
Support Serialization in Exceptions

Issue gh-16276
Josh Cummings преди 7 месеца
родител
ревизия
244fd2eb51
променени са 66 файла, в които са добавени 249 реда и са изтрити 2 реда
  1. 91 2
      config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
  2. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AccessDeniedException.serialized
  3. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AuthorizationServiceException.serialized
  4. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AccountExpiredException.serialized
  5. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.serialized
  6. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationServiceException.serialized
  7. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.BadCredentialsException.serialized
  8. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.CredentialsExpiredException.serialized
  9. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.DisabledException.serialized
  10. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InsufficientAuthenticationException.serialized
  11. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InternalAuthenticationServiceException.serialized
  12. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.LockedException.serialized
  13. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ProviderNotFoundException.serialized
  14. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ott.InvalidOneTimeTokenException.serialized
  15. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.password.CompromisedPasswordException.serialized
  16. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.core.userdetails.UsernameNotFoundException.serialized
  17. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyException.serialized
  18. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationException.serialized
  19. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationRequiredException.serialized
  20. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthenticationException.serialized
  21. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthorizationException.serialized
  22. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.BadJwtException.serialized
  23. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtDecoderInitializationException.serialized
  24. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtEncodingException.serialized
  25. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtException.serialized
  26. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtValidationException.serialized
  27. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.InvalidBearerTokenException.serialized
  28. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException.serialized
  29. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException.serialized
  30. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.firewall.RequestRejectedException.serialized
  31. BIN
      config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.firewall.ServerExchangeRejectedException.serialized
  32. 5 0
      core/src/main/java/org/springframework/security/access/AccessDeniedException.java
  33. 5 0
      core/src/main/java/org/springframework/security/access/AuthorizationServiceException.java
  34. 5 0
      core/src/main/java/org/springframework/security/authentication/AccountExpiredException.java
  35. 5 0
      core/src/main/java/org/springframework/security/authentication/AuthenticationCredentialsNotFoundException.java
  36. 5 0
      core/src/main/java/org/springframework/security/authentication/AuthenticationServiceException.java
  37. 5 0
      core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java
  38. 5 0
      core/src/main/java/org/springframework/security/authentication/CredentialsExpiredException.java
  39. 5 0
      core/src/main/java/org/springframework/security/authentication/DisabledException.java
  40. 5 0
      core/src/main/java/org/springframework/security/authentication/InsufficientAuthenticationException.java
  41. 5 0
      core/src/main/java/org/springframework/security/authentication/InternalAuthenticationServiceException.java
  42. 5 0
      core/src/main/java/org/springframework/security/authentication/LockedException.java
  43. 5 0
      core/src/main/java/org/springframework/security/authentication/ProviderNotFoundException.java
  44. 5 0
      core/src/main/java/org/springframework/security/authentication/ott/InvalidOneTimeTokenException.java
  45. 5 0
      core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordException.java
  46. 5 0
      core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java
  47. 5 0
      core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java
  48. 1 0
      crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java
  49. 1 0
      ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java
  50. 5 0
      ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyException.java
  51. 5 0
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationException.java
  52. 5 0
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationRequiredException.java
  53. 1 0
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java
  54. 5 0
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthenticationException.java
  55. 5 0
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthorizationException.java
  56. 5 0
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java
  57. 5 0
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderInitializationException.java
  58. 5 0
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtEncodingException.java
  59. 5 0
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtException.java
  60. 4 0
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java
  61. 5 0
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/InvalidBearerTokenException.java
  62. 5 0
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java
  63. 5 0
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2IntrospectionException.java
  64. 5 0
      web/src/main/java/org/springframework/security/web/firewall/RequestRejectedException.java
  65. 1 0
      web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java
  66. 5 0
      web/src/main/java/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java

+ 91 - 2
config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -54,15 +54,29 @@ import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AssignableTypeFilter;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.intercept.RunAsUserToken;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.AccountExpiredException;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.CredentialsExpiredException;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.authentication.InternalAuthenticationServiceException;
+import org.springframework.security.authentication.LockedException;
+import org.springframework.security.authentication.ProviderNotFoundException;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
+import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
+import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
@@ -72,7 +86,12 @@ import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.session.ReactiveSessionInformation;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.ppolicy.PasswordPolicyErrorStatus;
+import org.springframework.security.ldap.ppolicy.PasswordPolicyException;
 import org.springframework.security.ldap.userdetails.LdapAuthority;
+import org.springframework.security.oauth2.client.ClientAuthorizationException;
+import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
@@ -88,7 +107,10 @@ import org.springframework.security.oauth2.client.registration.TestClientRegistr
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
 import org.springframework.security.oauth2.core.OAuth2DeviceCode;
+import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.OAuth2UserCode;
 import org.springframework.security.oauth2.core.TestOAuth2AccessTokens;
@@ -108,14 +130,22 @@ import org.springframework.security.oauth2.core.oidc.user.TestOidcUsers;
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
 import org.springframework.security.oauth2.core.user.TestOAuth2Users;
+import org.springframework.security.oauth2.jwt.BadJwtException;
 import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoderInitializationException;
+import org.springframework.security.oauth2.jwt.JwtEncodingException;
+import org.springframework.security.oauth2.jwt.JwtException;
+import org.springframework.security.oauth2.jwt.JwtValidationException;
 import org.springframework.security.oauth2.jwt.TestJwts;
 import org.springframework.security.oauth2.server.resource.BearerTokenError;
 import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
+import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
+import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
@@ -138,6 +168,8 @@ import org.springframework.security.web.csrf.CsrfException;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.InvalidCsrfTokenException;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
+import org.springframework.security.web.firewall.RequestRejectedException;
+import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@@ -193,6 +225,12 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(OidcUserAuthority.class,
 				(r) -> new OidcUserAuthority(TestOidcIdTokens.idToken().build(),
 						new OidcUserInfo(Map.of("claim", "value")), "claim"));
+		generatorByClassName.put(OAuth2AuthenticationException.class,
+				(r) -> new OAuth2AuthenticationException(new OAuth2Error("error", "description", "uri"), "message",
+						new RuntimeException()));
+		generatorByClassName.put(OAuth2AuthorizationException.class,
+				(r) -> new OAuth2AuthorizationException(new OAuth2Error("error", "description", "uri"), "message",
+						new RuntimeException()));
 
 		// oauth2-client
 		ClientRegistration.Builder clientRegistrationBuilder = TestClientRegistrations.clientRegistration();
@@ -231,6 +269,21 @@ class SpringSecurityCoreVersionSerializableTests {
 			return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(),
 					(Collection<GrantedAuthority>) principal.getAuthorities());
 		});
+		generatorByClassName.put(ClientAuthorizationException.class,
+				(r) -> new ClientAuthorizationException(new OAuth2Error("error", "description", "uri"), "id", "message",
+						new RuntimeException()));
+		generatorByClassName.put(ClientAuthorizationRequiredException.class,
+				(r) -> new ClientAuthorizationRequiredException("id"));
+
+		// oauth2-jose
+		generatorByClassName.put(BadJwtException.class, (r) -> new BadJwtException("token", new RuntimeException()));
+		generatorByClassName.put(JwtDecoderInitializationException.class,
+				(r) -> new JwtDecoderInitializationException("message", new RuntimeException()));
+		generatorByClassName.put(JwtEncodingException.class,
+				(r) -> new JwtEncodingException("message", new RuntimeException()));
+		generatorByClassName.put(JwtException.class, (r) -> new JwtException("message", new RuntimeException()));
+		generatorByClassName.put(JwtValidationException.class,
+				(r) -> new JwtValidationException("message", List.of(new OAuth2Error("error", "description", "uri"))));
 
 		// oauth2-jwt
 		generatorByClassName.put(Jwt.class, (r) -> TestJwts.user());
@@ -262,6 +315,12 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(BearerTokenError.class, (r) -> BearerTokenErrors.invalidToken("invalid token"));
 		generatorByClassName.put(OAuth2IntrospectionAuthenticatedPrincipal.class,
 				(r) -> TestOAuth2AuthenticatedPrincipals.active());
+		generatorByClassName.put(InvalidBearerTokenException.class,
+				(r) -> new InvalidBearerTokenException("description", new RuntimeException()));
+		generatorByClassName.put(BadOpaqueTokenException.class,
+				(r) -> new BadOpaqueTokenException("message", new RuntimeException()));
+		generatorByClassName.put(OAuth2IntrospectionException.class,
+				(r) -> new OAuth2IntrospectionException("message", new RuntimeException()));
 
 		// core
 		generatorByClassName.put(RunAsUserToken.class, (r) -> {
@@ -287,7 +346,33 @@ class SpringSecurityCoreVersionSerializableTests {
 		});
 		generatorByClassName.put(OneTimeTokenAuthenticationToken.class,
 				(r) -> applyDetails(new OneTimeTokenAuthenticationToken("username", "token")));
-
+		generatorByClassName.put(AccessDeniedException.class,
+				(r) -> new AccessDeniedException("access denied", new RuntimeException()));
+		generatorByClassName.put(AuthorizationServiceException.class,
+				(r) -> new AuthorizationServiceException("access denied", new RuntimeException()));
+		generatorByClassName.put(AccountExpiredException.class,
+				(r) -> new AccountExpiredException("error", new RuntimeException()));
+		generatorByClassName.put(AuthenticationCredentialsNotFoundException.class,
+				(r) -> new AuthenticationCredentialsNotFoundException("error", new RuntimeException()));
+		generatorByClassName.put(AuthenticationServiceException.class,
+				(r) -> new AuthenticationServiceException("error", new RuntimeException()));
+		generatorByClassName.put(BadCredentialsException.class,
+				(r) -> new BadCredentialsException("error", new RuntimeException()));
+		generatorByClassName.put(CredentialsExpiredException.class,
+				(r) -> new CredentialsExpiredException("error", new RuntimeException()));
+		generatorByClassName.put(DisabledException.class,
+				(r) -> new DisabledException("error", new RuntimeException()));
+		generatorByClassName.put(InsufficientAuthenticationException.class,
+				(r) -> new InsufficientAuthenticationException("error", new RuntimeException()));
+		generatorByClassName.put(InternalAuthenticationServiceException.class,
+				(r) -> new InternalAuthenticationServiceException("error", new RuntimeException()));
+		generatorByClassName.put(LockedException.class, (r) -> new LockedException("error", new RuntimeException()));
+		generatorByClassName.put(ProviderNotFoundException.class, (r) -> new ProviderNotFoundException("error"));
+		generatorByClassName.put(InvalidOneTimeTokenException.class, (r) -> new InvalidOneTimeTokenException("error"));
+		generatorByClassName.put(CompromisedPasswordException.class,
+				(r) -> new CompromisedPasswordException("error", new RuntimeException()));
+		generatorByClassName.put(UsernameNotFoundException.class,
+				(r) -> new UsernameNotFoundException("error", new RuntimeException()));
 		generatorByClassName.put(TestingAuthenticationToken.class,
 				(r) -> applyDetails(new TestingAuthenticationToken("username", "password")));
 
@@ -312,6 +397,8 @@ class SpringSecurityCoreVersionSerializableTests {
 		// ldap
 		generatorByClassName.put(LdapAuthority.class,
 				(r) -> new LdapAuthority("USER", "username", Map.of("attribute", List.of("value1", "value2"))));
+		generatorByClassName.put(PasswordPolicyException.class,
+				(r) -> new PasswordPolicyException(PasswordPolicyErrorStatus.INSUFFICIENT_PASSWORD_QUALITY));
 
 		// saml2-service-provider
 		generatorByClassName.put(Saml2AuthenticationException.class,
@@ -358,7 +445,9 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(org.springframework.security.web.server.csrf.DefaultCsrfToken.class,
 				(r) -> new org.springframework.security.web.server.csrf.DefaultCsrfToken("header", "parameter",
 						"token"));
-
+		generatorByClassName.put(RequestRejectedException.class, (r) -> new RequestRejectedException("message"));
+		generatorByClassName.put(ServerExchangeRejectedException.class,
+				(r) -> new ServerExchangeRejectedException("message"));
 	}
 
 	@ParameterizedTest
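Review bot: In the core block added by the `@@ -287,7 +346,33 @@` hunk there is no generator for `AuthorizationDeniedException`, although the file list shows that class changed in this commit (5 additions) and no `serialized/6.4.x` fixture for it appears among the binary files. If it receives the same pinned `serialVersionUID` as the other exceptions, that value is not exercised by this test as far as the page shows. Either add an entry alongside `AccessDeniedException` with a matching fixture, or leave a comment such as `// AuthorizationDeniedException: not covered here because ...` stating the reason. The initializer that fills `generatorByClassName` starts outside these hunks, so an existing exclusion elsewhere cannot be ruled out.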

BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AccessDeniedException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.access.AuthorizationServiceException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AccountExpiredException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.AuthenticationServiceException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.BadCredentialsException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.CredentialsExpiredException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.DisabledException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InsufficientAuthenticationException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.InternalAuthenticationServiceException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.LockedException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ProviderNotFoundException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.ott.InvalidOneTimeTokenException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.password.CompromisedPasswordException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.core.userdetails.UsernameNotFoundException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.ldap.ppolicy.PasswordPolicyException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.client.ClientAuthorizationRequiredException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthenticationException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.core.OAuth2AuthorizationException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.BadJwtException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtDecoderInitializationException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtEncodingException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.jwt.JwtValidationException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.InvalidBearerTokenException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.firewall.RequestRejectedException.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.web.server.firewall.ServerExchangeRejectedException.serialized


+ 5 - 0
core/src/main/java/org/springframework/security/access/AccessDeniedException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.access;
 
+import java.io.Serial;
+
 /**
  * Thrown if an {@link org.springframework.security.core.Authentication Authentication}
  * object does not hold a required authority.
@@ -24,6 +26,9 @@ package org.springframework.security.access;
  */
 public class AccessDeniedException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = 6395817500121599533L;
+
 	/**
 	 * Constructs an <code>AccessDeniedException</code> with the specified message.
 	 * @param msg the detail message
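Review bot: The new `serialVersionUID` replaces the JVM-computed default that earlier releases used, and nothing in the hunk shows that `6395817500121599533L` equals that default. If it differs, instances serialized before the upgrade (for example exceptions held in a persisted or replicated HTTP session) would fail to deserialize with `InvalidClassException`. Please confirm the value was taken from `serialver` on the previous release and record it with a comment such as `// equals the implicit UID of earlier releases`; the same check applies to the other exception classes in this commit that gain a pinned UID. The class body continues past the end of the hunk.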

+ 5 - 0
core/src/main/java/org/springframework/security/access/AuthorizationServiceException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.access;
 
+import java.io.Serial;
+
 /**
  * Thrown if an authorization request could not be processed due to a system problem.
  * <p>
@@ -26,6 +28,9 @@ package org.springframework.security.access;
  */
 public class AuthorizationServiceException extends AccessDeniedException {
 
+	@Serial
+	private static final long serialVersionUID = 4817857292041606900L;
+
 	/**
 	 * Constructs an <code>AuthorizationServiceException</code> with the specified
 	 * message.

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/AccountExpiredException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 /**
  * Thrown if an authentication request is rejected because the account has expired. Makes
  * no assertion as to whether or not the credentials were valid.
@@ -24,6 +26,9 @@ package org.springframework.security.authentication;
  */
 public class AccountExpiredException extends AccountStatusException {
 
+	@Serial
+	private static final long serialVersionUID = 3732869526329993353L;
+
 	/**
 	 * Constructs a <code>AccountExpiredException</code> with the specified message.
 	 * @param msg the detail message

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/AuthenticationCredentialsNotFoundException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -28,6 +30,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class AuthenticationCredentialsNotFoundException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = 4153580041526791384L;
+
 	/**
 	 * Constructs an <code>AuthenticationCredentialsNotFoundException</code> with the
 	 * specified message.

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/AuthenticationServiceException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -29,6 +31,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class AuthenticationServiceException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = -1591626195291329340L;
+
 	/**
 	 * Constructs an <code>AuthenticationServiceException</code> with the specified
 	 * message.

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -26,6 +28,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class BadCredentialsException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = 2742216069043066973L;
+
 	/**
 	 * Constructs a <code>BadCredentialsException</code> with the specified message.
 	 * @param msg the detail message

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/CredentialsExpiredException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 /**
  * Thrown if an authentication request is rejected because the account's credentials have
  * expired. Makes no assertion as to whether or not the credentials were valid.
@@ -24,6 +26,9 @@ package org.springframework.security.authentication;
  */
 public class CredentialsExpiredException extends AccountStatusException {
 
+	@Serial
+	private static final long serialVersionUID = -3306615738048904753L;
+
 	/**
 	 * Constructs a <code>CredentialsExpiredException</code> with the specified message.
 	 * @param msg the detail message

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/DisabledException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 /**
  * Thrown if an authentication request is rejected because the account is disabled. Makes
  * no assertion as to whether or not the credentials were valid.
@@ -24,6 +26,9 @@ package org.springframework.security.authentication;
  */
 public class DisabledException extends AccountStatusException {
 
+	@Serial
+	private static final long serialVersionUID = 2295984593872502361L;
+
 	/**
 	 * Constructs a <code>DisabledException</code> with the specified message.
 	 * @param msg the detail message

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/InsufficientAuthenticationException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -33,6 +35,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class InsufficientAuthenticationException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = -5514084346181236128L;
+
 	/**
 	 * Constructs an <code>InsufficientAuthenticationException</code> with the specified
 	 * message.

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/InternalAuthenticationServiceException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 /**
  * <p>
  * Thrown if an authentication request could not be processed due to a system problem that
@@ -37,6 +39,9 @@ package org.springframework.security.authentication;
  */
 public class InternalAuthenticationServiceException extends AuthenticationServiceException {
 
+	@Serial
+	private static final long serialVersionUID = -6029644854192497840L;
+
 	public InternalAuthenticationServiceException(String message, Throwable cause) {
 		super(message, cause);
 	}

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/LockedException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 /**
  * Thrown if an authentication request is rejected because the account is locked. Makes no
  * assertion as to whether or not the credentials were valid.
@@ -24,6 +26,9 @@ package org.springframework.security.authentication;
  */
 public class LockedException extends AccountStatusException {
 
+	@Serial
+	private static final long serialVersionUID = 548864198455046567L;
+
 	/**
 	 * Constructs a <code>LockedException</code> with the specified message.
 	 * @param msg the detail message.

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/ProviderNotFoundException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -27,6 +29,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class ProviderNotFoundException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = 8107665253214447614L;
+
 	/**
 	 * Constructs a <code>ProviderNotFoundException</code> with the specified message.
 	 * @param msg the detail message

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/ott/InvalidOneTimeTokenException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.ott;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -26,6 +28,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class InvalidOneTimeTokenException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = -3651018515682919943L;
+
 	public InvalidOneTimeTokenException(String msg) {
 		super(msg);
 	}

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.password;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -26,6 +28,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class CompromisedPasswordException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = -885858958297842864L;
+
 	public CompromisedPasswordException(String message) {
 		super(message);
 	}

+ 5 - 0
core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authorization;
 
+import java.io.Serial;
+
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.util.Assert;
 
@@ -27,6 +29,9 @@ import org.springframework.util.Assert;
  */
 public class AuthorizationDeniedException extends AccessDeniedException implements AuthorizationResult {
 
+	@Serial
+	private static final long serialVersionUID = 3227305845919610459L;
+
 	private final AuthorizationResult result;
 
 	public AuthorizationDeniedException(String msg, AuthorizationResult authorizationResult) {
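Review bot: `AuthorizationDeniedException` keeps a non-transient `private final AuthorizationResult result;`, so the new `serialVersionUID` only gives a working serialized form if every implementation passed to the constructor is itself `Serializable`. If one is not, `writeObject` throws `NotSerializableException` at the moment the exception is written to a session or cache, which is usually far from where it was created. The hunk does not show how `AuthorizationResult` is declared, so this needs confirming, and I would document the requirement on the field, e.g. `// must be Serializable for this exception to round-trip`. The same check applies to the fields visible in the `PasswordPolicyException`, `OAuth2AuthenticationException`, `OAuth2AuthorizationException` and `JwtValidationException` sections. The class body continues outside the hunk.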

+ 5 - 0
core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.core.userdetails;
 
+import java.io.Serial;
+
 import org.springframework.security.core.AuthenticationException;
 
 /**
@@ -26,6 +28,9 @@ import org.springframework.security.core.AuthenticationException;
  */
 public class UsernameNotFoundException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = 1410688585992297006L;
+
 	/**
 	 * Constructs a <code>UsernameNotFoundException</code> with the specified message.
 	 * @param msg the detail message.

+ 1 - 0
crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java

@@ -617,6 +617,7 @@ public final class Base64 {
 		return out;
 	}
 
+	@SuppressWarnings("serial")
 	static class InvalidBase64CharacterException extends IllegalArgumentException {
 
 		InvalidBase64CharacterException(String message) {

+ 1 - 0
ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java

@@ -40,6 +40,7 @@ import org.springframework.security.core.AuthenticationException;
  *
  * @author Rob Winch
  */
+@SuppressWarnings("serial")
 public final class ActiveDirectoryAuthenticationException extends AuthenticationException {
 
 	private final String dataCode;
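Review bot: `@SuppressWarnings("serial")` on `ActiveDirectoryAuthenticationException` silences the lint but leaves the class with a computed UID that changes whenever its shape changes, unlike the other `AuthenticationException` subclasses in this commit, which get a pinned value. The class is public and carries a `dataCode` field, so if it is ever stored the way other authentication failures are, its serialized form can break between builds. If serialization is deliberately unsupported here, a one-line comment above the annotation would record that, e.g. `// Not intended to be serialized; see gh-16276`. The other three suppressions (in `Base64`, `InvalidClientRegistrationIdException` and `SwitchUserWebFilter`) are on non-public classes, where this matters less. The class body continues outside the hunk.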

+ 5 - 0
ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.ldap.ppolicy;
 
+import java.io.Serial;
+
 /**
  * Generic exception raised by the ppolicy package.
  * <p>
@@ -27,6 +29,9 @@ package org.springframework.security.ldap.ppolicy;
  */
 public class PasswordPolicyException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = 2586535034047453106L;
+
 	private final PasswordPolicyErrorStatus status;
 
 	public PasswordPolicyException(PasswordPolicyErrorStatus status) {

+ 5 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.client;
 
+import java.io.Serial;
+
 import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.util.Assert;
@@ -30,6 +32,9 @@ import org.springframework.util.Assert;
  */
 public class ClientAuthorizationException extends OAuth2AuthorizationException {
 
+	@Serial
+	private static final long serialVersionUID = 4710713969265443271L;
+
 	private final String clientRegistrationId;
 
 	/**

+ 5 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientAuthorizationRequiredException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.client;
 
+import java.io.Serial;
+
 import org.springframework.security.oauth2.core.OAuth2Error;
 
 /**
@@ -28,6 +30,9 @@ import org.springframework.security.oauth2.core.OAuth2Error;
  */
 public class ClientAuthorizationRequiredException extends ClientAuthorizationException {
 
+	@Serial
+	private static final long serialVersionUID = -5738646355203953667L;
+
 	private static final String CLIENT_AUTHORIZATION_REQUIRED_ERROR_CODE = "client_authorization_required";
 
 	/**

+ 1 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java

@@ -20,6 +20,7 @@ package org.springframework.security.oauth2.client.web;
  * @author Steve Riesenberg
  * @since 5.8
  */
+@SuppressWarnings("serial")
 class InvalidClientRegistrationIdException extends IllegalArgumentException {
 
 	/**

+ 5 - 0
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthenticationException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.core;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.util.Assert;
@@ -41,6 +43,9 @@ import org.springframework.util.Assert;
  */
 public class OAuth2AuthenticationException extends AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = -7832130893085581438L;
+
 	private final OAuth2Error error;
 
 	/**

+ 5 - 0
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2AuthorizationException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.core;
 
+import java.io.Serial;
+
 import org.springframework.util.Assert;
 
 /**
@@ -26,6 +28,9 @@ import org.springframework.util.Assert;
  */
 public class OAuth2AuthorizationException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = -5470222190376181102L;
+
 	private final OAuth2Error error;
 
 	/**

+ 5 - 0
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.jwt;
 
+import java.io.Serial;
+
 /**
  * An exception similar to
  * {@link org.springframework.security.authentication.BadCredentialsException} that
@@ -26,6 +28,9 @@ package org.springframework.security.oauth2.jwt;
  */
 public class BadJwtException extends JwtException {
 
+	@Serial
+	private static final long serialVersionUID = 7748429527132280501L;
+
 	public BadJwtException(String message) {
 		super(message);
 	}

+ 5 - 0
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderInitializationException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.jwt;
 
+import java.io.Serial;
+
 /**
  * An exception thrown when a {@link JwtDecoder} or {@link ReactiveJwtDecoder}'s lazy
  * initialization fails.
@@ -25,6 +27,9 @@ package org.springframework.security.oauth2.jwt;
  */
 public class JwtDecoderInitializationException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = 2786360018315628982L;
+
 	public JwtDecoderInitializationException(String message, Throwable cause) {
 		super(message, cause);
 	}

+ 5 - 0
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtEncodingException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.jwt;
 
+import java.io.Serial;
+
 /**
  * This exception is thrown when an error occurs while attempting to encode a JSON Web
  * Token (JWT).
@@ -25,6 +27,9 @@ package org.springframework.security.oauth2.jwt;
  */
 public class JwtEncodingException extends JwtException {
 
+	@Serial
+	private static final long serialVersionUID = 6581840872589902213L;
+
 	/**
 	 * Constructs a {@code JwtEncodingException} using the provided parameters.
 	 * @param message the detail message

+ 5 - 0
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.jwt;
 
+import java.io.Serial;
+
 /**
  * Base exception for all JSON Web Token (JWT) related errors.
  *
@@ -24,6 +26,9 @@ package org.springframework.security.oauth2.jwt;
  */
 public class JwtException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = -3070197880233583797L;
+
 	/**
 	 * Constructs a {@code JwtException} using the provided parameters.
 	 * @param message the detail message

+ 4 - 0
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.oauth2.jwt;
 
+import java.io.Serial;
 import java.util.ArrayList;
 import java.util.Collection;
 
@@ -31,6 +32,9 @@ import org.springframework.util.Assert;
  */
 public class JwtValidationException extends BadJwtException {
 
+	@Serial
+	private static final long serialVersionUID = 134652048447295615L;
+
 	private final Collection<OAuth2Error> errors;
 
 	/**

+ 5 - 0
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/InvalidBearerTokenException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.server.resource;
 
+import java.io.Serial;
+
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 
 /**
@@ -26,6 +28,9 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
  */
 public class InvalidBearerTokenException extends OAuth2AuthenticationException {
 
+	@Serial
+	private static final long serialVersionUID = 6904689954809100280L;
+
 	/**
 	 * Construct an instance of {@link InvalidBearerTokenException} given the provided
 	 * description.

+ 5 - 0
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.server.resource.introspection;
 
+import java.io.Serial;
+
 /**
  * An exception similar to
  * {@link org.springframework.security.authentication.BadCredentialsException} that
@@ -26,6 +28,9 @@ package org.springframework.security.oauth2.server.resource.introspection;
  */
 public class BadOpaqueTokenException extends OAuth2IntrospectionException {
 
+	@Serial
+	private static final long serialVersionUID = -6937847463454551076L;
+
 	public BadOpaqueTokenException(String message) {
 		super(message);
 	}

+ 5 - 0
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2IntrospectionException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.server.resource.introspection;
 
+import java.io.Serial;
+
 /**
  * Base exception for all OAuth 2.0 Introspection related errors
  *
@@ -24,6 +26,9 @@ package org.springframework.security.oauth2.server.resource.introspection;
  */
 public class OAuth2IntrospectionException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = -7327790383594166793L;
+
 	public OAuth2IntrospectionException(String message) {
 		super(message);
 	}

+ 5 - 0
web/src/main/java/org/springframework/security/web/firewall/RequestRejectedException.java

@@ -16,11 +16,16 @@
 
 package org.springframework.security.web.firewall;
 
+import java.io.Serial;
+
 /**
  * @author Luke Taylor
  */
 public class RequestRejectedException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = 7226768874760909859L;
+
 	public RequestRejectedException(String message) {
 		super(message);
 	}

+ 1 - 0
web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java

@@ -353,6 +353,7 @@ public class SwitchUserWebFilter implements WebFilter {
 		this.switchUserMatcher = switchUserMatcher;
 	}
 
+	@SuppressWarnings("serial")
 	private static class SwitchUserAuthenticationException extends RuntimeException {
 
 		SwitchUserAuthenticationException(AuthenticationException exception) {

+ 5 - 0
web/src/main/java/org/springframework/security/web/server/firewall/ServerExchangeRejectedException.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server.firewall;
 
+import java.io.Serial;
+
 /**
  * Thrown when a {@link org.springframework.web.server.ServerWebExchange} is rejected.
  *
@@ -24,6 +26,9 @@ package org.springframework.security.web.server.firewall;
  */
 public class ServerExchangeRejectedException extends RuntimeException {
 
+	@Serial
+	private static final long serialVersionUID = 904984955691607748L;
+
 	public ServerExchangeRejectedException(String message) {
 		super(message);
 	}