
Support Serialization for Authorization Components

Closes gh-16544
Josh Cummings 6 months ago
parent
commit
b4c7795699

+ 8 - 0
config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -95,6 +95,9 @@ import org.springframework.security.authentication.jaas.event.JaasAuthentication
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
+import org.springframework.security.authorization.AuthorityAuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
@@ -454,6 +457,11 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
 		generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value"));
 		generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication));
+		generatorByClassName.put(AuthorizationDeniedException.class,
+				(r) -> new AuthorizationDeniedException("message", new AuthorizationDecision(false)));
+		generatorByClassName.put(AuthorizationDecision.class, (r) -> new AuthorizationDecision(true));
+		generatorByClassName.put(AuthorityAuthorizationDecision.class,
+				(r) -> new AuthorityAuthorizationDecision(true, AuthorityUtils.createAuthorityList("ROLE_USER")));
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {

BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorityAuthorizationDecision.serialized


BIN
config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDecision.serialized


+ 0 - 0
config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.AuthorizationDeniedException.serialized


+ 4 - 0
core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.authorization;
 
+import java.io.Serial;
 import java.util.Collection;
 
 import org.springframework.security.core.GrantedAuthority;
@@ -28,6 +29,9 @@ import org.springframework.security.core.GrantedAuthority;
  */
 public class AuthorityAuthorizationDecision extends AuthorizationDecision {
 
+	@Serial
+	private static final long serialVersionUID = -8338309042331376592L;
+
 	private final Collection<GrantedAuthority> authorities;
 
 	public AuthorityAuthorizationDecision(boolean granted, Collection<GrantedAuthority> authorities) {
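Review bot: The non-transient `authorities` field is declared as `Collection<GrantedAuthority>`, and `Collection` is not itself `Serializable`, so pinning `serialVersionUID` here does not guarantee that an instance can be written. The constructor body is outside this hunk; if it stores the caller's collection as-is, a non-serializable view such as a map's `keySet()` would fail with `NotSerializableException` only at the moment the decision is serialized. The fixture in this commit is built with `AuthorityUtils.createAuthorityList("ROLE_USER")`, so only the serializable case is exercised. Consider copying into a serializable list in the constructor, e.g. `this.authorities = new ArrayList<>(authorities);`, or stating the requirement in the Javadoc of the `authorities` parameter.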

+ 5 - 0
core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java

@@ -16,12 +16,17 @@
 
 package org.springframework.security.authorization;
 
+import java.io.Serial;
+
 /**
  * @author Rob Winch
  * @since 5.0
  */
 public class AuthorizationDecision implements AuthorizationResult {
 
+	@Serial
+	private static final long serialVersionUID = -3226018324649244416L;
+
 	private final boolean granted;
 
 	public AuthorizationDecision(boolean granted) {

+ 2 - 0
core/src/main/java/org/springframework/security/authorization/AuthorizationManagers.java

@@ -145,6 +145,7 @@ public final class AuthorizationManagers {
 	private AuthorizationManagers() {
 	}
 
+	@SuppressWarnings("serial")
 	private static final class CompositeAuthorizationDecision extends AuthorizationDecision {
 
 		private final List<AuthorizationResult> results;
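Review bot: `@SuppressWarnings("serial")` on `CompositeAuthorizationDecision`, and again on `NotAuthorizationDecision` in the next hunk, silences the lint without pinning a `serialVersionUID`, although both classes become `Serializable` through `AuthorizationDecision`. If either can end up inside a serialized object graph (the test generator in this commit shows `AuthorizationDeniedException` carrying an authorization result), the stream depends on a compiler-computed UID and on the runtime types behind `results` and `result` being serializable. No serialized fixture for these two classes is visible in this commit. Either declare `@Serial private static final long serialVersionUID = <generated value>L;` in both, or put a short comment beside each annotation saying why serialized-form compatibility is not promised for these private types. Both class bodies continue outside the hunks.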
@@ -161,6 +162,7 @@ public final class AuthorizationManagers {
 
 	}
 
+	@SuppressWarnings("serial")
 	private static final class NotAuthorizationDecision extends AuthorizationDecision {
 
 		private final AuthorizationResult result;

+ 3 - 1
core/src/main/java/org/springframework/security/authorization/AuthorizationResult.java

@@ -16,13 +16,15 @@
 
 package org.springframework.security.authorization;
 
+import java.io.Serializable;
+
 /**
  * Represents an authorization result
  *
  * @author Marcus da Coregio
  * @since 6.3
  */
-public interface AuthorizationResult {
+public interface AuthorizationResult extends Serializable {
 
 	/**
 	 * @return whether the access has been granted
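Review bot: The interface Javadoc still reads only "Represents an authorization result", although `extends Serializable` now places a contract on every implementation, including ones outside this project. Implementations with non-serializable fields will compile, possibly with a lint warning, and fail only when an instance is written. I would add a sentence such as `Implementations must keep their state serializable or mark it transient.` and a version note for the change. A deserialized result carries its `granted` value verbatim, so it is also worth stating that the serialized form is meant for trusted stores and is not an integrity-protected token.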

+ 1 - 0
core/src/main/java/org/springframework/security/authorization/ExpressionAuthorizationDecision.java

@@ -24,6 +24,7 @@ import org.springframework.expression.Expression;
  * @author Marcus Da Coregio
  * @since 5.8
  */
+@SuppressWarnings("serial")
 public class ExpressionAuthorizationDecision extends AuthorizationDecision {
 
 	private final Expression expression;
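Review bot: The `expression` field is non-transient and typed as `org.springframework.expression.Expression`, which to my knowledge does not extend `Serializable`, so the added `@SuppressWarnings("serial")` hides a real problem instead of fixing it. This public class is now `Serializable` through `AuthorizationDecision`, and writing an instance would presumably throw `NotSerializableException` unless the concrete expression type happens to be serializable. No generator or serialized fixture for this class appears in this commit, so the failure would surface only at runtime. Consider `private final transient Expression expression;` with null handling after deserialization, or a class-level Javadoc line stating that instances are not expected to survive serialization. The class body continues outside the hunk.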