From 34afa64c0cf4f774d85db90df73187ebca028f4a Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 5 May 2025 11:19:30 -0600
Subject: [PATCH 1/4] Add Current-Version Deserialization Test

We should test that serialized files from the current minor version
can be deserialized. This ensures that serializations remain
deserializable in patch releases.

Issue gh-3737
---
 ...gSecurityCoreVersionSerializableTests.java | 31 +++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index c4b96ab290..e8ee65af0a 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -690,7 +690,34 @@ class SpringSecurityCoreVersionSerializableTests {
 	}
 
 	@ParameterizedTest
-	@MethodSource("getFilesToDeserialize")
+	@MethodSource("getCurrentSerializedFiles")
+	void shouldBeAbleToDeserializeClassFromCurrentVersion(Path filePath) {
+		try (FileInputStream fileInputStream = new FileInputStream(filePath.toFile());
+				ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream)) {
+			Object obj = objectInputStream.readObject();
+			Class<?> clazz = Class.forName(filePath.getFileName().toString().replace(".serialized", ""));
+			assertThat(obj).isInstanceOf(clazz);
+		}
+		catch (IOException | ClassNotFoundException ex) {
+			fail("Could not deserialize " + filePath, ex);
+		}
+	}
+
+	static Stream<Path> getCurrentSerializedFiles() throws IOException {
+		assertThat(currentVersionFolder.toFile().exists())
+			.as("Make sure that the " + currentVersionFolder + " exists and is not empty")
+			.isTrue();
+		try (Stream<Path> files = Files.list(currentVersionFolder)) {
+			if (files.findFirst().isEmpty()) {
+				fail("Please make sure to run SpringSecurityCoreVersionSerializableTests#serializeCurrentVersionClasses for the "
+						+ getPreviousVersion() + " version");
+			}
+		}
+		return Files.list(currentVersionFolder);
+	}
+
+	@ParameterizedTest
+	@MethodSource("getPreviousSerializedFiles")
 	void shouldBeAbleToDeserializeClassFromPreviousVersion(Path filePath) {
 		try (FileInputStream fileInputStream = new FileInputStream(filePath.toFile());
 				ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream)) {
@@ -703,7 +730,7 @@ class SpringSecurityCoreVersionSerializableTests {
 		}
 	}
 
-	static Stream<Path> getFilesToDeserialize() throws IOException {
+	static Stream<Path> getPreviousSerializedFiles() throws IOException {
 		assertThat(previousVersionFolder.toFile().exists())
 			.as("Make sure that the " + previousVersionFolder + " exists and is not empty")
 			.isTrue();

From 65d53beff8c3c5a58883c18ef1907d7f4b029aff Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 5 May 2025 13:33:32 -0600
Subject: [PATCH 2/4] Polish Serialization Tests

- Error when public, non-ignored, serializable file is missing a sample
- Provide mechanism for creating an InstancioApi from scratch

Issue gh-17038
---
 ...gSecurityCoreVersionSerializableTests.java | 38 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index e8ee65af0a..e053a6f730 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security;
 
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -36,13 +38,17 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
+import java.util.function.Supplier;
 import java.util.stream.Stream;
 
