Merge branch '6.4.x'

2025-06-22 20:12:14 +00:00 · 2025-02-14 13:08:17 -07:00 · 2025-02-14 13:08:17 -07:00 · e42865b926
commit e42865b926
parent f9e04594a7 946812691e
20 changed files with 155 additions and 18 deletions
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@ -50,6 +50,7 @@ import org.apache.commons.lang3.ObjectUtils;
 import org.apereo.cas.client.validation.AssertionImpl;
 import org.instancio.Instancio;
 import org.instancio.InstancioApi;
 import org.instancio.InstancioOfClassApi;
 import org.instancio.Select;
 import org.instancio.generator.Generator;
 import org.junit.jupiter.api.Disabled;
@ -59,6 +60,7 @@ import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.ResolvableType;
 import org.springframework.core.type.filter.AssignableTypeFilter;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
@ -217,21 +219,31 @@ import org.springframework.security.web.savedrequest.SimpleSavedRequest;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
 import org.springframework.security.web.webauthn.api.Bytes;
 import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
 import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses;
 import org.springframework.security.web.webauthn.api.TestBytes;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredential;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken;
 import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
 import org.springframework.util.ReflectionUtils;
 import static org.assertj.core.api.Assertions.assertThat;
@ -621,6 +633,27 @@ class SpringSecurityCoreVersionSerializableTests {
 				.allowCredentials(List.of(descriptor))
 				.build()
 		);
 		CredentialPropertiesOutput credentialOutput = new CredentialPropertiesOutput(false);
 		AuthenticationExtensionsClientOutputs outputs = new ImmutableAuthenticationExtensionsClientOutputs(credentialOutput);
 		AuthenticatorAssertionResponse response = TestAuthenticationAssertionResponses.createAuthenticatorAssertionResponse()
 				.build();
 		PublicKeyCredential<AuthenticatorAssertionResponse> credential = TestPublicKeyCredential.createPublicKeyCredential(
 				response, outputs)
 				.build();
 		RelyingPartyAuthenticationRequest authRequest = new RelyingPartyAuthenticationRequest(
 				TestPublicKeyCredentialRequestOptions.create().build(),
 				credential
 		);
 		WebAuthnAuthenticationRequestToken requestToken = new WebAuthnAuthenticationRequestToken(authRequest);
 		requestToken.setDetails(details);
 		generatorByClassName.put(CredentialPropertiesOutput.class, (o) -> credentialOutput);
 		generatorByClassName.put(ImmutableAuthenticationExtensionsClientOutputs.class, (o) -> outputs);
 		generatorByClassName.put(AuthenticatorAssertionResponse.class, (r) -> response);
 		generatorByClassName.put(RelyingPartyAuthenticationRequest.class, (r) -> authRequest);
 		generatorByClassName.put(PublicKeyCredential.class, (r) -> credential);
 		generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken);
 		generatorByClassName.put(AuthenticatorAttachment.class, (r) -> AuthenticatorAttachment.PLATFORM);
 		// @formatter:on
 		generatorByClassName.put(ImmutablePublicKeyCredentialUserEntity.class,
 				(r) -> TestPublicKeyCredentialUserEntity.userEntity().id(TestBytes.get()).build());
@ -784,7 +817,11 @@ class SpringSecurityCoreVersionSerializableTests {
 	}
 	private static InstancioApi<?> instancioWithDefaults(Class<?> clazz) {
-		InstancioApi<?> instancio = Instancio.of(clazz);
+		InstancioOfClassApi<?> instancio = Instancio.of(clazz);
 		ResolvableType[] generics = ResolvableType.forClass(clazz).getGenerics();
 		for (ResolvableType type : generics) {
 			instancio.withTypeParameters(type.resolve());
 		}
 		if (generatorByClassName.containsKey(clazz)) {
 			instancio.supply(Select.all(clazz), generatorByClassName.get(clazz));
 		}
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serializable;
 /**
 * A <a href="https://www.w3.org/TR/webauthn-3/#client-extension-output">client extension
 * output</a> entry in {@link AuthenticationExtensionsClientOutputs}.
