diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java index 208b64e17c..73a28f6dd6 100644 --- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java +++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java @@ -39,11 +39,13 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.Set; import java.util.stream.Collectors; import java.util.stream.Stream; +import jakarta.servlet.http.Cookie; import org.apache.commons.lang3.ObjectUtils; import org.apereo.cas.client.validation.AssertionImpl; import org.instancio.Instancio; @@ -58,9 +60,11 @@ import org.junit.jupiter.params.provider.MethodSource; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider; import org.springframework.core.type.filter.AssignableTypeFilter; +import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpSession; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.AuthorizationServiceException; +import org.springframework.security.access.SecurityConfig; import org.springframework.security.access.intercept.RunAsUserToken; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AccountExpiredException; @@ -104,13 +108,16 @@ import org.springframework.security.core.SpringSecurityCoreVersion; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.core.context.TransientSecurityContext; import org.springframework.security.core.session.AbstractSessionEvent; import org.springframework.security.core.session.ReactiveSessionInformation; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.ldap.ppolicy.PasswordPolicyControl; import org.springframework.security.ldap.ppolicy.PasswordPolicyErrorStatus; import org.springframework.security.ldap.ppolicy.PasswordPolicyException; +import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl; import org.springframework.security.ldap.userdetails.LdapAuthority; import org.springframework.security.oauth2.client.ClientAuthorizationException; import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException; @@ -179,6 +186,7 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2R import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications; import org.springframework.security.saml2.provider.service.authentication.TestSaml2PostAuthenticationRequests; import org.springframework.security.saml2.provider.service.authentication.TestSaml2RedirectAuthenticationRequests; +import org.springframework.security.web.PortResolverImpl; import org.springframework.security.web.authentication.WebAuthenticationDetails; import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; import org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException; @@ -194,6 +202,8 @@ import org.springframework.security.web.csrf.DefaultCsrfToken; import org.springframework.security.web.csrf.InvalidCsrfTokenException; import org.springframework.security.web.csrf.MissingCsrfTokenException; import org.springframework.security.web.firewall.RequestRejectedException; +import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.SimpleSavedRequest; import org.springframework.security.web.server.firewall.ServerExchangeRejectedException; import org.springframework.security.web.session.HttpSessionCreatedEvent; import org.springframework.security.web.webauthn.api.Bytes; @@ -442,6 +452,8 @@ class SpringSecurityCoreVersionSerializableTests { generatorByClassName.put(JaasAuthenticationSuccessEvent.class, (r) -> new JaasAuthenticationSuccessEvent(authentication)); generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext)); + generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value")); + generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication)); // cas generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> { @@ -466,6 +478,11 @@ class SpringSecurityCoreVersionSerializableTests { (r) -> new LdapAuthority("USER", "username", Map.of("attribute", List.of("value1", "value2")))); generatorByClassName.put(PasswordPolicyException.class, (r) -> new PasswordPolicyException(PasswordPolicyErrorStatus.INSUFFICIENT_PASSWORD_QUALITY)); + generatorByClassName.put(PasswordPolicyControl.class, (r) -> new PasswordPolicyControl(true)); + generatorByClassName.put(PasswordPolicyResponseControl.class, (r) -> { + byte[] encodedResponse = { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0xA0, 0x1, 0x21 }; + return new PasswordPolicyResponseControl(encodedResponse); + }); // saml2-service-provider generatorByClassName.put(Saml2AuthenticationException.class, @@ -521,6 +538,20 @@ class SpringSecurityCoreVersionSerializableTests { (r) -> new AuthenticationSwitchUserEvent(authentication, user)); generatorByClassName.put(HttpSessionCreatedEvent.class, (r) -> new HttpSessionCreatedEvent(new MockHttpSession())); + generatorByClassName.put(SimpleSavedRequest.class, (r) -> { + MockHttpServletRequest request = new MockHttpServletRequest("GET", "/uri"); + request.setQueryString("query=string"); + request.setScheme("https"); + request.setServerName("localhost"); + request.setServerPort(80); + request.setRequestURI("/uri"); + request.setCookies(new Cookie("name", "value")); + request.addHeader("header", "value"); + request.addParameter("parameter", "value"); + request.setPathInfo("/path"); + request.addPreferredLocale(Locale.ENGLISH); + return new SimpleSavedRequest(new DefaultSavedRequest(request, new PortResolverImpl(), "continue")); + }); // webauthn generatorByClassName.put(Bytes.class, (r) -> TestBytes.get()); diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized new file mode 100644 index 0000000000..ae659612d7 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized new file mode 100644 index 0000000000..5a4ccd07b4 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized new file mode 100644 index 0000000000..51e783d58c Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized new file mode 100644 index 0000000000..911742c981 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized new file mode 100644 index 0000000000..58449b0e22 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized differ diff --git a/core/src/main/java/org/springframework/security/access/SecurityConfig.java b/core/src/main/java/org/springframework/security/access/SecurityConfig.java index 3079174e52..2cbc640b3a 