diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java index cc53b8e159..7f4d78f41b 100644 --- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java +++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java @@ -212,21 +212,30 @@ import org.springframework.security.web.server.firewall.ServerExchangeRejectedException; import org.springframework.security.web.session.HttpSessionCreatedEvent; import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs; +import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs; +import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse; import org.springframework.security.web.webauthn.api.AuthenticatorTransport; import org.springframework.security.web.webauthn.api.Bytes; import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput; +import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput; import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput; import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs; +import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs; import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity; +import org.springframework.security.web.webauthn.api.PublicKeyCredential; import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor; import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions; import org.springframework.security.web.webauthn.api.PublicKeyCredentialType; import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity; +import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses; import org.springframework.security.web.webauthn.api.TestBytes; +import org.springframework.security.web.webauthn.api.TestPublicKeyCredential; import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions; import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity; import org.springframework.security.web.webauthn.api.UserVerificationRequirement; import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication; +import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken; +import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest; import org.springframework.util.ReflectionUtils; import static org.assertj.core.api.Assertions.assertThat; @@ -629,6 +638,26 @@ class SpringSecurityCoreVersionSerializableTests { .allowCredentials(List.of(descriptor)) .build() ); + + CredentialPropertiesOutput credentialOutput = new CredentialPropertiesOutput(false); + AuthenticationExtensionsClientOutputs outputs = new ImmutableAuthenticationExtensionsClientOutputs(credentialOutput); + AuthenticatorAssertionResponse response = TestAuthenticationAssertionResponses.createAuthenticatorAssertionResponse() + .build(); + PublicKeyCredential credential = TestPublicKeyCredential.createPublicKeyCredential( + response, outputs) + .build(); + RelyingPartyAuthenticationRequest authRequest = new RelyingPartyAuthenticationRequest( + TestPublicKeyCredentialRequestOptions.create().build(), + credential + ); + WebAuthnAuthenticationRequestToken requestToken = new WebAuthnAuthenticationRequestToken(authRequest); + requestToken.setDetails(details); + generatorByClassName.put(CredentialPropertiesOutput.class, (o) -> credentialOutput); + generatorByClassName.put(ImmutableAuthenticationExtensionsClientOutputs.class, (o) -> outputs); + generatorByClassName.put(AuthenticatorAssertionResponse.class, (r) -> response); + generatorByClassName.put(RelyingPartyAuthenticationRequest.class, (r) -> authRequest); + generatorByClassName.put(PublicKeyCredential.class, (r) -> credential); + generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken); // @formatter:on } diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized new file mode 100644 index 0000000000..64a8173e8e Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized new file mode 100644 index 0000000000..78ddecc042 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized new file mode 100644 index 0000000000..e35a639cca Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized new file mode 100644 index 0000000000..6b2e6a8cc3 Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized new file mode 100644 index 0000000000..5945cd459a Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized differ diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized new file mode 100644 index 0000000000..34f07eca8f Binary files /dev/null and b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized differ diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java index c635acf2d0..5eadabcaf8 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutput.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; + /** * A client extension * output entry in {@link AuthenticationExtensionsClientOutputs}. @@ -24,7 +26,7 @@ * @see AuthenticationExtensionsClientOutputs#getOutputs() * @see CredentialPropertiesOutput */ -public interface AuthenticationExtensionsClientOutput { +public interface AuthenticationExtensionsClientOutput extends Serializable { /** * Gets the extension diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java index 54038e9588..8f1adccf05 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientOutputs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; import java.util.List; /** @@ -31,7 +32,7 @@ * @since 6.4 * @see PublicKeyCredential#getClientExtensionResults() */ -public interface AuthenticationExtensionsClientOutputs { +public interface AuthenticationExtensionsClientOutputs extends Serializable { /** * Gets all of the {@link AuthenticationExtensionsClientOutput}. diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java index 5d4609951f..045384128f 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; + /** * The AuthenticatorAssertionResponse @@ -38,6 +40,9 @@ */ public final class AuthenticatorAssertionResponse extends AuthenticatorResponse { + @Serial + private static final long serialVersionUID = 324976481675434298L; + private final Bytes authenticatorData; private final Bytes signature; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorResponse.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorResponse.java index 29f34751cd..522f2d0874 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorResponse.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorResponse.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serializable; + /** * The AuthenticatorResponse @@ -26,7 +28,7 @@ * @author Rob Winch * @since 6.4 */ -public abstract class AuthenticatorResponse { +public abstract class AuthenticatorResponse implements Serializable { private final Bytes clientDataJSON; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java index 193fe6cbb4..45deb043b5 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredentialPropertiesOutput.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * CredentialPropertiesOutput @@ -27,6 +30,9 @@ public class CredentialPropertiesOutput implements AuthenticationExtensionsClientOutput { + @Serial + private static final long serialVersionUID = -3201699313968303331L; + /** * The extension id. */ @@ -59,7 +65,10 @@ public ExtensionOutput getOutput() { * @since 6.4 * @see #getOutput() */ - public static final class ExtensionOutput { + public static final class ExtensionOutput implements Serializable { + + @Serial + private static final long serialVersionUID = 4557406414847424019L; private final boolean rk; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java index b1b74d48bf..2e35bf4cfe 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientOutputs.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; import java.util.Arrays; import java.util.List; @@ -26,6 +27,9 @@ */ public class ImmutableAuthenticationExtensionsClientOutputs implements AuthenticationExtensionsClientOutputs { + @Serial + private static final long serialVersionUID = -4656390173585180393L; + private final List> outputs; public ImmutableAuthenticationExtensionsClientOutputs(List> outputs) { diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java index ac04b22f0f..541801b819 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.api; +import java.io.Serial; +import java.io.Serializable; + /** * PublicKeyCredential * contains the attributes that are returned to the caller when a new credential is @@ -24,7 +27,10 @@ * @author Rob Winch * @since 6.4 */ -public final class PublicKeyCredential { +public final class PublicKeyCredential implements Serializable { + + @Serial + private static final long serialVersionUID = -1864035469276082606L; private final String id; @@ -34,7 +40,7 @@ public final class PublicKeyCredential { private final R response; - private final AuthenticatorAttachment authenticatorAttachment; + private final transient AuthenticatorAttachment authenticatorAttachment; private final AuthenticationExtensionsClientOutputs clientExtensionResults; diff --git a/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationRequestToken.java b/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationRequestToken.java index a885ed7549..7b851b74c2 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationRequestToken.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationRequestToken.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,8 @@ package org.springframework.security.web.webauthn.authentication; +import java.io.Serial; + import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest; @@ -30,6 +32,9 @@ */ public class WebAuthnAuthenticationRequestToken extends AbstractAuthenticationToken { + @Serial + private static final long serialVersionUID = -1682693433877522403L; + private final RelyingPartyAuthenticationRequest webAuthnRequest; /** diff --git a/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java b/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java index 1dd1a66c84..62565d7f5c 100644 --- a/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java +++ b/web/src/main/java/org/springframework/security/web/webauthn/management/RelyingPartyAuthenticationRequest.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.security.web.webauthn.management; +import java.io.Serial; +import java.io.Serializable; + import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse; import org.springframework.security.web.webauthn.api.PublicKeyCredential; import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions; @@ -29,7 +32,10 @@ * @since 6.4 * @see WebAuthnRelyingPartyOperations#authenticate(RelyingPartyAuthenticationRequest) */ -public class RelyingPartyAuthenticationRequest { +public class RelyingPartyAuthenticationRequest implements Serializable { + + @Serial + private static final long serialVersionUID = -928083091875202086L; private final PublicKeyCredentialRequestOptions requestOptions; diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java new file mode 100644 index 0000000000..a81b0d06ab --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestAuthenticationAssertionResponses.java @@ -0,0 +1,37 @@ +/* + * Copyright 2002-2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.webauthn.api; + +/** + * @author Max Batischev + */ +public final class TestAuthenticationAssertionResponses { + + public static AuthenticatorAssertionResponse.AuthenticatorAssertionResponseBuilder createAuthenticatorAssertionResponse() { + return AuthenticatorAssertionResponse.builder() + .authenticatorData(Bytes.fromBase64("SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA")) + .clientDataJSON(Bytes.fromBase64( + "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaDB2Z3dHUWpvQ3pBekRVc216UHBrLUpWSUpSUmduMEw0S1ZTWU5SY0VaYyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0")) + .signature(Bytes.fromBase64( + "MEUCIAdfzPAn3voyXynwa0IXk1S0envMY5KP3NEe9aj4B2BuAiEAm_KJhQoWXdvfhbzwACU3NM4ltQe7_Il46qFUwtpuTdg")) + .userHandle(Bytes.fromBase64("oWJtkJ6vJ_m5b84LB4_K7QKTCTEwLIjCh4tFMCGHO4w")); + } + + private TestAuthenticationAssertionResponses() { + } + +} diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java index f2f919b3da..5ae19ac23c 100644 --- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java +++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredential.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2024 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -38,6 +38,17 @@ public static PublicKeyCredential.PublicKeyCre .clientExtensionResults(clientExtensionResults); } + public static PublicKeyCredential.PublicKeyCredentialBuilder createPublicKeyCredential( + R response, AuthenticationExtensionsClientOutputs outputs) { + return PublicKeyCredential.builder() + .id("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM") + .rawId(Bytes + .fromBase64("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM")) + .response(response) + .type(PublicKeyCredentialType.PUBLIC_KEY) + .clientExtensionResults(outputs); + } + private TestPublicKeyCredential() { }