 import jakarta.servlet.http.Cookie;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apereo.cas.client.validation.AssertionImpl;
 import org.instancio.Instancio;
 import org.instancio.InstancioApi;
@@ -63,6 +69,7 @@ import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.access.hierarchicalroles.CycleInRoleHierarchyException;
 import org.springframework.security.access.intercept.RunAsUserToken;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AccountExpiredException;
@@ -94,15 +101,19 @@ import org.springframework.security.authentication.event.LogoutSuccessEvent;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
 import org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent;
 import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent;
+import org.springframework.security.authentication.ott.DefaultOneTimeToken;
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.authorization.AuthorityAuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
+import org.springframework.security.authorization.event.AuthorizationEvent;
+import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
+import org.springframework.security.config.annotation.AlreadyBuiltException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
@@ -128,11 +139,14 @@ import org.springframework.security.oauth2.client.authentication.OAuth2Authoriza
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthenticationTokens;
 import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthorizationCodeAuthenticationTokens;
+import org.springframework.security.oauth2.client.event.OAuth2AuthorizedClientRefreshedEvent;
+import org.springframework.security.oauth2.client.oidc.authentication.event.OidcUserRefreshedEvent;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.TestOidcLogoutTokens;
 import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
 import org.springframework.security.oauth2.client.oidc.session.TestOidcSessionInformations;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistration.ClientSettings;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
@@ -148,6 +162,7 @@ import org.springframework.security.oauth2.core.TestOAuth2AuthenticatedPrincipal
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
+import org.springframework.security.oauth2.core.endpoint.TestOAuth2AccessTokenResponses;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationExchanges;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationResponses;
@@ -172,6 +187,7 @@ import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
@@ -188,8 +204,10 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2P
 import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2AuthenticationTokens;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications;
+import org.springframework.security.saml2.provider.service.authentication.TestSaml2LogoutRequests;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2PostAuthenticationRequests;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2RedirectAuthenticationRequests;
+import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
 import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
@@ -213,6 +231,7 @@ import org.springframework.security.web.savedrequest.DefaultSavedRequest;
 import org.springframework.security.web.savedrequest.SimpleSavedRequest;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
+import org.springframework.security.web.session.HttpSessionIdChangedEvent;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
@@ -234,7 +253,9 @@ import org.springframework.security.web.webauthn.api.TestAuthenticationAssertion
 import org.springframework.security.web.webauthn.api.TestBytes;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredential;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntities;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentials;
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken;
@@ -262,6 +283,8 @@ class SpringSecurityCoreVersionSerializableTests {
 
 	private static final Map<Class<?>, Generator<?>> generatorByClassName = new HashMap<>();
 
+	private static final Map<Class<?>, Supplier<InstancioApi<?>>> instancioByClassName = new HashMap<>();
+
 	static final long securitySerialVersionUid = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
 	static Path currentVersionFolder = Paths.get("src/test/resources/serialized/" + getCurrentVersion());
@@ -766,10 +789,18 @@ class SpringSecurityCoreVersionSerializableTests {
 					|| Arrays.asList(suppressWarnings.value()).contains("Serial");
 			if (!hasSerialVersion && !hasSerialIgnore) {
 				classes.add(clazz);
+				continue;
+			}
+			boolean isReachable = Modifier.isPublic(clazz.getModifiers());
+			boolean hasSampleSerialization = currentVersionFolder.resolve(clazz.getName() + ".serialized")
+				.toFile()
+				.exists();
+			if (hasSerialVersion && isReachable && !hasSampleSerialization) {
+				classes.add(clazz);
 			}
 		}
-		assertThat(classes)
-			.describedAs("Found Serializable classes that are either missing a serialVersionUID or a @SuppressWarnings")
+		assertThat(classes).describedAs(
+				"Found Serializable classes that are either missing a serialVersionUID or a @SuppressWarnings or a sample serialized file")
 			.isEmpty();
 	}
 
@@ -796,6 +827,9 @@ class SpringSecurityCoreVersionSerializableTests {
 	}
 
 	private static InstancioApi<?> instancioWithDefaults(Class<?> clazz) {
+		if (instancioByClassName.containsKey(clazz)) {
+			return instancioByClassName.get(clazz).get();
+		}
 		InstancioOfClassApi<?> instancio = Instancio.of(clazz);
 		ResolvableType[] generics = ResolvableType.forClass(clazz).getGenerics();
 		for (ResolvableType type : generics) {

From 39fdceab594e14897cef58dbf3feb790f1f56636 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 5 May 2025 13:36:21 -0600
Subject: [PATCH 3/4] Add Missing Serializable Samples

