Merge branch '6.4.x'

spring-projects · Jan 17, 2025 · c2a5709 · c2a5709
2 parents 9a3bbf8 + bbe4f87
commit c2a5709
Show file tree

Hide file tree

Showing 46 changed files with 175 additions and 10 deletions.
diff --git a/...rc/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/...rc/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,6 +54,7 @@
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AssignableTypeFilter;
+import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.intercept.RunAsUserToken;
@@ -73,16 +74,33 @@
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
+import org.springframework.security.authentication.event.LogoutSuccessEvent;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
+import org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent;
+import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent;
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.core.session.AbstractSessionEvent;
 import org.springframework.security.core.session.ReactiveSessionInformation;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -163,13 +181,16 @@
 import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent;
+import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;
 import org.springframework.security.web.authentication.www.NonceExpiredException;
 import org.springframework.security.web.csrf.CsrfException;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.InvalidCsrfTokenException;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
+import org.springframework.security.web.session.HttpSessionCreatedEvent;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@@ -200,6 +221,8 @@ class SpringSecurityCoreVersionSerializableTests {
 
 	static {
 		UserDetails user = TestAuthentication.user();
+		Authentication authentication = TestAuthentication.authenticated(user);
+		SecurityContext securityContext = new SecurityContextImpl(authentication);
 
 		// oauth2-core
 		generatorByClassName.put(DefaultOAuth2User.class, (r) -> TestOAuth2Users.create());
@@ -375,6 +398,37 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new UsernameNotFoundException("error", new RuntimeException()));
 		generatorByClassName.put(TestingAuthenticationToken.class,
 				(r) -> applyDetails(new TestingAuthenticationToken("username", "password")));
+		generatorByClassName.put(AuthenticationFailureBadCredentialsEvent.class,
+				(r) -> new AuthenticationFailureBadCredentialsEvent(authentication,
+						new BadCredentialsException("message")));
+		generatorByClassName.put(AuthenticationFailureCredentialsExpiredEvent.class,
+				(r) -> new AuthenticationFailureCredentialsExpiredEvent(authentication,
+						new CredentialsExpiredException("message")));
+		generatorByClassName.put(AuthenticationFailureDisabledEvent.class,
+				(r) -> new AuthenticationFailureDisabledEvent(authentication, new DisabledException("message")));
+		generatorByClassName.put(AuthenticationFailureExpiredEvent.class,
+				(r) -> new AuthenticationFailureExpiredEvent(authentication, new AccountExpiredException("message")));
+		generatorByClassName.put(AuthenticationFailureLockedEvent.class,
+				(r) -> new AuthenticationFailureLockedEvent(authentication, new LockedException("message")));
+		generatorByClassName.put(AuthenticationFailureProviderNotFoundEvent.class,
+				(r) -> new AuthenticationFailureProviderNotFoundEvent(authentication,
+						new ProviderNotFoundException("message")));
+		generatorByClassName.put(AuthenticationFailureProxyUntrustedEvent.class,
+				(r) -> new AuthenticationFailureProxyUntrustedEvent(authentication,
+						new AuthenticationServiceException("message")));
+		generatorByClassName.put(AuthenticationFailureServiceExceptionEvent.class,
+				(r) -> new AuthenticationFailureServiceExceptionEvent(authentication,
+						new AuthenticationServiceException("message")));
+		generatorByClassName.put(AuthenticationSuccessEvent.class,
+				(r) -> new AuthenticationSuccessEvent(authentication));
+		generatorByClassName.put(InteractiveAuthenticationSuccessEvent.class,
+				(r) -> new InteractiveAuthenticationSuccessEvent(authentication, Authentication.class));
+		generatorByClassName.put(LogoutSuccessEvent.class, (r) -> new LogoutSuccessEvent(authentication));
+		generatorByClassName.put(JaasAuthenticationFailedEvent.class,
+				(r) -> new JaasAuthenticationFailedEvent(authentication, new RuntimeException("message")));
+		generatorByClassName.put(JaasAuthenticationSuccessEvent.class,
+				(r) -> new JaasAuthenticationSuccessEvent(authentication));
+		generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
@@ -448,6 +502,12 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(RequestRejectedException.class, (r) -> new RequestRejectedException("message"));
 		generatorByClassName.put(ServerExchangeRejectedException.class,
 				(r) -> new ServerExchangeRejectedException("message"));
+		generatorByClassName.put(SessionFixationProtectionEvent.class,
+				(r) -> new SessionFixationProtectionEvent(authentication, "old", "new"));
+		generatorByClassName.put(AuthenticationSwitchUserEvent.class,
+				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
+		generatorByClassName.put(HttpSessionCreatedEvent.class,
+				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
 	}
 
