springframework.security.oauth2.server.authorization.OAuth2TokenIntro
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationGrantAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientRegistrationAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceAuthorizationConsentAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceAuthorizationRequestAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceCodeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceVerificationAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2PushedAuthorizationRequestAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -191,6 +202,7 @@ import org.springframework.security.oauth2.server.authorization.settings.Authori
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
 import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimNames;
 import org.springframework.security.oauth2.server.resource.BearerTokenError;
 import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
@@ -251,6 +263,7 @@ import org.springframework.security.web.webauthn.api.AuthenticationExtensionsCli import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs; import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse; import org.springframework.security.web.webauthn.api.AuthenticatorAttachment; +import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse; import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria; import org.springframework.security.web.webauthn.api.AuthenticatorTransport; import org.springframework.security.web.webauthn.api.Bytes; @@ -271,6 +284,7 @@ import org.springframework.security.web.webauthn.api.PublicKeyCredentialType; import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity; import org.springframework.security.web.webauthn.api.ResidentKeyRequirement; import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses; +import org.springframework.security.web.webauthn.api.TestAuthenticatorAttestationResponses; import org.springframework.security.web.webauthn.api.TestBytes; import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions; import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions; @@ -445,6 +459,8 @@ final class SerializationSamples { generatorByClassName.put(RegisteredClient.class, (r) -> registeredClient); generatorByClassName.put(OAuth2Authorization.class, (r) -> authorization); generatorByClassName.put(OAuth2Authorization.Token.class, (r) -> authorization.getAccessToken()); + generatorByClassName.put(OAuth2AuthorizationCode.class, + (r) -> new OAuth2AuthorizationCode("code", Instant.now(), Instant.now().plusSeconds(300))); generatorByClassName.put(OAuth2AuthorizationConsent.class, (r) -> OAuth2AuthorizationConsent.withId("registeredClientId", "principalName") .scope("scope1") 
@@ -470,6 +486,58 @@ final class SerializationSamples { authenticationToken.setDetails(details); return authenticationToken; }); + generatorByClassName.put( + org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken.class, + (r) -> { + org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken token = new org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken( + "code", principal, "https://localhost/callback", Map.of("custom_param", "custom_value")); + token.setDetails(details); + return token; + }); + generatorByClassName.put(OAuth2AuthorizationCodeRequestAuthenticationException.class, (r) -> { + OAuth2AuthorizationCodeRequestAuthenticationToken authToken = new OAuth2AuthorizationCodeRequestAuthenticationToken( + "https://localhost/authorize", "clientId", principal, "https://localhost/callback", "state", + authorizationRequest.getScopes(), authorizationRequest.getAdditionalParameters()); + return new OAuth2AuthorizationCodeRequestAuthenticationException( + new OAuth2Error("invalid_request", "Missing required parameter", "https://example.com/error"), + authToken); + }); + generatorByClassName.put(OAuth2ClientCredentialsAuthenticationToken.class, (r) -> { + OAuth2ClientCredentialsAuthenticationToken token = new OAuth2ClientCredentialsAuthenticationToken(principal, + Set.of("scope1", "scope2"), Map.of("custom_param", "custom_value")); + token.setDetails(details); + return token; + }); + generatorByClassName.put(OAuth2DeviceCodeAuthenticationToken.class, (r) -> { + OAuth2DeviceCodeAuthenticationToken token = new OAuth2DeviceCodeAuthenticationToken("device-code", + principal, Map.of("custom_param", "custom_value")); + token.setDetails(details); + return token; + }); + generatorByClassName.put(OAuth2RefreshTokenAuthenticationToken.class, (r) -> { + OAuth2RefreshTokenAuthenticationToken token = new 
OAuth2RefreshTokenAuthenticationToken("refresh-token", + principal, Set.of("scope1", "scope2"), Map.of("custom_param", "custom_value")); + token.setDetails(details); + return token; + }); + generatorByClassName.put(OAuth2TokenExchangeAuthenticationToken.class, (r) -> { + OAuth2TokenExchangeAuthenticationToken token = new OAuth2TokenExchangeAuthenticationToken( + "urn:ietf:params:oauth:token-type:access_token", "subject-token", + "urn:ietf:params:oauth:token-type:jwt", principal, "actor-token", + "urn:ietf:params:oauth:token-type:jwt", Set.of("https://resource.example.com"), Set.of("audience"), + Set.of("scope1"), Map.of("custom_param", "custom_value")); + token.setDetails(details); + return token; + }); + OAuth2TokenExchangeActor actor = new OAuth2TokenExchangeActor(Map.of(OAuth2TokenClaimNames.ISS, + "https://issuer.example.com", OAuth2TokenClaimNames.SUB, "actor-subject")); + generatorByClassName.put(OAuth2TokenExchangeActor.class, (r) -> actor); + generatorByClassName.put(OAuth2TokenExchangeCompositeAuthenticationToken.class, (r) -> { + AbstractAuthenticationToken token = new OAuth2TokenExchangeCompositeAuthenticationToken(authentication, + List.of(actor)); + token.setDetails(details); + return token; + }); generatorByClassName.put(OAuth2AuthorizationConsentAuthenticationToken.class, (r) -> { OAuth2AuthorizationConsentAuthenticationToken authenticationToken = new OAuth2AuthorizationConsentAuthenticationToken( "authorizationUri", "clientId", principal, "state", authorizationRequest.getScopes(), 
@@ -685,6 +753,12 @@ final class SerializationSamples { generatorByClassName.put(AuthorizationDecision.class, (r) -> new AuthorizationDecision(true)); generatorByClassName.put(AuthorityAuthorizationDecision.class, (r) -> new AuthorityAuthorizationDecision(true, AuthorityUtils.createAuthorityList("ROLE_USER"))); + RequiredFactor factor = RequiredFactor.withAuthority("authority").validDuration(Duration.ofSeconds(5)).build(); + generatorByClassName.put(RequiredFactor.class, (r) -> factor); + RequiredFactorError error = RequiredFactorError.createMissing(factor); + generatorByClassName.put(RequiredFactorError.class, (r) -> error); + generatorByClassName.put(FactorAuthorizationDecision.class, + (r) -> new FactorAuthorizationDecision(List.of(error))); generatorByClassName.put(CycleInRoleHierarchyException.class, (r) -> new CycleInRoleHierarchyException()); generatorByClassName.put(AuthorizationEvent.class, (r) -> new AuthorizationEvent(new SerializableSupplier<>(authentication), "source", @@ -875,6 +949,8 @@ final class SerializationSamples { generatorByClassName.put(CredentialPropertiesOutput.class, (o) -> credentialOutput); generatorByClassName.put(ImmutableAuthenticationExtensionsClientOutputs.class, (o) -> outputs); generatorByClassName.put(AuthenticatorAssertionResponse.class, (r) -> response); + generatorByClassName.put(AuthenticatorAttestationResponse.class, + (r) -> TestAuthenticatorAttestationResponses.createAuthenticatorAttestationResponse().build()); generatorByClassName.put(RelyingPartyAuthenticationRequest.class, (r) -> authRequest); generatorByClassName.put(PublicKeyCredential.class, (r) -> credential); generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken); diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java index 98b1d346ee..8ce925cdc3 100644 
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -33,10 +33,10 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 import java.util.stream.Stream;
 import org.apache.commons.lang3.ObjectUtils;
@@ -207,10 +207,7 @@ class SpringSecurityCoreVersionSerializableTests {
 boolean hasSerialVersion = Stream.of(clazz.getDeclaredFields())
 .map(Field::getName)
 .anyMatch((n) -> n.equals("serialVersionUID"));
- SuppressWarnings suppressWarnings = clazz.getAnnotation(SuppressWarnings.class);
- boolean hasSerialIgnore = suppressWarnings == null
- || Arrays.asList(suppressWarnings.value()).contains("Serial");
- if (!hasSerialVersion && !hasSerialIgnore) {
+ if (!hasSerialVersion && !hasSuppressSerialInSource(clazz)) {
 classes.add(clazz);
 continue;
 }
@@ -249,6 +246,58 @@ class SpringSecurityCoreVersionSerializableTests {
 return classes.stream();
 }
+ private static boolean hasSuppressSerialInSource(Class clazz) {
+ try {
+ Class fileClass = clazz;
+ while (fileClass.getEnclosingClass() != null) {
+ fileClass = fileClass.getEnclosingClass();
+ }
+ var codeSource = fileClass.getProtectionDomain().getCodeSource();
+ if (codeSource == null) {
+ return false;
+ }
+ Path sourceFile = findSourceFile(Path.of(codeSource.getLocation().toURI()), fileClass);
+ if (sourceFile == null) {
+ return false;
+ }
+ return hasSuppressSerialAnnotation(Files.readAllLines(sourceFile), clazz.getSimpleName());
+ }
+ catch (Exception ex) {
+ return false;
+ }
+ }
+
+ private static Path findSourceFile(Path start, Class clazz) {
+ String relativePath = clazz.getName().replace('.', '/') + ".java";
+ Path dir = start;
+ for (int i = 0; i < 10 && dir != null; i++) {
+ for (String sourceRoot : List.of("src/main/java", "src/test/java")) {
+ Path candidate = dir.resolve(sourceRoot).resolve(relativePath);
+ if (Files.exists(candidate)) {
+ return candidate;
+ }
+ }
+ dir = dir.getParent();
+ }
+ return null;
+ }
+
+ private static boolean hasSuppressSerialAnnotation(List lines, String simpleClassName) {
+ Pattern classDeclaration = Pattern
+ .compile("\\b(?:class|interface|enum|record)\\s+" + Pattern.quote(simpleClassName) + "\\b");
+ for (int i = 0; i < lines.size(); i++) {
+ if (classDeclaration.matcher(lines.get(i)).find()) {
+ for (int j = Math.max(0, i - 5); j < i; j++) {
+ String line = lines.get(j);
+ if (line.contains("@SuppressWarnings") && line.contains("\"serial\"")) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
 private static String getCurrentVersion() {
 String version = System.getProperty("springSecurityVersion");
 String[] parts = version.split("\\.");
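Review bot: `hasSuppressSerialAnnotation` builds its declaration pattern from `clazz.getSimpleName()`, which is an empty string for anonymous classes, so the pattern then matches any `class`/`interface`/`enum`/`record` line in the file and an unrelated `@SuppressWarnings("serial")` inside the five-line window would exempt the class from the serialVersionUID check. Whether anonymous classes reach this helper depends on the class scan outside the hunk, but a guard at the top of `hasSuppressSerialInSource` keeps the check failing closed: `if (clazz.getSimpleName().isEmpty()) { return false; }`. A short comment would also help, stating that the source file is read because `@SuppressWarnings` has source retention and is not visible through reflection, and that the five-line look-back is a text heuristic that can also match a neighbouring declaration or a comment.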
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.serialized
new file mode 100644
index 0000000000..5ca34eea22
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.FactorAuthorizationDecision.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.FactorAuthorizationDecision.serialized
new file mode 100644
index 0000000000..747fc7d2e8
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.FactorAuthorizationDecision.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.RequiredFactor.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.RequiredFactor.serialized
new file mode 100644
index 0000000000..5232a96c9b
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.RequiredFactor.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.RequiredFactorError.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.RequiredFactorError.serialized
new file mode 100644
index 0000000000..db9a321996
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.authorization.RequiredFactorError.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode.serialized
new file mode 100644
index 0000000000..2035cac048
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken.serialized
new file mode 100644
index 0000000000..261b9100f9
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException.serialized
new file mode 100644
index 0000000000..df7b151a3c
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken.serialized
new file mode 100644
index 0000000000..b4b92f420a
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceCodeAuthenticationToken.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceCodeAuthenticationToken.serialized
new file mode 100644
index 0000000000..db2b28832d
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceCodeAuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken.serialized
new file mode 100644
index 0000000000..8eefaebfef
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor.serialized
new file mode 100644
index 0000000000..7fb91346d4
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken.serialized
new file mode 100644
index 0000000000..ee60626a7c
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken.serialized
new file mode 100644
index 0000000000..2417844ded
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.serialized
new file mode 100644
index 0000000000..b728aa265f
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.serialized differ
diff --git a/core/src/main/java/org/springframework/security/authorization/FactorAuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/FactorAuthorizationDecision.java
index 6a3c428834..b26e48a97f 100644
--- a/core/src/main/java/org/springframework/security/authorization/FactorAuthorizationDecision.java
+++ b/core/src/main/java/org/springframework/security/authorization/FactorAuthorizationDecision.java
@@ -16,6 +16,7 @@
 package org.springframework.security.authorization;
+import java.io.Serial;
 import java.util.Collections;
 import java.util.List;
@@ -29,6 +30,9 @@ import org.springframework.util.Assert;
 */
 public class FactorAuthorizationDecision implements AuthorizationResult {
+ @Serial
+ private static final long serialVersionUID = -245342816437885039L;
+
 private final List factorErrors;
 /**
diff --git a/core/src/main/java/org/springframework/security/authorization/RequiredFactor.java b/core/src/main/java/org/springframework/security/authorization/RequiredFactor.java
index c169f2f68a..fcc272bc71 100644
--- a/core/src/main/java/org/springframework/security/authorization/RequiredFactor.java
+++ b/core/src/main/java/org/springframework/security/authorization/RequiredFactor.java
@@ -16,6 +16,8 @@
 package org.springframework.security.authorization;
+import java.io.Serial;
+import java.io.Serializable;
 import java.time.Duration;
 import java.util.Objects;
@@ -40,7 +42,10 @@ import org.springframework.util.Assert;
 * @author Rob Winch
 * @since 7.0
 */
-public final class RequiredFactor {
+public final class RequiredFactor implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 295501208651764485L;
 private final String authority;
diff --git a/core/src/main/java/org/springframework/security/authorization/RequiredFactorError.java b/core/src/main/java/org/springframework/security/authorization/RequiredFactorError.java
index 102be8db17..e0e455f44b 100644
--- a/core/src/main/java/org/springframework/security/authorization/RequiredFactorError.java
+++ b/core/src/main/java/org/springframework/security/authorization/RequiredFactorError.java
@@ -16,6 +16,8 @@
 package org.springframework.security.authorization;
+import java.io.Serial;
+import java.io.Serializable;
 import java.util.Objects;
 import org.jspecify.annotations.Nullable;
@@ -29,7 +31,10 @@ import org.springframework.util.Assert;
 * @author Rob Winch
 * @since 7.0
 */
-public class RequiredFactorError {
+public class RequiredFactorError implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 1946221547278528901L;
 private final RequiredFactor requiredFactor;
diff --git a/core/src/test/java/org/springframework/security/authentication/NonBuildableAuthenticationToken.java b/core/src/test/java/org/springframework/security/authentication/NonBuildableAuthenticationToken.java
index 8099b826f3..ef4e416158 100644
--- a/core/src/test/java/org/springframework/security/authentication/NonBuildableAuthenticationToken.java
+++ b/core/src/test/java/org/springframework/security/authentication/NonBuildableAuthenticationToken.java
@@ -16,6 +16,7 @@
 package org.springframework.security.authentication;
+@SuppressWarnings("serial")
 public class NonBuildableAuthenticationToken extends TestingAuthenticationToken {
 public NonBuildableAuthenticationToken(String user, String password, String... authorities) {
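Review bot: `RequiredFactor` (the class-declaration hunk of RequiredFactor.java) becomes `Serializable` without any statement of its deserialization contract: Java deserialization restores the fields without running the constructor or builder, so whatever `Assert` checks guard `authority` (the constructor is outside the hunk) are not re-applied to a restored instance. Because these objects describe which authentication factors an authorization decision requires, I would add a class-level Javadoc line such as `Serialized forms are only expected to come from trusted storage; invariants are not re-validated on deserialization.`, or re-check the invariants in a `readObject` method. The same applies to `RequiredFactorError` in the next file and to `OAuth2TokenExchangeActor` later in this diff.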
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java
index da1b94efa0..c84d57f70a 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java
@@ -225,6 +225,7 @@ public final class InMemoryOAuth2AuthorizationService implements OAuth2Authoriza
 return userCode != null && userCode.getToken().getTokenValue().equals(token);
 }
+ @SuppressWarnings("serial")
 private static final class MaxSizeHashMap extends LinkedHashMap {
 private final int maxSize;
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationCode.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationCode.java
index 56b8bb185a..2fce5ab24a 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationCode.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationCode.java
@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.server.authorization;
+import java.io.Serial;
 import java.time.Instant;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
@@ -32,6 +33,9 @@ import org.springframework.security.oauth2.core.AbstractOAuth2Token;
 */
 public class OAuth2AuthorizationCode extends AbstractOAuth2Token {
+ @Serial
+ private static final long serialVersionUID = 3789328028057414501L;
+
 /**
 * Constructs an {@code OAuth2AuthorizationCode} using the provided parameters.
 * @param tokenValue the token value
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java
index b4869952af..95c7ca71fe 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java
@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.io.Serial;
 import java.util.Map;
 import org.jspecify.annotations.Nullable;
@@ -37,6 +38,9 @@ import org.springframework.util.Assert;
 */
 public class OAuth2AuthorizationCodeAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken {
+ @Serial
+ private static final long serialVersionUID = 4629166286850598162L;
+
 private final String code;
 private final @Nullable String redirectUri;
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationException.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationException.java
index 49bad93d54..68703f5fad 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationException.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationException.java
@@ -16,8 +16,9 @@
 package org.springframework.security.oauth2.server.authorization.authentication;
-import org.jspecify.annotations.Nullable;
+import java.io.Serial;
+import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
@@ -34,6 +35,9 @@ import org.springframework.security.oauth2.core.OAuth2Error;
 */
 public class OAuth2AuthorizationCodeRequestAuthenticationException extends OAuth2AuthenticationException {
+ @Serial
+ private static final long serialVersionUID = -3791188557904282453L;
+
 private final @Nullable OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication;
 /**
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java
index 7e72d5fb39..9b05bed042 100644
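Review bot: The import hunk of OAuth2AuthorizationCodeRequestAuthenticationException.java swaps `org.jspecify.annotations.Nullable` for `org.springframework.lang.Nullable`, which looks unrelated to adding `serialVersionUID` and is inconsistent with the sibling token classes in this diff, whose context lines still import the JSpecify annotation. The field in the following hunk is declared as `private final @Nullable OAuth2AuthorizationCodeRequestAuthenticationToken ...`, i.e. with the annotation in type-use position, which matches the JSpecify style. Unless the switch is intentional, I would keep `import org.jspecify.annotations.Nullable;` and add only `import java.io.Serial;`.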
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java
@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.io.Serial;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
@@ -37,6 +38,9 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
 */
 public class OAuth2ClientCredentialsAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken {
+ @Serial
+ private static final long serialVersionUID = -220223451609576578L;
+
 private final Set scopes;
 /**
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationToken.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationToken.java
index 2022c77a23..0ee90ac58c 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationToken.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationToken.java
@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.io.Serial;
 import java.util.Map;
 import org.jspecify.annotations.Nullable;
@@ -35,6 +36,9 @@ import org.springframework.util.Assert; */ public class OAuth2DeviceCodeAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken { + @Serial + private static final long serialVersionUID = 8364555864666204030L; + private final String deviceCode; /** diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationToken.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationToken.java index 9acc0bebd4..e80f9249d7 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationToken.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationToken.java @@ -16,6 +16,7 @@ package org.springframework.security.oauth2.server.authorization.authentication; +import java.io.Serial; import java.util.Collections; import java.util.HashSet; import java.util.Map; @@ -37,6 +38,9 @@ import org.springframework.util.Assert; */ public class OAuth2RefreshTokenAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken { + @Serial + private static final long serialVersionUID = 328697547826078993L; + private final String refreshToken; private final Set scopes; diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeActor.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeActor.java index 76b2e5c3a9..f4de6b65a0 100644 
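Review bot: `deviceCode` here, and `refreshToken`, `subjectToken` and `saml2Response` in the OAuth2RefreshTokenAuthenticationToken, OAuth2TokenExchangeAuthenticationToken and Saml2AuthenticationToken hunks, are non-transient fields, so the serialized form that the new `serialVersionUID` pins contains the raw credential or assertion. Nothing in these hunks documents that. A comment above the constant such as `// serialized form includes the device code; any store holding it needs the same protection as the credential` would tell maintainers what ends up in a session or cache store. It would also help to state that changing the fields requires a new `serialVersionUID` or a compatibility path. The class bodies continue outside the hunks, so any handling already present there is not visible.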
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeActor.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeActor.java @@ -16,6 +16,8 @@ package org.springframework.security.oauth2.server.authorization.authentication; +import java.io.Serial; +import java.io.Serializable; import java.util.Collections; import java.util.Map; import java.util.Objects; @@ -33,7 +35,10 @@ import org.springframework.util.Assert; * @since 7.0 * @see OAuth2TokenExchangeCompositeAuthenticationToken */ -public final class OAuth2TokenExchangeActor implements ClaimAccessor { +public final class OAuth2TokenExchangeActor implements ClaimAccessor, Serializable { + + @Serial + private static final long serialVersionUID = -3966261411784615574L; private final Map claims; diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java index 90c9c238f3..f0f4112887 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java @@ -16,6 +16,7 @@ package org.springframework.security.oauth2.server.authorization.authentication; +import java.io.Serial; import java.util.Collections; import java.util.HashSet; import java.util.LinkedHashSet; 
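Review bot: Making `OAuth2TokenExchangeActor` `Serializable` exposes its `claims` map to Java serialization, yet nothing in the hunk constrains the claim values to be serializable, so a non-serializable value would fail only at write time with `NotSerializableException`. Default deserialization also restores `claims` without running the constructor, which is outside the hunk. The `Assert` and `Collections` imports suggest the constructor validates and wraps the map, and those guarantees would not hold for an instance read from a stream this class did not write. Consider stating the requirement in the class Javadoc, for example `Claim values must be {@link java.io.Serializable}`, and re-checking the map in a `readObject` method if the constructor's invariants matter to callers.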
@@ -38,6 +39,9 @@ import org.springframework.util.Assert; */ public class OAuth2TokenExchangeAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken { + @Serial + private static final long serialVersionUID = 2484741634669297785L; + private final String requestedTokenType; private final String subjectToken; diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeCompositeAuthenticationToken.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeCompositeAuthenticationToken.java index 45af4308c7..753f3e628a 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeCompositeAuthenticationToken.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeCompositeAuthenticationToken.java @@ -16,6 +16,7 @@ package org.springframework.security.oauth2.server.authorization.authentication; +import java.io.Serial; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -37,6 +38,9 @@ import org.springframework.util.Assert; */ public class OAuth2TokenExchangeCompositeAuthenticationToken extends AbstractAuthenticationToken { + @Serial + private static final long serialVersionUID = 1912280308201180854L; + private final Authentication subject; private final List actors; diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/OAuth2AccessTokenGenerator.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/OAuth2AccessTokenGenerator.java index eb12f5c6b8..a7e5fac337 100644 
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/OAuth2AccessTokenGenerator.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/OAuth2AccessTokenGenerator.java @@ -155,6 +155,7 @@ public final class OAuth2AccessTokenGenerator implements OAuth2TokenGenerator claims; diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java index 8baca2a962..ae34b16f18 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java @@ -268,6 +268,7 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt } + @SuppressWarnings("serial") private static final class OAuth2AuthorizationRequestException extends AuthenticationException { OAuth2AuthorizationRequestException(Throwable cause) { diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOidcAuthorizationRequest.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOidcAuthorizationRequest.java index 54b14a2231..37aa3e557f 100644 --- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOidcAuthorizationRequest.java +++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOidcAuthorizationRequest.java 
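Review bot: `@SuppressWarnings("serial")` on `OAuth2AuthorizationRequestException` in OAuth2AuthorizationRequestRedirectFilter silences the lint without giving the class a stable serialized form, whereas `OAuth2AuthorizationCodeRequestAuthenticationException` in this same commit gets an explicit `serialVersionUID`. Whether instances of this private exception can reach a serialized session is not visible here, because the filter body is outside the hunk. If they can, a recompile may change the computed UID and break deserialization of stored sessions. I would either add `@Serial private static final long serialVersionUID = <generated value>L;` or keep the suppression with a comment such as `// never serialized: handled inside this filter`.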
@@ -23,6 +23,7 @@ import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames /** * @author Joe Grandja */ +@SuppressWarnings("serial") public class TestOidcAuthorizationRequest extends OAuth2AuthorizationRequest { private final String nonce; diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java index be89885b7b..de88ba57ae 100644 --- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java +++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofJwtDecoderFactory.java @@ -185,6 +185,7 @@ public final class DPoPProofJwtDecoderFactory implements JwtDecoderFactory { private static final int MAX_SIZE = 1000; diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java index 4d64edc90a..7dec6d450a 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java @@ -16,6 +16,7 @@ package org.springframework.security.saml2.provider.service.authentication; +import java.io.Serial; import java.util.Collections; import org.jspecify.annotations.Nullable; 
@@ -35,6 +36,9 @@ import org.springframework.util.Assert; */ public class Saml2AuthenticationToken extends AbstractAuthenticationToken { + @Serial + private static final long serialVersionUID = 5225098478444036532L; + private final RelyingPartyRegistration relyingPartyRegistration; private final String saml2Response; diff --git a/web/src/test/java/org/springframework/security/web/authentication/DefaultEqualsGrantedAuthority.java b/web/src/test/java/org/springframework/security/web/authentication/DefaultEqualsGrantedAuthority.java index 1970ea2691..0220e66767 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/DefaultEqualsGrantedAuthority.java +++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultEqualsGrantedAuthority.java @@ -25,6 +25,7 @@ import org.springframework.security.core.GrantedAuthority; * @author Rob Winch * @since 7.0 */ +@SuppressWarnings("serial") public class DefaultEqualsGrantedAuthority implements GrantedAuthority { public static final String AUTHORITY = "CUSTOM_AUTHORITY"; diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttestationResponse.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttestationResponse.java index 44a1e234f1..10793a45a9 100644 --- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttestationResponse.java +++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttestationResponse.java @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; import java.util.Arrays; import java.util.List; 
@@ -36,6 +37,9 @@ import org.jspecify.annotations.Nullable; */ public final class AuthenticatorAttestationResponse extends AuthenticatorResponse { + @Serial + private static final long serialVersionUID = -1628559840895428945L; + private final Bytes attestationObject; private final @Nullable List transports;