Issue gh-17038
---
 ...gSecurityCoreVersionSerializableTests.java |  80 ++++++++++++------
 ...s.CycleInRoleHierarchyException.serialized | Bin 0 -> 10740 bytes
 ...zation.event.AuthorizationEvent.serialized | Bin 0 -> 1603 bytes
 ...event.AuthorizationGrantedEvent.serialized | Bin 0 -> 1692 bytes
 ...nnotation.AlreadyBuiltException.serialized | Bin 0 -> 10715 bytes
 ...ssion.HttpSessionIdChangedEvent.serialized | Bin 0 -> 421 bytes
 ...ropertiesOutput$ExtensionOutput.serialized | Bin 0 -> 115 bytes
 7 files changed, 55 insertions(+), 25 deletions(-)
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.access.hierarchicalroles.CycleInRoleHierarchyException.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.event.AuthorizationEvent.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.event.AuthorizationGrantedEvent.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.config.annotation.AlreadyBuiltException.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.web.session.HttpSessionIdChangedEvent.serialized
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput$ExtensionOutput.serialized

diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index e053a6f730..c9843c7ed6 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -16,8 +16,6 @@
 
 package org.springframework.security;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -38,7 +36,6 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -48,7 +45,6 @@ import java.util.function.Supplier;
 import java.util.stream.Stream;
 
 import jakarta.servlet.http.Cookie;
-import org.apache.commons.lang3.ObjectUtils;
 import org.apereo.cas.client.validation.AssertionImpl;
 import org.instancio.Instancio;
 import org.instancio.InstancioApi;
@@ -139,14 +135,11 @@ import org.springframework.security.oauth2.client.authentication.OAuth2Authoriza
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthenticationTokens;
 import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthorizationCodeAuthenticationTokens;
-import org.springframework.security.oauth2.client.event.OAuth2AuthorizedClientRefreshedEvent;
-import org.springframework.security.oauth2.client.oidc.authentication.event.OidcUserRefreshedEvent;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.TestOidcLogoutTokens;
 import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
 import org.springframework.security.oauth2.client.oidc.session.TestOidcSessionInformations;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.client.registration.ClientRegistration.ClientSettings;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
@@ -162,7 +155,6 @@ import org.springframework.security.oauth2.core.TestOAuth2AuthenticatedPrincipal
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
-import org.springframework.security.oauth2.core.endpoint.TestOAuth2AccessTokenResponses;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationExchanges;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationResponses;
@@ -187,7 +179,6 @@ import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
-import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
@@ -253,9 +244,7 @@ import org.springframework.security.web.webauthn.api.TestAuthenticationAssertion
 import org.springframework.security.web.webauthn.api.TestBytes;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredential;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
-import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntities;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
-import org.springframework.security.web.webauthn.api.TestPublicKeyCredentials;
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken;
@@ -417,6 +406,9 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(OAuth2IntrospectionException.class,
 				(r) -> new OAuth2IntrospectionException("message", new RuntimeException()));
 
+		// config
+		generatorByClassName.put(AlreadyBuiltException.class, (r) -> new AlreadyBuiltException("message"));
+
 		// core
 		generatorByClassName.put(RunAsUserToken.class, (r) -> {
 			RunAsUserToken token = new RunAsUserToken("key", user, "creds", user.getAuthorities(),
@@ -508,6 +500,20 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(AuthorizationDecision.class, (r) -> new AuthorizationDecision(true));
 		generatorByClassName.put(AuthorityAuthorizationDecision.class,
 				(r) -> new AuthorityAuthorizationDecision(true, AuthorityUtils.createAuthorityList("ROLE_USER")));
+		generatorByClassName.put(CycleInRoleHierarchyException.class, (r) -> new CycleInRoleHierarchyException());
+		generatorByClassName.put(AuthorizationEvent.class,
+				(r) -> new AuthorizationEvent(new SerializableSupplier<>(authentication), "source",
+						new AuthorizationDecision(true)));
+		generatorByClassName.put(AuthorizationGrantedEvent.class,
+				(r) -> new AuthorizationGrantedEvent<>(new SerializableSupplier<>(authentication), "source",
+						new AuthorizationDecision(true)));
+		instancioByClassName.put(AuthorizationGrantedEvent.class, () -> {
+			InstancioOfClassApi<?> instancio = Instancio.of(AuthorizationGrantedEvent.class);
+			instancio.withTypeParameters(String.class);
+			instancio.supply(Select.all(AuthorizationGrantedEvent.class),
+					generatorByClassName.get(AuthorizationGrantedEvent.class));
+			return instancio;
+		});
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
@@ -561,6 +567,7 @@ class SpringSecurityCoreVersionSerializableTests {
 			token.setDetails(details);
 			return token;
 		});
+		generatorByClassName.put(Saml2LogoutRequest.class, (r) -> TestSaml2LogoutRequests.create());
 
