Make WebAuthnAuthenticationRequestToken Serializable

Closes gh-16481

Signed-off-by: Max Batischev <[email protected]>

Author: franticticktick

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -212,21 +212,30 @@
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
+import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
 import org.springframework.security.web.webauthn.api.Bytes;
 import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses;
 import org.springframework.security.web.webauthn.api.TestBytes;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredential;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
+import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken;
+import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
 import org.springframework.util.ReflectionUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -629,6 +638,26 @@ class SpringSecurityCoreVersionSerializableTests {
 				.allowCredentials(List.of(descriptor))
 				.build()
 		);
+
+		CredentialPropertiesOutput credentialOutput = new CredentialPropertiesOutput(false);
+		AuthenticationExtensionsClientOutputs outputs = new ImmutableAuthenticationExtensionsClientOutputs(credentialOutput);
+		AuthenticatorAssertionResponse response = TestAuthenticationAssertionResponses.createAuthenticatorAssertionResponse()
+				.build();
+		PublicKeyCredential<AuthenticatorAssertionResponse> credential = TestPublicKeyCredential.createPublicKeyCredential(
+				response, outputs)
+				.build();
+		RelyingPartyAuthenticationRequest authRequest = new RelyingPartyAuthenticationRequest(
+				TestPublicKeyCredentialRequestOptions.create().build(),
+				credential
+		);
+		WebAuthnAuthenticationRequestToken requestToken = new WebAuthnAuthenticationRequestToken(authRequest);
+		requestToken.setDetails(details);
+		generatorByClassName.put(CredentialPropertiesOutput.class, (o) -> credentialOutput);
+		generatorByClassName.put(ImmutableAuthenticationExtensionsClientOutputs.class, (o) -> outputs);
+		generatorByClassName.put(AuthenticatorAssertionResponse.class, (r) -> response);
+		generatorByClassName.put(RelyingPartyAuthenticationRequest.class, (r) -> authRequest);
+		generatorByClassName.put(PublicKeyCredential.class, (r) -> credential);
+		generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken);
 		// @formatter:on
 	}
 
@@ -643,8 +672,15 @@ void serializeCurrentVersionClasses(Class<?> clazz) throws Exception {
 			return;
 		}
 		Files.createFile(filePath);
-		Object instance = instancioWithDefaults(clazz).create();
-		assertThat(instance).isInstanceOf(clazz);
+		Object instance;
+		if (clazz.equals(PublicKeyCredential.class)) {
+			instance = instancioWithParameter((Class<PublicKeyCredential>) clazz).create();
+		}
+		else {
+			instance = instancioWithDefaults(clazz).create();
+		}
+		// Object instance = instancioWithDefaults(clazz).create();
+		// assertThat(instance).isInstanceOf(clazz);
 		try (FileOutputStream fileOutputStream = new FileOutputStream(file);
 				ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream)) {
 			objectOutputStream.writeObject(instance);
@@ -656,6 +692,14 @@ void serializeCurrentVersionClasses(Class<?> clazz) throws Exception {
 		}
 	}
 
+	private static InstancioApi<?> instancioWithParameter(Class<PublicKeyCredential> clazz) {
+		InstancioApi<?> instancio = Instancio.of(clazz).withTypeParameters(AuthenticatorAssertionResponse.class);
+		if (generatorByClassName.containsKey(clazz)) {
+			instancio.supply(Select.all(clazz), generatorByClassName.get(clazz));
+		}
+		return instancio;
+	}
+
 	@ParameterizedTest
 	@MethodSource("getFilesToDeserialize")
 	void shouldBeAbleToDeserializeClassFromPreviousVersion(Path filePath) {

config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse.serialized

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
+
 /**
  * A <a href="https://www.w3.org/TR/webauthn-3/#client-extension-output">client extension
  * output</a> entry in {@link AuthenticationExtensionsClientOutputs}.
@@ -24,7 +26,7 @@
  * @see AuthenticationExtensionsClientOutputs#getOutputs()
  * @see CredentialPropertiesOutput
  */
-public interface AuthenticationExtensionsClientOutput<T> {
+public interface AuthenticationExtensionsClientOutput<T> extends Serializable {
 
 	/**
 	 * Gets the <a href="https://www.w3.org/TR/webauthn-3/#extension-identifier">extension

config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput.serialized

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
 import java.util.List;
 
 /**
@@ -31,7 +32,7 @@
  * @since 6.4
  * @see PublicKeyCredential#getClientExtensionResults()
  */
-public interface AuthenticationExtensionsClientOutputs {
+public interface AuthenticationExtensionsClientOutputs extends Serializable {
 
 	/**
 	 * Gets all of the {@link AuthenticationExtensionsClientOutput}.

config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs.serialized

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#authenticatorassertionresponse">AuthenticatorAssertionResponse</a>
@@ -38,6 +40,9 @@
  */
 public final class AuthenticatorAssertionResponse extends AuthenticatorResponse {
 
+	@Serial
+	private static final long serialVersionUID = 324976481675434298L;
+
 	private final Bytes authenticatorData;
 
 	private final Bytes signature;