 	@ParameterizedTest

diff --git a/...amework.security.authentication.event.AuthenticationFailureBadCredentialsEvent.serialized b/...amework.security.authentication.event.AuthenticationFailureBadCredentialsEvent.serialized
diff --git a/...ork.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent.serialized b/...ork.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent.serialized
diff --git a/...ringframework.security.authentication.event.AuthenticationFailureDisabledEvent.serialized b/...ringframework.security.authentication.event.AuthenticationFailureDisabledEvent.serialized
diff --git a/...pringframework.security.authentication.event.AuthenticationFailureExpiredEvent.serialized b/...pringframework.security.authentication.event.AuthenticationFailureExpiredEvent.serialized
diff --git a/...springframework.security.authentication.event.AuthenticationFailureLockedEvent.serialized b/...springframework.security.authentication.event.AuthenticationFailureLockedEvent.serialized
diff --git a/...ework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent.serialized b/...ework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent.serialized
diff --git a/...amework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent.serialized b/...amework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent.serialized
diff --git a/...ework.security.authentication.event.AuthenticationFailureServiceExceptionEvent.serialized b/...ework.security.authentication.event.AuthenticationFailureServiceExceptionEvent.serialized
diff --git a/...x/org.springframework.security.authentication.event.AuthenticationSuccessEvent.serialized b/...x/org.springframework.security.authentication.event.AuthenticationSuccessEvent.serialized
diff --git a/...gframework.security.authentication.event.InteractiveAuthenticationSuccessEvent.serialized b/...gframework.security.authentication.event.InteractiveAuthenticationSuccessEvent.serialized
diff --git a/...zed/6.4.x/org.springframework.security.authentication.event.LogoutSuccessEvent.serialized b/...zed/6.4.x/org.springframework.security.authentication.event.LogoutSuccessEvent.serialized
diff --git a/...ringframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent.serialized b/...ringframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent.serialized
diff --git a/...ingframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent.serialized b/...ingframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent.serialized
diff --git a/...erialized/6.4.x/org.springframework.security.core.session.AbstractSessionEvent.serialized b/...erialized/6.4.x/org.springframework.security.core.session.AbstractSessionEvent.serialized
diff --git a/...ngframework.security.web.authentication.session.SessionFixationProtectionEvent.serialized b/...ngframework.security.web.authentication.session.SessionFixationProtectionEvent.serialized
diff --git a/...framework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent.serialized b/...framework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent.serialized
diff --git a/...ialized/6.4.x/org.springframework.security.web.session.HttpSessionCreatedEvent.serialized b/...ialized/6.4.x/org.springframework.security.web.session.HttpSessionCreatedEvent.serialized
diff --git a/...ava/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java b/...ava/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java
@@ -32,6 +32,7 @@
  * instead.
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizationEvent {
 
 	private final AuthenticationCredentialsNotFoundException credentialsNotFoundException;

diff --git a/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java
@@ -39,6 +39,7 @@
  * instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
 
 	private final AccessDeniedException accessDeniedException;

diff --git a/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java b/core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java
@@ -34,6 +34,7 @@
  * instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class AuthorizedEvent extends AbstractAuthorizationEvent {
 
 	private final Authentication authentication;

diff --git a/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java b/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java
@@ -34,6 +34,7 @@
  * {@link AuthorizationGrantedEvent#getSource()} to deduce public invocations.
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class PublicInvocationEvent extends AbstractAuthorizationEvent {
 