 		// web
 		generatorByClassName.put(AnonymousAuthenticationToken.class, (r) -> {
@@ -616,20 +623,8 @@ class SpringSecurityCoreVersionSerializableTests {
 			request.addPreferredLocale(Locale.ENGLISH);
 			return new SimpleSavedRequest(new DefaultSavedRequest(request, new PortResolverImpl(), "continue"));
 		});
-
-		// webauthn
-		generatorByClassName.put(Bytes.class, (r) -> TestBytes.get());
-		generatorByClassName.put(ImmutablePublicKeyCredentialUserEntity.class,
-				(r) -> TestPublicKeyCredentialUserEntity.userEntity().id(TestBytes.get()).build());
-		generatorByClassName.put(WebAuthnAuthentication.class, (r) -> {
-			PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity()
-				.id(TestBytes.get())
-				.build();
-			List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
-			WebAuthnAuthentication webAuthnAuthentication = new WebAuthnAuthentication(userEntity, authorities);
-			webAuthnAuthentication.setDetails(details);
-			return webAuthnAuthentication;
-		});
+		generatorByClassName.put(HttpSessionIdChangedEvent.class,
+				(r) -> new HttpSessionIdChangedEvent(new MockHttpSession(), "1"));
 
 		// webauthn
 		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
@@ -686,6 +681,25 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken);
 		generatorByClassName.put(AuthenticatorAttachment.class, (r) -> AuthenticatorAttachment.PLATFORM);
 		// @formatter:on
+		generatorByClassName.put(ImmutablePublicKeyCredentialUserEntity.class,
+				(r) -> TestPublicKeyCredentialUserEntity.userEntity().id(TestBytes.get()).build());
+		generatorByClassName.put(WebAuthnAuthentication.class, (r) -> {
+			PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity()
+				.id(TestBytes.get())
+				.build();
+			List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
+			WebAuthnAuthentication webAuthnAuthentication = new WebAuthnAuthentication(userEntity, authorities);
+			webAuthnAuthentication.setDetails(details);
+			return webAuthnAuthentication;
+		});
+		// @formatter:on
+		generatorByClassName.put(CredentialPropertiesOutput.ExtensionOutput.class,
+				(r) -> new CredentialPropertiesOutput(true).getOutput());
+
+		// One-Time Token
+		DefaultOneTimeToken oneTimeToken = new DefaultOneTimeToken(UUID.randomUUID().toString(), "user",
+				Instant.now().plusSeconds(300));
+		generatorByClassName.put(DefaultOneTimeToken.class, (t) -> oneTimeToken);
 	}
 
 	@ParameterizedTest
@@ -862,4 +876,20 @@ class SpringSecurityCoreVersionSerializableTests {
 		return String.join(".", parts);
 	}
 
