Merge branch '6.4.x'

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -39,11 +39,13 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import jakarta.servlet.http.Cookie;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apereo.cas.client.validation.AssertionImpl;
 import org.instancio.Instancio;
@@ -58,9 +60,11 @@ import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AssignableTypeFilter;
+import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
+import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.access.intercept.RunAsUserToken;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AccountExpiredException;
@@ -104,13 +108,16 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.core.context.TransientSecurityContext;
 import org.springframework.security.core.session.AbstractSessionEvent;
 import org.springframework.security.core.session.ReactiveSessionInformation;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.ppolicy.PasswordPolicyControl;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyErrorStatus;
 import org.springframework.security.ldap.ppolicy.PasswordPolicyException;
+import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl;
 import org.springframework.security.ldap.userdetails.LdapAuthority;
 import org.springframework.security.oauth2.client.ClientAuthorizationException;
 import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
@@ -179,6 +186,7 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2R
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2PostAuthenticationRequests;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2RedirectAuthenticationRequests;
+import org.springframework.security.web.PortResolverImpl;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException;
@@ -194,6 +202,8 @@ import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.InvalidCsrfTokenException;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.firewall.RequestRejectedException;
+import org.springframework.security.web.savedrequest.DefaultSavedRequest;
+import org.springframework.security.web.savedrequest.SimpleSavedRequest;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.webauthn.api.Bytes;
@@ -442,6 +452,8 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(JaasAuthenticationSuccessEvent.class,
 				(r) -> new JaasAuthenticationSuccessEvent(authentication));
 		generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
+		generatorByClassName.put(SecurityConfig.class, (r) -> new SecurityConfig("value"));
+		generatorByClassName.put(TransientSecurityContext.class, (r) -> new TransientSecurityContext(authentication));
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
@@ -466,6 +478,11 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new LdapAuthority("USER", "username", Map.of("attribute", List.of("value1", "value2"))));
 		generatorByClassName.put(PasswordPolicyException.class,
 				(r) -> new PasswordPolicyException(PasswordPolicyErrorStatus.INSUFFICIENT_PASSWORD_QUALITY));
+		generatorByClassName.put(PasswordPolicyControl.class, (r) -> new PasswordPolicyControl(true));
+		generatorByClassName.put(PasswordPolicyResponseControl.class, (r) -> {
+			byte[] encodedResponse = { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0xA0, 0x1, 0x21 };
+			return new PasswordPolicyResponseControl(encodedResponse);
+		});
 
 		// saml2-service-provider
 		generatorByClassName.put(Saml2AuthenticationException.class,
@@ -521,6 +538,20 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
 		generatorByClassName.put(HttpSessionCreatedEvent.class,
 				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
+		generatorByClassName.put(SimpleSavedRequest.class, (r) -> {
+			MockHttpServletRequest request = new MockHttpServletRequest("GET", "/uri");
+			request.setQueryString("query=string");
+			request.setScheme("https");
+			request.setServerName("localhost");
+			request.setServerPort(80);
+			request.setRequestURI("/uri");
+			request.setCookies(new Cookie("name", "value"));
+			request.addHeader("header", "value");
+			request.addParameter("parameter", "value");
+			request.setPathInfo("/path");
+			request.addPreferredLocale(Locale.ENGLISH);
+			return new SimpleSavedRequest(new DefaultSavedRequest(request, new PortResolverImpl(), "continue"));
+		});
 
 		// webauthn
 		generatorByClassName.put(Bytes.class, (r) -> TestBytes.get());

core/src/main/java/org/springframework/security/access/SecurityConfig.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.access;
 
+import java.io.Serial;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -29,6 +30,9 @@ import org.springframework.util.StringUtils;
  */
 public class SecurityConfig implements ConfigAttribute {
 
+	@Serial
+	private static final long serialVersionUID = -7138084564199804304L;
+
 	private final String attrib;
 
 	public SecurityConfig(String config) {

core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java

@@ -30,6 +30,7 @@ import org.springframework.security.authorization.method.AuthorizationManagerBef
  * @deprecated Use {@link AuthorizationManagerBeforeMethodInterceptor#jsr250()} instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class Jsr250SecurityConfig extends SecurityConfig {
 
 	public static final Jsr250SecurityConfig PERMIT_ALL_ATTRIBUTE = new Jsr250SecurityConfig(PermitAll.class.getName());

core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java

@@ -28,6 +28,7 @@ import org.springframework.security.access.prepost.PostInvocationAttribute;
  * instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
 		implements PostInvocationAttribute {
 

core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java

@@ -28,6 +28,7 @@ import org.springframework.security.access.prepost.PreInvocationAttribute;
  * instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
 		implements PreInvocationAttribute {
 

core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java

@@ -54,6 +54,7 @@ import org.springframework.util.CollectionUtils;
  * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware {
 
 	private transient MethodSecurityMetadataSource attributeSource;

core/src/main/java/org/springframework/security/core/ComparableVersion.java

@@ -405,6 +405,7 @@ class ComparableVersion implements Comparable<ComparableVersion> {
 	 * Represents a version list item. This class is used both for the global item list
 	 * and for sub-lists (which start with '-(number)' in the version specification).
 	 */
+	@SuppressWarnings("serial")
 	private static class ListItem extends ArrayList<Item> implements Item {
 
 		@Override

core/src/main/java/org/springframework/security/core/context/TransientSecurityContext.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.core.context;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.Transient;
 
@@ -30,6 +32,9 @@ import org.springframework.security.core.Transient;
 @Transient
 public class TransientSecurityContext extends SecurityContextImpl {
 
+	@Serial
+	private static final long serialVersionUID = -7925492364422193347L;
+
 	public TransientSecurityContext() {
 	}
 

ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControl.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.ldap.ppolicy;
 
+import java.io.Serial;
+
 import javax.naming.ldap.Control;
 
 /**
@@ -37,6 +39,9 @@ public class PasswordPolicyControl implements Control {
 	 */
 	public static final String OID = "1.3.6.1.4.1.42.2.27.8.5.1";
 
+	@Serial
+	private static final long serialVersionUID = 2843242715616817932L;
+
 	private final boolean critical;
 
 	/**

ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyResponseControl.java

@@ -19,6 +19,7 @@ package org.springframework.security.ldap.ppolicy;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.Serial;
 
 import netscape.ldap.ber.stream.BERChoice;
 import netscape.ldap.ber.stream.BERElement;
@@ -53,6 +54,9 @@ public class PasswordPolicyResponseControl extends PasswordPolicyControl {
 
 	private static final Log logger = LogFactory.getLog(PasswordPolicyResponseControl.class);
 
+	@Serial
+	private static final long serialVersionUID = -4592657167939234499L;
+
 	private final byte[] encodedValue;
 
 	private PasswordPolicyErrorStatus errorStatus;

web/src/main/java/org/springframework/security/web/savedrequest/SimpleSavedRequest.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.savedrequest;
 
+import java.io.Serial;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -35,6 +36,9 @@ import org.springframework.util.Assert;
  */
 public class SimpleSavedRequest implements SavedRequest {
 
+	@Serial
+	private static final long serialVersionUID = 807650604272166969L;
+
 	private String redirectUrl;
 
 	private List<Cookie> cookies = new ArrayList<>();