Closes gh-12472

3 years ago · 79887fa213
2 changed files with 25 additions and 3 deletions
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2LogoutRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2LogoutRequest.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -60,7 +60,7 @@ public final class Saml2LogoutRequest implements Serializable {
				@@ -60,7 +60,7 @@ public final class Saml2LogoutRequest implements Serializable {

 	private final String relyingPartyRegistrationId;

-	private Function<Map<String, String>, String> encoder;
+	private transient Function<Map<String, String>, String> encoder;

 	private Saml2LogoutRequest(String location, Saml2MessageBinding binding, Map<String, String> parameters, String id,
 			String relyingPartyRegistrationId) {
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/HttpSessionLogoutRequestRepositoryTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/HttpSessionLogoutRequestRepositoryTests.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,11 @@
				@@ -16,6 +16,11 @@

 package org.springframework.security.saml2.provider.service.web.authentication.logout;

+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
 import java.util.HashMap;
 import java.util.Map;

@ -77,6 +82,23 @@ public class HttpSessionLogoutRequestRepositoryTests {
				@@ -77,6 +82,23 @@ public class HttpSessionLogoutRequestRepositoryTests {
 		assertThat(this.logoutRequestRepository.loadLogoutRequest(request)).isEqualTo(two);
 	}

+	@Test
+	void serializeAndDeserializeSaml2LogoutRequest() throws IOException, ClassNotFoundException {
+		Saml2LogoutRequest requestToSerialize = createLogoutRequest().relayState("state-serialized").build();
+		byte[] data;
+		try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+				ObjectOutputStream objectOutputStream = new ObjectOutputStream(outputStream)) {
+			objectOutputStream.writeObject(requestToSerialize);
+			data = outputStream.toByteArray();
+		}
+
+		try (ByteArrayInputStream inputStream = new ByteArrayInputStream(data);
+				ObjectInputStream objectInputStream = new ObjectInputStream(inputStream)) {
+			Saml2LogoutRequest deserializedRequest = (Saml2LogoutRequest) objectInputStream.readObject();
+			assertThat(requestToSerialize.getRelayState()).isEqualTo(deserializedRequest.getRelayState());
+		}
+	}
+
 	@Test
 	public void loadLogoutRequestWhenSavedAndStateParameterNullThenReturnNull() {
 		MockHttpServletRequest request = new MockHttpServletRequest();