+	@SuppressWarnings("serial")
+	private static final class SerializableSupplier<T> implements Supplier<T>, Serializable {
+
+		private final T value;
+
+		SerializableSupplier(T value) {
+			this.value = value;
+		}
+
+		@Override
+		public T get() {
+			return this.value;
+		}
+
+	}
+
 }
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.hierarchicalroles.CycleInRoleHierarchyException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.access.hierarchicalroles.CycleInRoleHierarchyException.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..43d7d327459fd83c9d89098ee53f0a9643b66db0
GIT binary patch
literal 10740
zcmeHNU2Gjk6`t!Pj$`sqQs=jE(oIr`x^dz(KXux~wVlMN;{;zPkhT=9_l~dE-n+Zm
zo$L6979`q&Kva|>`cR>YAE62f1gM1u^_5geeSwEQ@Bl)ns1g#qAn||{!Z|auv$H?<
z`kIC(;)n6<%$ak}eCN!WIWzaie<LfRkd*zfYDPimc-869s?qCyIA=!Gu7?h5n3iqR
zC^Bap8d{+}<JguP`Yw&kp@!|!QEvi1&dJWk$bwA+=J?(_D-Qqt18e_t9fT}|WZSGY
zZ<(&;Rn3XI$DA5fgs*?D^KAE#=l>!IKb{aOir?Pe_1Lz79ly>|OwNS<b!*C{@4x%-
z{u9@4zPF4lA0sPls~%BCHjg2%gDCW%q8u0_Ybumkj(Y(nWmSQ0qefR|2*SWqq&s4k
zJvSLzHc;IEREi|-7;$NhdJI@@it0fS0z+C+T1Skm7sKkzaSx6;5gS+tu8}X0E=EQa
zSuev$c)e4UtKI8Q_gcL+BHQbD&`Em{?A{ptMsI~qJD!6O@2-cjY69A_(m7VG<IE>d
zp1i&11VR@OLVf_&-kw058(^)v_1eCpe|WKjbUjWwr~R;Iu~E|PIvyRb*QRJVM%LM`
z6-8sdRiWWHI1A2b#TZ#zq0oWo4Pn1*?V5I6s!?^<D4X#ssTRLdPtmNY@s=wzj9`+S
z(Lzunr1VclmRUi-$k~?uTIP;imhL;`hg7mE)6lV8=LUMrB#jtY=wSQACc*|bb*<V|
z#WKJ@m}48qj|Kss>}t@E96@c@GIAUhbUdK(Y{!QhqoHTHW|exdh?pOmH7Byov+?IJ
zwSC^sNKd{|O74=QsV?!nl=xT^i8Gd0aREv5azw*2c&Y2qiV|@t^l@$bAtMj8CXhO8
zgaxBUPtd6DGF_XaQk#?il{V*uu8iz1)J1knO;&*>c?F)A3hZm5fYSYpWrG7VvMJNT
zxg(RU`n;axY_ZsdMK2>8s={`3+^^6pmRr}Y((y8<XQY`Lqp@p@cvV<hphl)ePI65w
zB`blvrZh6JwwICBc1SHoFHX%;J7tuc8B+XwP@mmwhJcYRg4cxaGr@0EdayohkPidT
zX@d1g82X{I=?48%PVYY3_bNP;S?(DK$rn9NqzmEUWi3jI=ea(sn@)a9>U4h-odyGE
zv=+F4maHjzAJW;pr4Z@I+7U)Ng;b5G<2^;R4r}XSpMW*SBMcp?haqeYGVt(-NTYZ#
zxdVR?#vYoj%q6iQq|+`~E)EK`a)F1+LB9L?;b9oi>3H-0obogX>f``4A1dTCOkG-q
z80A&djKutRx9V1)3^1~a?-o-Q?x>xIj+uRCzle7rz2i7Y-;!)6@f3tWMm{Dg2|L8;
z6c(pd%<Q<sVT4eOCY!Cp)@BB-#c=O2ZNFCYy~xBJ)SM6i!Jcp#J|TE-%CtzYS}jl#
zvSZ9KI-iu1`V&dB^}vDHY*M}sO}YTP25zmU7(EJj+km0(!EqwnB*m=^Fo@EME-4N}
z6KzOJWbj3X$0t7=nz0<ufK~5QxCs*?Ms_71*%1oqCv<JT)5g3R^>DW}C*f%3*V)K|
zY=C)Zo8-J#@m&qo)n$E)%fjLk7N3F*P0`_=i+gY0GSB2jZBLDwq_AiqxaCJy`A9~d
zYzt{HH9wwu)e&xK)CSR<qoENy(>%0DI<SM~La^AQT3|KhMoK(3%Y%VGeZ_a=;x+no
