Merge branch '6.4.x'

2025-06-23 12:32:13 +00:00 · 2025-01-23 17:03:53 -07:00 · 2025-01-23 17:03:53 -07:00 · e1a42db845
commit e1a42db845
parent 177ce59a4b e1e5970a24
16 changed files with 58 additions and 0 deletions
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@ -39,11 +39,13 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import jakarta.servlet.http.Cookie;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apereo.cas.client.validation.AssertionImpl;
 import org.instancio.Instancio;
@ -58,9 +60,11 @@ import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AssignableTypeFilter;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.access.intercept.RunAsUserToken;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AccountExpiredException;
@ -104,13 +108,16 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.context.TransientSecurityContext;
 import org.springframework.security.core.session.AbstractSessionEvent;
 import org.springframework.security.core.session.ReactiveSessionInformation;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyControl;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyErrorStatus;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyException;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl;
 import org.springframework.security.ldap.userdetails.LdapAuthority;
 import org.springframework.security.oauth2.client.ClientAuthorizationException;
 import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
@ -179,6 +186,7 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2R
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2PostAuthenticationRequests;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2RedirectAuthenticationRequests;
 import org.springframework.security.web.PortResolverImpl;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException;
@ -194,6 +202,8 @@ import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.InvalidCsrfTokenException;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.savedrequest.DefaultSavedRequest;
 import org.springframework.security.web.savedrequest.SimpleSavedRequest;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.webauthn.api.Bytes;
@ -442,6 +452,8 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(JaasAuthenticationSuccessEvent.class,
 				(r) -> new JaasAuthenticationSuccessEvent(authentication));
 		generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
 		generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value"));
 		generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication));
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
@ -466,6 +478,11 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new LdapAuthority("USER", "username", Map.of("attribute", List.of("value1", "value2"))));
 		generatorByClassName.put(PasswordPolicyException.class,
 				(r) -> new PasswordPolicyException(PasswordPolicyErrorStatus.INSUFFICIENT_PASSWORD_QUALITY));
 		generatorByClassName.put(PasswordPolicyControl.class, (r) -> new PasswordPolicyControl(true));
 		generatorByClassName.put(PasswordPolicyResponseControl.class, (r) -> {
 			byte[] encodedResponse = { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0xA0, 0x1, 0x21 };
 			return new PasswordPolicyResponseControl(encodedResponse);
 		});
 		// saml2-service-provider
 		generatorByClassName.put(Saml2AuthenticationException.class,
@ -521,6 +538,20 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
 		generatorByClassName.put(HttpSessionCreatedEvent.class,
 				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
 		generatorByClassName.put(SimpleSavedRequest.class, (r) -> {
 			MockHttpServletRequest request = new MockHttpServletRequest("GET", "/uri");
 			request.setQueryString("query=string");
 			request.setScheme("https");
 			request.setServerName("localhost");
 			request.setServerPort(80);
 			request.setRequestURI("/uri");
 			request.setCookies(new Cookie("name", "value"));
 			request.addHeader("header", "value");
 			request.addParameter("parameter", "value");
 			request.setPathInfo("/path");
 			request.addPreferredLocale(Locale.ENGLISH);
 			return new SimpleSavedRequest(new DefaultSavedRequest(request, new PortResolverImpl(), "continue"));
 		});
 		// webauthn
 		generatorByClassName.put(Bytes.class, (r) -> TestBytes.get());
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.SecurityConfig.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.core.context.TransientSecurityContext.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyControl.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.savedrequest.SimpleSavedRequest.serialized
--- a/core/src/main/java/org/springframework/security/access/SecurityConfig.java