100644 --- a/core/src/main/java/org/springframework/security/access/SecurityConfig.java +++ b/core/src/main/java/org/springframework/security/access/SecurityConfig.java @@ -16,6 +16,7 @@ package org.springframework.security.access; +import java.io.Serial; import java.util.ArrayList; import java.util.List; @@ -29,6 +30,9 @@ import org.springframework.util.StringUtils; */ public class SecurityConfig implements ConfigAttribute { + @Serial + private static final long serialVersionUID = -7138084564199804304L; + private final String attrib; public SecurityConfig(String config) { diff --git a/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java b/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java index 3a3ccdf91e..f129fdbe17 100644 --- a/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java +++ b/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java @@ -30,6 +30,7 @@ import org.springframework.security.authorization.method.AuthorizationManagerBef * @deprecated Use {@link AuthorizationManagerBeforeMethodInterceptor#jsr250()} instead */ @Deprecated +@SuppressWarnings("serial") public class Jsr250SecurityConfig extends SecurityConfig { public static final Jsr250SecurityConfig PERMIT_ALL_ATTRIBUTE = new Jsr250SecurityConfig(PermitAll.class.getName()); diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java index 3dc86cc5a1..8642484a41 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java @@ -28,6 +28,7 @@ import org.springframework.security.access.prepost.PostInvocationAttribute; * instead */ @Deprecated +@SuppressWarnings("serial") class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute implements PostInvocationAttribute { diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java index 26af51a6f1..41ec280bc7 100644 --- a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java +++ b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java @@ -28,6 +28,7 @@ import org.springframework.security.access.prepost.PreInvocationAttribute; * instead */ @Deprecated +@SuppressWarnings("serial") class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute implements PreInvocationAttribute { diff --git a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java index 4bc3d19b5b..58174d9d1a 100644 --- a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java +++ b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java @@ -54,6 +54,7 @@ import org.springframework.util.CollectionUtils; * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly */ @Deprecated +@SuppressWarnings("serial") public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware { private transient MethodSecurityMetadataSource attributeSource; diff --git a/core/src/main/java/org/springframework/security/core/ComparableVersion.java b/core/src/main/java/org/springframework/security/core/ComparableVersion.java index f635e4933c..88708cecd4 100644 --- a/core/src/main/java/org/springframework/security/core/ComparableVersion.java +++ b/core/src/main/java/org/springframework/security/core/ComparableVersion.java @@ -405,6 +405,7 @@ class ComparableVersion implements Comparable { * Represents a version list item. This class is used both for the global item list * and for sub-lists (which start with '-(number)' in the version specification). */ + @SuppressWarnings("serial") private static class ListItem extends ArrayList implements Item { @Override diff --git a/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java b/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java index 0089ae455d..7a4b3d30fe 100644 --- a/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java +++ b/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java @@ -16,6 +16,8 @@ package org.springframework.security.core.context; +import java.io.Serial; + import org.springframework.security.core.Authentication; import org.springframework.security.core.Transient; @@ -30,6 +32,9 @@ import org.springframework.security.core.Transient; @Transient public class TransientSecurityContext extends SecurityContextImpl { + @Serial + private static final long serialVersionUID = -7925492364422193347L; + public TransientSecurityContext() { } diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java index 84eb48cdf9..629513cc8b 100755 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java @@ -16,6 +16,8 @@ package org.springframework.security.ldap.ppolicy; +import java.io.Serial; + import javax.naming.ldap.Control; /** @@ -37,6 +39,9 @@ public class PasswordPolicyControl implements Control { */ public static final String OID = "1.3.6.1.4.1.42.2.27.8.5.1"; + @Serial + private static final long serialVersionUID = 2843242715616817932L; + private final boolean critical; /** diff --git a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java index 2aa2b330e0..a6ac94590d 100755 --- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java +++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java @@ -19,6 +19,7 @@ package org.springframework.security.ldap.ppolicy; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; +import java.io.Serial; import netscape.ldap.ber.stream.BERChoice; import netscape.ldap.ber.stream.BERElement; @@ -53,6 +54,9 @@ public class PasswordPolicyResponseControl extends PasswordPolicyControl { private static final Log logger = LogFactory.getLog(PasswordPolicyResponseControl.class); + @Serial + private static final long serialVersionUID = -4592657167939234499L; + private final byte[] encodedValue; private PasswordPolicyErrorStatus errorStatus; diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java index 08165eb0cd..e74e7fcb11 100644 --- a/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java +++ b/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java @@ -16,6 +16,7 @@ package org.springframework.security.web.savedrequest; +import java.io.Serial; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; @@ -35,6 +36,9 @@ import org.springframework.util.Assert; */ public class SimpleSavedRequest implements SavedRequest { + @Serial + private static final long serialVersionUID = 807650604272166969L; + private String redirectUrl; private List cookies = new ArrayList<>();