zY(6V>J^fL2MLt&<Stlhrd<JP*BBnEOv=^(YsjoNpCqqq~RuU={KaNGp%TCMLJ=)gn
z;&r72NS`m}{SfDkg~bUNS!?488T7bXNl3(HzBfaRp98ubo>m0Bb~Q(EWif)^a{@;A
zIj0ca3XSa0!KG}X+Y86V+OX<iWM{K3=~7!$22O~L<N9<)r80vF@G5}HxQ6Ko9P&~*
zoT+l6A>YNF2Ty@L`9`VBN)a2?=7UJTuW*{dnggd};fsl?x}smpkmIMP6AUj#5J$3s
zB~BF&X{ghr70tofP5+eB+b*G&vz)-}A#&!a+b~imd;vD<>0(jK&EXX_2ZpseBQ02`
z?D$nak`ZltYRir|8`!7upPWpm75a5AwIhiWDN1NVtrNOY7M<}oax>nTM^Wck$qc~H
zlpj362^jgz63twObQBzzT9x=d0xv7j@FHmYA*6uw4yN>G+q5yJQGKfBr1rWGrJ7fk
zsHX0I#xR|>Ad4Dqcvj7^bzPBrJ%`QjxKJ#(zvKyC;slKFjIf>96mPC5TaQk=_==G`
zZ@QCXl2eT@27XrmI`+MkB+JqtjQ-dS@aXzB93Btw!y`Z5MGOpAGtc<ph-J@Q3?f5S
zjf>N;JHv*jTB6u0csUhtm)6gf$o>|v-<M+#d?=jEZF<QGC|+wA{l+0i?#s2SDe@Cd
zmie1)GCyn_LMUFvqL9%oek1hl)<kb}qHiJ*4=?{?PIpaQ=T(5|!NdlGVQ4k*BFs>=
zGF(W&X$$W}U{hDk(!A>-3qWs}pf%X-;qZkJWNgv#FA%an5hDF4XHerD#08EsBP%7}
z0(PZMZJPGjT`_H2_HT!1*`LxdXuw7SZmk9OK<!H`CdA_VMS$D}#=CR)4o(5kmd)aI
z1c^enNgA=s_JanT^ZX*_|KP6uQ|$T~Eb!~06~LixsQC!;DyXwJr%n<XlCXhHUxE8w
zIuG|VkUf;?wK^o_kf9f7LVl82WWOvT`fEzvu9$NHX~!h!xhJP*&Mk2$4-Y>qU;@sF
zt#2rzqLmM;4Ew)}#rLpiVnyr{Kx6IaSY(z`Nw)^}zga*82Ef)|V8NqNAy7+36WRT$
zKpfzRt?yv*(Qtwt0hufkYwsG-J+qK|?n@STUreO3CnxmN)QR{2wrEGI9D&G;uvwh%
zu{Ix{wot^P$M|gGf*cw;2a%s(^XIX67K`U}f|s#{E1Br<MV(+#9kQteGW?Rxp=Ig-
zr@j>*Lev#+i2P8g4iw0V2gh8PMQ}c$G=C9mUxsu_B(j69tBdC`HZ#NjPm~d+KQ9eb
zr2gO@n)!@Pq`L@@@II`4MF;8xw!pI@fA`E>k+-_xX_f`U%~P{3mG-2<&rzws$PzQ%
zoD})owY|8bSophAxOUm5?nPXy?%6YNfe-Je)D*92BG-q@?2GVg1;}Y-a?#tOw^;Cx
zxL_>qKv5!COTi*8bXyQSf_*$*2oCv-ICViRQul-(<fYdgHlyxHX{F4QWc8ASu}e5d
zG6-uaE#oWlz5?T=@soEEV-i$&Vac=<<8(QmWoZ@EO5HgP4swFxo2{${@uO9uL{IWm
z6*uPf03gV-5c{v;B&(qXkKU#gILY%GgR8&DWZ(~wMv8YP<wfT&!>iLJ`RIf<9sI#g
zJ&qglf)q9b)k&lHN{JC;k?~wx$dC9#Q52=w#OoX<VB-O`v>uBMjC6}1-WYv-%1Myu
z8JH#i!OmTtrIflnVt$}2bqeJ1JN?DwmFtkpD~J?+jO=LA6Wg)W6HDxXr_q0d#NxNn
zad-@ym#;wa!>D-A+}W&4g1=Ji=Y8mjnXHFg;IQvN0Cr;kKoQXaBqEPu@mMn=cn`&{
z$FUeHBtiokFg^a*DFJojUx!qjD6p74qrG$v%O<#)hs+Ug=^?JgjdE&T@wga66tacS
z33rx~fyG|Eb2n&kOj{^<4Tj*wlP-vLAb#o-3x)T`=AFu(DREDOxbc?az*QC+v4p{j
z6~L8{5r4yaP2Qf=?+LaRjfv$a?>+Hb`$l{thXuIMIBXhx=uwVP53IAKOa7Dx0sIXp
zeL_>ZMKHmi%fS|ej{j+1HTvNyBl(neS{Bw-Tt*2mWUR0h324&8u&(6ADqNXdfD1DC
zS(_*BzwrlFy2Yz}vJdlNP$U}!Dsrk-CqD7>t7Pe|fFb`mpz;|xd-!3XTQLW@gQ^`^
zz`@A2!ggh?6f8GD;1e3~tp%1F5u>$1{9TiHsOO<uxNIza|Kdc_M9bm1KpprInsXc)
zT=gYf^`%oWsJQcvAd+w_dqhIehSF#G&LkA$79*RpO))AZby<$G&U0C)0!Ek85F^X+
oN)*%y$*$y<N$yk-BqC#^7BGI>dgEr#TPNRm{g03zEd&ey0VmWb^8f$<