@ -24,7 +26,7 @@ package org.springframework.security.web.webauthn.api;
 * @see AuthenticationExtensionsClientOutputs#getOutputs()
 * @see CredentialPropertiesOutput
 */
-public interface AuthenticationExtensionsClientOutput<T> {
+public interface AuthenticationExtensionsClientOutput<T> extends Serializable {
 	/**
 	 * Gets the <a href="https://www.w3.org/TR/webauthn-3/#extension-identifier">extension
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,7 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serializable;
 import java.util.List;
 /**
@ -31,7 +32,7 @@ import java.util.List;
 * @since 6.4
 * @see PublicKeyCredential#getClientExtensionResults()
 */
-public interface AuthenticationExtensionsClientOutputs {
+public interface AuthenticationExtensionsClientOutputs extends Serializable {
 	/**
 	 * Gets all of the {@link AuthenticationExtensionsClientOutput}.
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serial;
 /**
 * The <a href=
 * "https://www.w3.org/TR/webauthn-3/#authenticatorassertionresponse">AuthenticatorAssertionResponse</a>
@ -38,6 +40,9 @@ package org.springframework.security.web.webauthn.api;
 */
 public final class AuthenticatorAssertionResponse extends AuthenticatorResponse {
 	@Serial
 	private static final long serialVersionUID = 324976481675434298L;
 	private final Bytes authenticatorData;
 	private final Bytes signature;
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java
@ -16,6 +16,10 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.ObjectStreamException;
 import java.io.Serial;
 import java.io.Serializable;
 /**
 * The <a href=
 * "https://www.w3.org/TR/webauthn-3/#enumdef-authenticatorattachment">AuthenticatorAttachment</a>.
@ -23,7 +27,10 @@ package org.springframework.security.web.webauthn.api;
 * @author Rob Winch
 * @since 6.4
 */
-public final class AuthenticatorAttachment {
+public final class AuthenticatorAttachment implements Serializable {
 	@Serial
 	private static final long serialVersionUID = 8446133215195918090L;
 	/**
 	 * Indicates <a href=
@ -85,4 +92,9 @@ public final class AuthenticatorAttachment {
 		return new AuthenticatorAttachment[] { CROSS_PLATFORM, PLATFORM };
 	}
 	@Serial
 	private Object readResolve() throws ObjectStreamException {
 		return valueOf(this.value);
 	}
 }
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorResponse.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorResponse.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serializable;
 /**
 * The <a href=
 * "https://www.w3.org/TR/webauthn-3/#iface-authenticatorresponse">AuthenticatorResponse</a>
@ -26,7 +28,7 @@ package org.springframework.security.web.webauthn.api;
 * @author Rob Winch
 * @since 6.4
 */
-public abstract class AuthenticatorResponse {
+public abstract class AuthenticatorResponse implements Serializable {
 	private final Bytes clientDataJSON;
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,9 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serial;
 import java.io.Serializable;
 /**
 * <a href=
 * "https://www.w3.org/TR/webauthn-3/#dictdef-credentialpropertiesoutput">CredentialPropertiesOutput</a>
@ -27,6 +30,9 @@ package org.springframework.security.web.webauthn.api;
 public class CredentialPropertiesOutput
 		implements AuthenticationExtensionsClientOutput<CredentialPropertiesOutput.ExtensionOutput> {
 	@Serial
 	private static final long serialVersionUID = -3201699313968303331L;
 	/**
 	 * The extension id.