+++ b/core/src/main/java/org/springframework/security/access/SecurityConfig.java
@ -16,6 +16,7 @@
 package org.springframework.security.access;
 import java.io.Serial;
 import java.util.ArrayList;
 import java.util.List;
@ -29,6 +30,9 @@ import org.springframework.util.StringUtils;
 */
 public class SecurityConfig implements ConfigAttribute {
 	@Serial
 	private static final long serialVersionUID = -7138084564199804304L;
 	private final String attrib;
 	public SecurityConfig(String config) {
--- a/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java
+++ b/core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java
@ -30,6 +30,7 @@ import org.springframework.security.authorization.method.AuthorizationManagerBef
 * @deprecated Use {@link AuthorizationManagerBeforeMethodInterceptor#jsr250()} instead
 */
@Deprecated
@SuppressWarnings("serial")
 public class Jsr250SecurityConfig extends SecurityConfig {
 	public static final Jsr250SecurityConfig PERMIT_ALL_ATTRIBUTE = new Jsr250SecurityConfig(PermitAll.class.getName());
--- a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java
@ -28,6 +28,7 @@ import org.springframework.security.access.prepost.PostInvocationAttribute;
 * instead
 */
@Deprecated
@SuppressWarnings("serial")
 class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
 		implements PostInvocationAttribute {
--- a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java
@ -28,6 +28,7 @@ import org.springframework.security.access.prepost.PreInvocationAttribute;
 * instead
 */
@Deprecated
@SuppressWarnings("serial")
 class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
 		implements PreInvocationAttribute {
--- a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java
@ -54,6 +54,7 @@ import org.springframework.util.CollectionUtils;
 * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
 */
@Deprecated
@SuppressWarnings("serial")
 public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware {
 	private transient MethodSecurityMetadataSource attributeSource;
--- a/core/src/main/java/org/springframework/security/core/ComparableVersion.java
+++ b/core/src/main/java/org/springframework/security/core/ComparableVersion.java
@ -405,6 +405,7 @@ class ComparableVersion implements Comparable<ComparableVersion> {
 	 * Represents a version list item. This class is used both for the global item list
 	 * and for sub-lists (which start with '-(number)' in the version specification).
 	 */
 	@SuppressWarnings("serial")
 	private static class ListItem extends ArrayList<Item> implements Item {
 		@Override
--- a/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java
+++ b/core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java
@ -16,6 +16,8 @@
 package org.springframework.security.core.context;
 import java.io.Serial;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.Transient;
@ -30,6 +32,9 @@ import org.springframework.security.core.Transient;
@Transient
 public class TransientSecurityContext extends SecurityContextImpl {
 	@Serial
 	private static final long serialVersionUID = -7925492364422193347L;
 	public TransientSecurityContext() {
 	}
--- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java
@ -16,6 +16,8 @@
 package org.springframework.security.ldap.ppolicy;
 import java.io.Serial;
 import javax.naming.ldap.Control;
 /**
@ -37,6 +39,9 @@ public class PasswordPolicyControl implements Control {
 	 */
 	public static final String OID = "1.3.6.1.4.1.42.2.27.8.5.1";
 	@Serial
 	private static final long serialVersionUID = 2843242715616817932L;
 	private final boolean critical;
 	/**
--- a/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java
@ -19,6 +19,7 @@ package org.springframework.security.ldap.ppolicy;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Serial;
 import netscape.ldap.ber.stream.BERChoice;
 import netscape.ldap.ber.stream.BERElement;
@ -53,6 +54,9 @@ public class PasswordPolicyResponseControl extends PasswordPolicyControl {
 	private static final Log logger = LogFactory.getLog(PasswordPolicyResponseControl.class);
 	@Serial
 	private static final long serialVersionUID = -4592657167939234499L;
 	private final byte[] encodedValue;
 	private PasswordPolicyErrorStatus errorStatus;
--- a/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java
@ -16,6 +16,7 @@
 package org.springframework.security.web.savedrequest;
 import java.io.Serial;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@ -35,6 +36,9 @@ import org.springframework.util.Assert;
 */
 public class SimpleSavedRequest implements SavedRequest {
 	@Serial
 	private static final long serialVersionUID = 807650604272166969L;
 	private String redirectUrl;
 	private List<Cookie> cookies = new ArrayList<>();