 	/**

diff --git a/...ringframework/security/authentication/event/AuthenticationFailureBadCredentialsEvent.java b/...ringframework/security/authentication/event/AuthenticationFailureBadCredentialsEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureBadCredentialsEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -5245144711561130379L;
+
 	public AuthenticationFailureBadCredentialsEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

diff --git a/...framework/security/authentication/event/AuthenticationFailureCredentialsExpiredEvent.java b/...framework/security/authentication/event/AuthenticationFailureCredentialsExpiredEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureCredentialsExpiredEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -7595086332769705203L;
+
 	public AuthenticationFailureCredentialsExpiredEvent(Authentication authentication,
 			AuthenticationException exception) {
 		super(authentication, exception);

diff --git a/...org/springframework/security/authentication/event/AuthenticationFailureDisabledEvent.java b/...org/springframework/security/authentication/event/AuthenticationFailureDisabledEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureDisabledEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 8037552364666766279L;
+
 	public AuthenticationFailureDisabledEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

diff --git a/.../org/springframework/security/authentication/event/AuthenticationFailureExpiredEvent.java b/.../org/springframework/security/authentication/event/AuthenticationFailureExpiredEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureExpiredEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -8437264795214121718L;
+
 	public AuthenticationFailureExpiredEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

diff --git a/...a/org/springframework/security/authentication/event/AuthenticationFailureLockedEvent.java b/...a/org/springframework/security/authentication/event/AuthenticationFailureLockedEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureLockedEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -5126110096093568463L;
+
 	public AuthenticationFailureLockedEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

diff --git a/...ngframework/security/authentication/event/AuthenticationFailureProviderNotFoundEvent.java b/...ngframework/security/authentication/event/AuthenticationFailureProviderNotFoundEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureProviderNotFoundEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 9122219669183263487L;
+
 	public AuthenticationFailureProviderNotFoundEvent(Authentication authentication,
 			AuthenticationException exception) {
 		super(authentication, exception);

diff --git a/...ringframework/security/authentication/event/AuthenticationFailureProxyUntrustedEvent.java b/...ringframework/security/authentication/event/AuthenticationFailureProxyUntrustedEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureProxyUntrustedEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 1801476426012753252L;
+
 	public AuthenticationFailureProxyUntrustedEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

diff --git a/...ngframework/security/authentication/event/AuthenticationFailureServiceExceptionEvent.java b/...ngframework/security/authentication/event/AuthenticationFailureServiceExceptionEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureServiceExceptionEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 5580062757249390756L;
+
 	public AuthenticationFailureServiceExceptionEvent(Authentication authentication,
 			AuthenticationException exception) {
 		super(authentication, exception);

diff --git a/...in/java/org/springframework/security/authentication/event/AuthenticationSuccessEvent.java b/...in/java/org/springframework/security/authentication/event/AuthenticationSuccessEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -25,6 +27,9 @@
  */
 public class AuthenticationSuccessEvent extends AbstractAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = 2537206344128673963L;
+
 	public AuthenticationSuccessEvent(Authentication authentication) {
 		super(authentication);
 	}

diff --git a/.../springframework/security/authentication/event/InteractiveAuthenticationSuccessEvent.java b/.../springframework/security/authentication/event/InteractiveAuthenticationSuccessEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 
@@ -34,6 +36,9 @@
  */
 public class InteractiveAuthenticationSuccessEvent extends AbstractAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = -1990271553478571709L;
+
 	private final Class<?> generatedBy;
 
 	public InteractiveAuthenticationSuccessEvent(Authentication authentication, Class<?> generatedBy) {

diff --git a/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java b/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -26,6 +28,9 @@
  */
 public class LogoutSuccessEvent extends AbstractAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = 5112491795571632311L;
+
 	public LogoutSuccessEvent(Authentication authentication) {
 		super(authentication);
 	}

diff --git a/...org/springframework/security/authentication/jaas/event/JaasAuthenticationFailedEvent.java b/...org/springframework/security/authentication/jaas/event/JaasAuthenticationFailedEvent.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.jaas.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -26,6 +28,9 @@
  */
 public class JaasAuthenticationFailedEvent extends JaasAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = -240510538971925002L;
+
 	private final Exception exception;
 
 	public JaasAuthenticationFailedEvent(Authentication auth, Exception exception) {