 	 */
@ -59,7 +65,10 @@ public class CredentialPropertiesOutput
 	 * @since 6.4
 	 * @see #getOutput()
 	 */
-	public static final class ExtensionOutput {
+	public static final class ExtensionOutput implements Serializable {
 		@Serial
 		private static final long serialVersionUID = 4557406414847424019L;
 		private final boolean rk;
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,7 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serial;
 import java.util.Arrays;
 import java.util.List;
@ -26,6 +27,9 @@ import java.util.List;
 */
 public class ImmutableAuthenticationExtensionsClientOutputs implements AuthenticationExtensionsClientOutputs {
 	@Serial
 	private static final long serialVersionUID = -4656390173585180393L;
 	private final List<AuthenticationExtensionsClientOutput<?>> outputs;
 	public ImmutableAuthenticationExtensionsClientOutputs(List<AuthenticationExtensionsClientOutput<?>> outputs) {
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,9 @@
 package org.springframework.security.web.webauthn.api;
 import java.io.Serial;
 import java.io.Serializable;
 /**
 * <a href="https://www.w3.org/TR/webauthn-3/#iface-pkcredential">PublicKeyCredential</a>
 * contains the attributes that are returned to the caller when a new credential is
@ -24,7 +27,10 @@ package org.springframework.security.web.webauthn.api;
 * @author Rob Winch
 * @since 6.4
 */
-public final class PublicKeyCredential<R extends AuthenticatorResponse> {
+public final class PublicKeyCredential<R extends AuthenticatorResponse> implements Serializable {
 	@Serial
 	private static final long serialVersionUID = -1864035469276082606L;
 	private final String id;
--- a/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationRequestToken.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationRequestToken.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
 package org.springframework.security.web.webauthn.authentication;
 import java.io.Serial;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
@ -30,6 +32,9 @@ import org.springframework.util.Assert;
 */
 public class WebAuthnAuthenticationRequestToken extends AbstractAuthenticationToken {
 	@Serial
 	private static final long serialVersionUID = -1682693433877522403L;
 	private final RelyingPartyAuthenticationRequest webAuthnRequest;
 	/**
--- a/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,9 @@
 package org.springframework.security.web.webauthn.management;
 import java.io.Serial;
 import java.io.Serializable;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
@ -29,7 +32,10 @@ import org.springframework.util.Assert;
 * @since 6.4
 * @see WebAuthnRelyingPartyOperations#authenticate(RelyingPartyAuthenticationRequest)
 */
-public class RelyingPartyAuthenticationRequest {
+public class RelyingPartyAuthenticationRequest implements Serializable {
 	@Serial
 	private static final long serialVersionUID = -928083091875202086L;
 	private final PublicKeyCredentialRequestOptions requestOptions;
--- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java
@ -0,0 +1,37 @@
 /*
 * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.web.webauthn.api;
 /**
 * @author Max Batischev
 */
 public final class TestAuthenticationAssertionResponses {
 	public static AuthenticatorAssertionResponse.AuthenticatorAssertionResponseBuilder createAuthenticatorAssertionResponse() {
 		return AuthenticatorAssertionResponse.builder()
 			.authenticatorData(Bytes.fromBase64("SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA"))
 			.clientDataJSON(Bytes.fromBase64(
 					"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaDB2Z3dHUWpvQ3pBekRVc216UHBrLUpWSUpSUmduMEw0S1ZTWU5SY0VaYyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"))
 			.signature(Bytes.fromBase64(
 					"MEUCIAdfzPAn3voyXynwa0IXk1S0envMY5KP3NEe9aj4B2BuAiEAm_KJhQoWXdvfhbzwACU3NM4ltQe7_Il46qFUwtpuTdg"))
 			.userHandle(Bytes.fromBase64("oWJtkJ6vJ_m5b84LB4_K7QKTCTEwLIjCh4tFMCGHO4w"));
 	}
 	private TestAuthenticationAssertionResponses() {
 	}
 }
--- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -38,6 +38,17 @@ public final class TestPublicKeyCredential {
 			.clientExtensionResults(clientExtensionResults);
 	}
 	public static <R extends AuthenticatorResponse> PublicKeyCredential.PublicKeyCredentialBuilder<R> createPublicKeyCredential(
 			R response, AuthenticationExtensionsClientOutputs outputs) {
 		return PublicKeyCredential.builder()
 			.id("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM")
 			.rawId(Bytes
 				.fromBase64("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM"))
 			.response(response)
 			.type(PublicKeyCredentialType.PUBLIC_KEY)
 			.clientExtensionResults(outputs);
 	}
 	private TestPublicKeyCredential() {
 	}