Implement Serializable for WebAuthnAuthentication

Closes gh-16273 Closes gh-16285 Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
11 months ago · e557c7227b
8 changed files with 42 additions and 6 deletions
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@ -191,6 +191,12 @@ import org.springframework.security.web.csrf.MissingCsrfTokenException;
				@@ -191,6 +191,12 @@ import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.TestBytes;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;

 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@ -508,6 +514,20 @@ class SpringSecurityCoreVersionSerializableTests {
				@@ -508,6 +514,20 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
 		generatorByClassName.put(HttpSessionCreatedEvent.class,
 				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
+
+		// webauthn
+		generatorByClassName.put(Bytes.class, (r) -> TestBytes.get());
+		generatorByClassName.put(ImmutablePublicKeyCredentialUserEntity.class,
+				(r) -> TestPublicKeyCredentialUserEntity.userEntity().id(TestBytes.get()).build());
+		generatorByClassName.put(WebAuthnAuthentication.class, (r) -> {
+			PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity()
+				.id(TestBytes.get())
+				.build();
+			List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
+			WebAuthnAuthentication webAuthnAuthentication = new WebAuthnAuthentication(userEntity, authorities);
+			webAuthnAuthentication.setDetails(details);
+			return webAuthnAuthentication;
+		});
 	}

 	@ParameterizedTest
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.Bytes.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.Bytes.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity.serialized
--- a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication.serialized
+++ b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication.serialized
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
				@@ -16,6 +16,8 @@

 package org.springframework.security.web.webauthn.api;

+import java.io.Serial;
+import java.io.Serializable;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Base64;
@ -28,7 +30,10 @@ import org.springframework.util.Assert;
				@@ -28,7 +30,10 @@ import org.springframework.util.Assert;
 * @author Rob Winch
 * @since 6.4
 */
-public final class Bytes {
+public final class Bytes implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -3278138671365709777L;

 	private static final SecureRandom RANDOM = new SecureRandom();

--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
				@@ -16,6 +16,8 @@

 package org.springframework.security.web.webauthn.api;

+import java.io.Serial;
+
 /**
 * <a href=
 * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a>
@ -28,6 +30,9 @@ package org.springframework.security.web.webauthn.api;
				@@ -28,6 +30,9 @@ package org.springframework.security.web.webauthn.api;
 */
 public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity {

+	@Serial
+	private static final long serialVersionUID = -3438693960347279759L;
+
 	/**
 	 * When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier
 	 * for a user account. It is intended only for display, i.e., aiding the user in
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialUserEntity.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,8 @@
				@@ -16,6 +16,8 @@

 package org.springframework.security.web.webauthn.api;

+import java.io.Serializable;
+
 /**
 * <a href=
 * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a>
@ -27,7 +29,7 @@ package org.springframework.security.web.webauthn.api;
				@@ -27,7 +29,7 @@ package org.springframework.security.web.webauthn.api;
 * @since 6.4
 * @see org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations#authenticate(org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest)
 */
-public interface PublicKeyCredentialUserEntity {
+public interface PublicKeyCredentialUserEntity extends Serializable {

 	/**
 	 * The <a href=
--- a/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthentication.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthentication.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,7 @@
				@@ -16,6 +16,7 @@

 package org.springframework.security.web.webauthn.authentication;

+import java.io.Serial;
 import java.util.Collection;

 import org.springframework.security.authentication.AbstractAuthenticationToken;
@ -33,6 +34,9 @@ import org.springframework.util.Assert;
				@@ -33,6 +34,9 @@ import org.springframework.util.Assert;
 */
 public class WebAuthnAuthentication extends AbstractAuthenticationToken {

+	@Serial
+	private static final long serialVersionUID = -4879907158750659197L;
+
 	private final PublicKeyCredentialUserEntity principal;

 	public WebAuthnAuthentication(PublicKeyCredentialUserEntity principal,