diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index 2b037d1e1a3..1f6f2da4233 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -196,6 +196,18 @@
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
+import org.springframework.security.web.webauthn.api.TestBytes;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
import org.springframework.util.ReflectionUtils;
import static org.assertj.core.api.Assertions.assertThat;
@@ -515,6 +527,39 @@ class SpringSecurityCoreVersionSerializableTests {
(r) -> new AuthenticationSwitchUserEvent(authentication, user));
generatorByClassName.put(HttpSessionCreatedEvent.class,
(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
+
+ // webauthn
+ CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+ CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL,
+ true);
+ Bytes id = TestBytes.get();
+ AuthenticationExtensionsClientInputs inputs = new ImmutableAuthenticationExtensionsClientInputs(
+ ImmutableAuthenticationExtensionsClientInput.credProps);
+ // @formatter:off
+ PublicKeyCredentialDescriptor descriptor = PublicKeyCredentialDescriptor.builder()
+ .id(id)
+ .type(PublicKeyCredentialType.PUBLIC_KEY)
+ .transports(Set.of(AuthenticatorTransport.USB))
+ .build();
+ // @formatter:on
+ generatorByClassName.put(AuthenticatorTransport.class, (a) -> AuthenticatorTransport.USB);
+ generatorByClassName.put(PublicKeyCredentialType.class, (k) -> PublicKeyCredentialType.PUBLIC_KEY);
+ generatorByClassName.put(UserVerificationRequirement.class, (r) -> UserVerificationRequirement.REQUIRED);
+ generatorByClassName.put(CredProtectAuthenticationExtensionsClientInput.CredProtect.class, (c) -> credProtect);
+ generatorByClassName.put(CredProtectAuthenticationExtensionsClientInput.class,
+ (c) -> new CredProtectAuthenticationExtensionsClientInput(credProtect));
+ generatorByClassName.put(ImmutableAuthenticationExtensionsClientInputs.class, (i) -> inputs);
+ generatorByClassName.put(ImmutableAuthenticationExtensionsClientInput.class,
+ (i) -> ImmutableAuthenticationExtensionsClientInput.credProps);
+ generatorByClassName.put(Bytes.class, (b) -> id);
+ generatorByClassName.put(PublicKeyCredentialDescriptor.class, (d) -> descriptor);
+ // @formatter:off
+ generatorByClassName.put(PublicKeyCredentialRequestOptions.class, (o) -> TestPublicKeyCredentialRequestOptions.create()
+ .extensions(inputs)
+ .allowCredentials(List.of(descriptor))
+ .build()
+ );
+ // @formatter:on
}
@ParameterizedTest
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.AuthenticatorTransport.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.AuthenticatorTransport.serialized
new file mode 100644
index 00000000000..183124aa4e6
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.AuthenticatorTransport.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.Bytes.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.Bytes.serialized
new file mode 100644
index 00000000000..e45bced4323
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.Bytes.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput$CredProtect.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput$CredProtect.serialized
new file mode 100644
index 00000000000..0222d302d6c
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput$CredProtect.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput.serialized
new file mode 100644
index 00000000000..0b0b44e588b
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput.serialized
new file mode 100644
index 00000000000..604e609fcaa
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs.serialized
new file mode 100644
index 00000000000..d5b3e16ebfd
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor.serialized
new file mode 100644
index 00000000000..7de3d58f80b
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions.serialized
new file mode 100644
index 00000000000..399fa412291
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialType.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialType.serialized
new file mode 100644
index 00000000000..efc9d8e3ee6
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialType.serialized differ
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.UserVerificationRequirement.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.UserVerificationRequirement.serialized
new file mode 100644
index 00000000000..7fde55c0e17
Binary files /dev/null and b/config/src/test/resources/serialized/6.5.x/org.springframework.security.web.webauthn.api.UserVerificationRequirement.serialized differ
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java
index f3fb229af1b..736a3b29609 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serializable;
+
/**
* A client extension
* input entry in the {@link AuthenticationExtensionsClientInputs}.
@@ -25,7 +27,7 @@
* @since 6.4
* @see ImmutableAuthenticationExtensionsClientInput
*/
-public interface AuthenticationExtensionsClientInput {
+public interface AuthenticationExtensionsClientInput extends Serializable {
/**
* Gets the extension
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java
index 44a26a41c12..3befaa601fc 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serializable;
import java.util.List;
/**
@@ -31,7 +32,7 @@
* @since 6.4
* @see PublicKeyCredentialCreationOptions#getExtensions()
*/
-public interface AuthenticationExtensionsClientInputs {
+public interface AuthenticationExtensionsClientInputs extends Serializable {
/**
* Gets all of the {@link AuthenticationExtensionsClientInput}.
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java
index 33e9d2123cb..0974d295697 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* AuthenticatorTransport
@@ -25,7 +28,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class AuthenticatorTransport {
+public final class AuthenticatorTransport implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -5617945441117386982L;
/**
* usbc
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
index 6fbcc3596c6..7a2c769ad40 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
@@ -28,7 +30,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class Bytes {
+public final class Bytes implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -7420539646106189663L;
private static final SecureRandom RANDOM = new SecureRandom();
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
index 22372717595..e28da6d7897 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* Implements
@@ -27,6 +30,9 @@
public class CredProtectAuthenticationExtensionsClientInput
implements AuthenticationExtensionsClientInput {
+ @Serial
+ private static final long serialVersionUID = -6418175591005843455L;
+
private final CredProtect input;
public CredProtectAuthenticationExtensionsClientInput(CredProtect input) {
@@ -43,7 +49,10 @@ public CredProtect getInput() {
return this.input;
}
- public static class CredProtect {
+ public static class CredProtect implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 109597301115842688L;
private final ProtectionPolicy credProtectionPolicy;
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
index eb656c3cdfb..ad479b4a017 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+
/**
* An immutable {@link AuthenticationExtensionsClientInput}.
*
@@ -26,6 +28,9 @@
*/
public class ImmutableAuthenticationExtensionsClientInput implements AuthenticationExtensionsClientInput {
+ @Serial
+ private static final long serialVersionUID = -1738152485672656808L;
+
/**
* https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
*/
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
index cef29f378a5..f9c43608b18 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
import java.util.Arrays;
import java.util.List;
@@ -27,6 +28,9 @@
*/
public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs {
+ @Serial
+ private static final long serialVersionUID = 4277817521578485720L;
+
private final List inputs;
public ImmutableAuthenticationExtensionsClientInputs(List inputs) {
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java
index ad454814b0f..6fbe5250ac1 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
import java.util.Set;
/**
@@ -29,7 +31,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class PublicKeyCredentialDescriptor {
+public final class PublicKeyCredentialDescriptor implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 8793385059692676240L;
private final PublicKeyCredentialType type;
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java
index b0cf592009c..9cadc1cb29f 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collections;
@@ -32,7 +34,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class PublicKeyCredentialRequestOptions {
+public final class PublicKeyCredentialRequestOptions implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -2970057592835694354L;
private final Bytes challenge;
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java
index 57f1c6ec463..99087a5d291 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* The PublicKeyCredentialType
@@ -24,7 +27,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class PublicKeyCredentialType {
+public final class PublicKeyCredentialType implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 7025333122210061679L;
/**
* The only credential type that currently exists.
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java b/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java
index adc915015b5..dcbabead87b 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* UserVerificationRequirement
@@ -24,7 +27,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class UserVerificationRequirement {
+public final class UserVerificationRequirement implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -2801001231345540040L;
/**
* The