Merge branch 'fix-17729' into 7.0.x

2026-05-22 13:23:17 +00:00 · 2026-03-30 17:19:31 -06:00
parent 45758a5cec 52d98ab7af
commit 067f79dde5
4 changed files with 57 additions and 5 deletions
@@ -35,6 +35,7 @@ import org.springframework.security.web.FilterInvocation;
 */
@Deprecated
@NullUnmarked
@SuppressWarnings("serial")
 class WebExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor<FilterInvocation> {
 	private final Expression authorizeExpression;
@@ -33,10 +33,10 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
 import java.util.stream.Stream;
 import org.apache.commons.lang3.ObjectUtils;
@@ -207,10 +207,7 @@ class SpringSecurityCoreVersionSerializableTests {
 			boolean hasSerialVersion = Stream.of(clazz.getDeclaredFields())
 				.map(Field::getName)
 				.anyMatch((n) -> n.equals("serialVersionUID"));
-			SuppressWarnings suppressWarnings = clazz.getAnnotation(SuppressWarnings.class);
+			if (!hasSerialVersion && !hasSuppressSerialInSource(clazz)) {
 			boolean hasSerialIgnore = suppressWarnings == null
 					|| Arrays.asList(suppressWarnings.value()).contains("Serial");
 			if (!hasSerialVersion && !hasSerialIgnore) {
 				classes.add(clazz);
 				continue;
 			}
@@ -249,6 +246,58 @@ class SpringSecurityCoreVersionSerializableTests {
 		return classes.stream();
 	}
 	private static boolean hasSuppressSerialInSource(Class<?> clazz) {
 		try {
 			Class<?> fileClass = clazz;
 			while (fileClass.getEnclosingClass() != null) {
 				fileClass = fileClass.getEnclosingClass();
 			}
 			var codeSource = fileClass.getProtectionDomain().getCodeSource();
 			if (codeSource == null) {
 				return false;
 			}
 			Path sourceFile = findSourceFile(Path.of(codeSource.getLocation().toURI()), fileClass);
 			if (sourceFile == null) {
 				return false;
 			}
 			return hasSuppressSerialAnnotation(Files.readAllLines(sourceFile), clazz.getSimpleName());
 		}
 		catch (Exception ex) {
 			return false;
 		}
 	}
 	private static Path findSourceFile(Path start, Class<?> clazz) {
 		String relativePath = clazz.getName().replace('.', '/') + ".java";
 		Path dir = start;
 		for (int i = 0; i < 10 && dir != null; i++) {
 			for (String sourceRoot : List.of("src/main/java", "src/test/java")) {
 				Path candidate = dir.resolve(sourceRoot).resolve(relativePath);
 				if (Files.exists(candidate)) {
 					return candidate;
 				}
 			}
 			dir = dir.getParent();
 		}
 		return null;
 	}
 	private static boolean hasSuppressSerialAnnotation(List<String> lines, String simpleClassName) {
 		Pattern classDeclaration = Pattern
 			.compile("\\b(?:class|interface|enum|record)\\s+" + Pattern.quote(simpleClassName) + "\\b");
 		for (int i = 0; i < lines.size(); i++) {
 			if (classDeclaration.matcher(lines.get(i)).find()) {
 				for (int j = Math.max(0, i - 5); j < i; j++) {
 					String line = lines.get(j);
 					if (line.contains("@SuppressWarnings") && line.contains("\"serial\"")) {
 						return true;
 					}
 				}
 			}
 		}
 		return false;
 	}
 	private static String getCurrentVersion() {
 		String version = System.getProperty("springSecurityVersion");
 		String[] parts = version.split("\\.");
@@ -266,6 +266,7 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 	}
 	@SuppressWarnings("serial")
 	private static final class OAuth2AuthorizationRequestException extends AuthenticationException {
 		OAuth2AuthorizationRequestException(Throwable cause) {
@@ -185,6 +185,7 @@ public final class DPoPProofJwtDecoderFactory implements JwtDecoderFactory<DPoPP
 			return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 		}
 		@SuppressWarnings("serial")
 		private static final class JtiCache extends LinkedHashMap<String, Long> {
 			private static final int MAX_SIZE = 1000;