
SEC-1700: Add fixed serializationVersionUID values to security context, authentication tokens and related classes

Luke Taylor 14 лет назад
Родитель
Сommit
8178371927
26 измененных файлов с 107 добавлено и 7 удалено
  1. 3 0
      cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java
  2. 4 2
      cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
  3. 4 0
      core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
  4. 5 0
      core/src/main/java/org/springframework/security/authentication/AuthenticationDetails.java
  5. 4 0
      core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
  6. 4 0
      core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
  7. 4 0
      core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationToken.java
  8. 3 3
      core/src/main/java/org/springframework/security/authentication/jaas/JaasGrantedAuthority.java
  9. 4 0
      core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationException.java
  10. 8 1
      core/src/main/java/org/springframework/security/core/SpringSecurityCoreVersion.java
  11. 4 0
      core/src/main/java/org/springframework/security/core/authority/GrantedAuthoritiesContainerImpl.java
  12. 4 0
      core/src/main/java/org/springframework/security/core/authority/GrantedAuthorityImpl.java
  13. 4 0
      core/src/main/java/org/springframework/security/core/authority/SimpleGrantedAuthority.java
  14. 4 0
      core/src/main/java/org/springframework/security/core/context/SecurityContextImpl.java
  15. 4 0
      core/src/main/java/org/springframework/security/core/session/SessionInformation.java
  16. 6 0
      core/src/main/java/org/springframework/security/core/userdetails/User.java
  17. 4 0
      core/src/main/java/org/springframework/security/provisioning/MutableUser.java
  18. 3 1
      core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
  19. 4 0
      ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPerson.java
  20. 3 0
      ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java
  21. 4 0
      ldap/src/main/java/org/springframework/security/ldap/userdetails/Person.java
  22. 4 0
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java
  23. 5 0
      web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java
  24. 4 0
      web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java
  25. 3 0
      web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails.java
  26. 4 0
      web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserGrantedAuthority.java

+ 3 - 0
cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java

@@ -19,6 +19,7 @@ import java.util.ArrayList;
 import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 /**
  * Temporary authentication object needed to load the user details service.
@@ -28,6 +29,8 @@ import org.springframework.security.core.GrantedAuthority;
  */
 public final class CasAssertionAuthenticationToken extends AbstractAuthenticationToken {
 
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private final Assertion assertion;
 
     private final String ticket;

+ 4 - 2
cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -21,6 +21,7 @@ import java.util.Collection;
 import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 
 /**
@@ -30,9 +31,10 @@ import org.springframework.security.core.userdetails.UserDetails;
  * @author Scott Battaglia
  */
 public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
-    //~ Instance fields ================================================================================================
 
-    private static final long serialVersionUID = 1L;
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
+    //~ Instance fields ================================================================================================
     private final Object credentials;
     private final Object principal;
     private final UserDetails userDetails;
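Review bot: Changing `serialVersionUID` from `1L` to the shared constant means any `CasAuthenticationToken` written by an earlier build, for example in a persisted or replicated HTTP session, is rejected with `InvalidClassException` once this code is deployed. That is consistent with the stated position that these classes are not serializable across versions, but this class previously pinned `1L`, so the break is new here and belongs in the upgrade notes. A comment at the field would record the intent, e.g. `// Was 1L; streams written by older releases are deliberately rejected`. The class body continues outside the hunk.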

+ 4 - 0
core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -21,6 +21,7 @@ import java.util.Collection;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -29,6 +30,9 @@ import org.springframework.security.core.GrantedAuthority;
  * @author Ben Alex
  */
 public class RunAsUserToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final Class<? extends Authentication> originalAuthentication;

+ 5 - 0
core/src/main/java/org/springframework/security/authentication/AuthenticationDetails.java

@@ -1,5 +1,7 @@
 package org.springframework.security.authentication;
 
+import org.springframework.security.core.SpringSecurityCoreVersion;
+
 import java.io.Serializable;
 
 /**
@@ -10,6 +12,9 @@ import java.io.Serializable;
 */
 @Deprecated
 public class AuthenticationDetails implements Serializable {
+
+   private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
    //~ Instance fields ================================================================================================
 
    private final String context;

+ 4 - 0
core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java

@@ -18,6 +18,7 @@ package org.springframework.security.authentication;
 import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -30,6 +31,9 @@ import org.springframework.security.core.GrantedAuthority;
  * @author Luke Taylor
  */
 public class RememberMeAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final Object principal;

+ 4 - 0
core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java

@@ -18,6 +18,7 @@ package org.springframework.security.authentication;
 import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -31,6 +32,9 @@ import org.springframework.security.core.GrantedAuthority;
  * @author Ben Alex
  */
 public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final Object principal;

+ 4 - 0
core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationToken.java

@@ -20,6 +20,7 @@ import java.util.List;
 
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 import javax.security.auth.login.LoginContext;
 
@@ -30,6 +31,9 @@ import javax.security.auth.login.LoginContext;
  * @author Ray Krueger
  */
 public class JaasAuthenticationToken extends UsernamePasswordAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final transient LoginContext loginContext;
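Review bot: `loginContext` is `final transient`, so an instance restored from a serialized stream has it set to `null`, and the explicit `serialVersionUID` added above makes that round trip a supported path. Any accessor or logout handling that dereferences the field (not visible in this hunk) needs to tolerate `null`. The field should say so: `// Not serialized: null on any instance restored from a session store or a remote call`.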

+ 3 - 3
core/src/main/java/org/springframework/security/authentication/jaas/JaasGrantedAuthority.java

@@ -16,6 +16,7 @@
 package org.springframework.security.authentication.jaas;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 import java.security.Principal;
 
@@ -29,13 +30,12 @@ import java.security.Principal;
  * @see AuthorityGranter
  */
 public final class JaasGrantedAuthority implements GrantedAuthority {
-    //~ Instance fields ================================================================================================
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
     private final String role;
     private final Principal principal;
 
-    //~ Constructors ===================================================================================================
-
     public JaasGrantedAuthority(String role, Principal principal) {
         this.role = role;
         this.principal = principal;
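Review bot: The non-transient `principal` field is typed as `java.security.Principal`, which does not extend `Serializable`, so writing this authority out fails with `NotSerializableException` whenever the login module supplies a principal class that is not itself serializable. The new `serialVersionUID` presents the class as serializable without addressing that. The constructor should at least document the requirement, e.g. `@param principal must be Serializable if this authority is stored in a session or sent over remoting`. The constructor body continues past the end of the hunk.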

+ 4 - 0
core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationException.java

@@ -16,6 +16,7 @@
 package org.springframework.security.authentication.rcp;
 
 import org.springframework.core.NestedRuntimeException;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 /**
  * Thrown if a <code>RemoteAuthenticationManager</code> cannot validate the presented authentication request.
@@ -27,6 +28,9 @@ import org.springframework.core.NestedRuntimeException;
  * @author Ben Alex
  */
 public class RemoteAuthenticationException extends NestedRuntimeException {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Constructors ===================================================================================================
 
     /**

+ 8 - 1
core/src/main/java/org/springframework/security/core/SpringSecurityCoreVersion.java

@@ -12,13 +12,20 @@ import org.springframework.core.SpringVersion;
 public class SpringSecurityCoreVersion {
     private static final Log logger = LogFactory.getLog(SpringSecurityCoreVersion.class);
 
+    /**
+     * Global Serialization value for Spring Security classes.
+     *
+     * N.B. Classes are not intended to be serializable between different versions.
+     * See SEC-1709 for why we still need a serial version.
+     */
+    public static final long SERIAL_VERSION_UID = 310L;
+
     static {
         // Check Spring Compatibility
         String springVersion = SpringVersion.getVersion();
         String version = getVersion();
 
         if (springVersion != null) {
-            // TODO: Generate version class and information dynamically from a template in the build file
             logger.info("You are running with Spring Security Core " + version);
             if (!springVersion.startsWith("3")) {
                 logger.error("Spring Major version '3' expected, but you are running with version: "
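Review bot: `SERIAL_VERSION_UID` is a `public static final long` initialised with a literal, so the compiler treats it as a constant and copies `310L` into every class that references it, including custom token or user classes built outside this project. After the value is changed here, those classes keep the old number until they are recompiled, and the Javadoc should say so: `Compile-time constant: dependent classes must be recompiled when this value changes`. The literal is also maintained by hand, separately from whatever `getVersion()` returns, and a unit test tying the two together would stop them drifting. The Javadoc cites SEC-1709 while the commit title cites SEC-1700; confirm the reference is the intended one. The static initializer continues outside the hunk.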

+ 4 - 0
core/src/main/java/org/springframework/security/core/authority/GrantedAuthoritiesContainerImpl.java

@@ -3,10 +3,14 @@ package org.springframework.security.core.authority;
 import java.util.*;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 @Deprecated
 public class GrantedAuthoritiesContainerImpl implements MutableGrantedAuthoritiesContainer {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private List<GrantedAuthority> authorities;
 
     public void setGrantedAuthorities(Collection<? extends GrantedAuthority> newAuthorities) {

+ 4 - 0
core/src/main/java/org/springframework/security/core/authority/GrantedAuthorityImpl.java

@@ -17,6 +17,7 @@ package org.springframework.security.core.authority;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 
@@ -31,6 +32,9 @@ import org.springframework.util.Assert;
  */
 @Deprecated
 public class GrantedAuthorityImpl implements GrantedAuthority {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final String role;

+ 4 - 0
core/src/main/java/org/springframework/security/core/authority/SimpleGrantedAuthority.java

@@ -1,6 +1,7 @@
 package org.springframework.security.core.authority;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 /**
@@ -13,6 +14,9 @@ import org.springframework.util.Assert;
  * @author Luke Taylor
  */
 public final class SimpleGrantedAuthority implements GrantedAuthority {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private final String role;
 
     public SimpleGrantedAuthority(String role) {

+ 4 - 0
core/src/main/java/org/springframework/security/core/context/SecurityContextImpl.java

@@ -16,6 +16,7 @@
 package org.springframework.security.core.context;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -26,6 +27,9 @@ import org.springframework.security.core.Authentication;
  * @author Ben Alex
  */
 public class SecurityContextImpl implements SecurityContext {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private Authentication authentication;

+ 4 - 0
core/src/main/java/org/springframework/security/core/session/SessionInformation.java

@@ -15,6 +15,7 @@
 
 package org.springframework.security.core.session;
 
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 import java.util.Date;
@@ -35,6 +36,9 @@ import java.io.Serializable;
  * @author Ben Alex
  */
 public class SessionInformation implements Serializable {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private Date lastRequest;

+ 6 - 0
core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -25,6 +25,7 @@ import java.util.TreeSet;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.CredentialsContainer;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 /**
@@ -43,6 +44,9 @@ import org.springframework.util.Assert;
  * @author Luke Taylor
  */
 public class User implements UserDetails, CredentialsContainer {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
     private String password;
     private final String username;
@@ -149,6 +153,8 @@ public class User implements UserDetails, CredentialsContainer {
     }
 
     private static class AuthorityComparator implements Comparator<GrantedAuthority>, Serializable {
+        private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
         public int compare(GrantedAuthority g1, GrantedAuthority g2) {
             // Neither should ever be null as each entry is checked before adding it to the set.
             // If the authority is null, it is a custom authority and should precede others.
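Review bot: `password` is a plain non-transient `String`, so every serialized `User`, whether in a session store, a replication message or a remoting call, contains whatever the field holds at that moment. The class implements `CredentialsContainer`, so the value is presumably cleared after authentication, but nothing in these hunks shows that happening before the object is written. A comment at the field would make the dependency explicit: `// Serialized with the object; relies on eraseCredentials() having run before the context is stored`. Both the class body and `AuthorityComparator.compare` continue outside the hunks.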

+ 4 - 0
core/src/main/java/org/springframework/security/provisioning/MutableUser.java

@@ -3,6 +3,7 @@ package org.springframework.security.provisioning;
 import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 
 /**
@@ -11,6 +12,9 @@ import org.springframework.security.core.userdetails.UserDetails;
  * @since 3.1
  */
 class MutableUser implements MutableUserDetails {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private String password;
     private final UserDetails delegate;
 

+ 3 - 1
core/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java

@@ -15,6 +15,7 @@
 
 package org.springframework.security.remoting.rmi;
 
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -43,7 +44,8 @@ import java.lang.reflect.InvocationTargetException;
  * @author Ben Alex
  */
 public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
-    //~ Static fields/initializers =====================================================================================
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
     private static final Log logger = LogFactory.getLog(ContextPropagatingRemoteInvocation.class);
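Review bot: The `serialVersionUID` added here is only a compatibility marker; it does not authenticate the sender or protect what the invocation carries. Judging by the imports and the class name, this object transports a `SecurityContext` from the calling side, and the receiving side still has to decide whether that caller may assert it. A comment next to the field would prevent misreading: `// Version marker only: the propagated SecurityContext is still caller-supplied input`. The hunk also drops the `//~ Static fields/initializers` header although the two fields below it are both static, which leaves this file inconsistent with the section headers kept elsewhere in the commit.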
 

+ 4 - 0
ldap/src/main/java/org/springframework/security/ldap/userdetails/InetOrgPerson.java

@@ -16,6 +16,7 @@ package org.springframework.security.ldap.userdetails;
 
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -28,6 +29,9 @@ import org.springframework.ldap.core.DirContextOperations;
  * @author Luke
  */
 public class InetOrgPerson extends Person {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private String carLicense;
     // Person.cn
     private String destinationIndicator;

+ 3 - 0
ldap/src/main/java/org/springframework/security/ldap/userdetails/LdapUserDetailsImpl.java

@@ -24,6 +24,7 @@ import javax.naming.Name;
 
 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyData;
 import org.springframework.util.Assert;
@@ -46,6 +47,8 @@ import org.springframework.util.Assert;
  */
 public class LdapUserDetailsImpl implements LdapUserDetails, PasswordPolicyData {
 
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private String dn;

+ 4 - 0
ldap/src/main/java/org/springframework/security/ldap/userdetails/Person.java

@@ -15,6 +15,7 @@
 package org.springframework.security.ldap.userdetails;
 
 
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 import org.springframework.ldap.core.DirContextAdapter;
@@ -33,6 +34,9 @@ import java.util.Arrays;
  * @since 2.0
  */
 public class Person extends LdapUserDetailsImpl {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private String sn;
     private String description;
     private String telephoneNumber;

+ 4 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java

@@ -20,6 +20,7 @@ import java.util.List;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 /**
  * OpenID Authentication Token
@@ -27,6 +28,9 @@ import org.springframework.security.core.GrantedAuthority;
  * @author Robin Bramley
  */
 public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final OpenIDAuthenticationStatus status;

+ 5 - 0
web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java

@@ -15,6 +15,8 @@
 
 package org.springframework.security.web.authentication;
 
+import org.springframework.security.core.SpringSecurityCoreVersion;
+
 import java.io.Serializable;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -27,6 +29,9 @@ import javax.servlet.http.HttpSession;
  * @author Luke Taylor
  */
 public class WebAuthenticationDetails implements Serializable {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
 
     private final String remoteAddress;

+ 4 - 0
web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationToken.java

@@ -4,6 +4,7 @@ import java.util.Collection;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -14,6 +15,9 @@ import org.springframework.security.core.GrantedAuthority;
  * @since 2.0
  */
 public class PreAuthenticatedAuthenticationToken extends AbstractAuthenticationToken {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private final Object principal;
     private final Object credentials;
 

+ 3 - 0
web/src/main/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails.java

@@ -1,6 +1,7 @@
 package org.springframework.security.web.authentication.preauth;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.GrantedAuthoritiesContainer;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 
@@ -18,6 +19,8 @@ import java.util.*;
 public class PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails extends WebAuthenticationDetails implements
         GrantedAuthoritiesContainer {
 
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     private final List<GrantedAuthority> authorities;
 
     public PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(HttpServletRequest request,

+ 4 - 0
web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserGrantedAuthority.java

@@ -17,6 +17,7 @@ package org.springframework.security.web.authentication.switchuser;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 
 /**
@@ -30,6 +31,9 @@ import org.springframework.security.core.GrantedAuthority;
  * @see org.springframework.security.web.authentication.switchuser.SwitchUserFilter
  */
 public final class SwitchUserGrantedAuthority implements GrantedAuthority {
+
+    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
     //~ Instance fields ================================================================================================
     private final String role;
     private final Authentication source;
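Review bot: The `source` field pulls the original user's entire `Authentication` into the serialized form of this authority, including its principal, details and any credentials still set on it. With serialization now explicitly versioned, that nested object is written wherever the switched user's authorities are stored or transmitted. Whether the credentials have been erased by then is not visible in this hunk, so a comment is warranted: `// Serialized in full; the original Authentication should have its credentials erased before the switch`. The class body continues outside the hunk.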