literal 0
HcmV?d00001

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.event.AuthorizationEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.event.AuthorizationEvent.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..568c4a3ac20bce16fcb82e8b004f27231125c6e3
GIT binary patch
literal 1603
zcmb7EJ7^S96urCIWV3{PHKIbS60wjOv@}gVu8T4xA+syGis9|-%leY}<;|O95=o3A
z_yHp*iXs+TiP~yuYatez+9I{4v9VF`zS&)7Him>uG4L+;bM86ky?2|?>~R=%ct!DC
z&g{xGCl+0B_^jel!{<yaD#RC89nO}BV2-WOd1?z~I3CN&(9Mf~Tdv>xIG2Q^1|6~n
zgUkqv1oUY$WS*$LV5U0l+lFkV>b~omjPgMZS~&H5QwSK+5R1A6i(1E`HegX3P)vp$
z1_KVqw_C?>Y(WD=E@xI@g}6(%eoWoTec4Dt;v8fIv#2MC<zky&30aYll`wO>G(!!c
z-Or32w3c5d0Rk5w@#N*N%q!&Z@^(Y(xD`DlSFcfueADxkdq{##IU^>LTQX@LM|=J8
zNS&el(%}zp*V->2NDZ3jiRn`TJylLkVpr5Ew!y$fB;z|GX;eljc$C{H`2_Jil)Wq|
zjfBfPv($$0OPZmwZ3d@hnLtc$4ptzoK}POoFqfEN0GZ3}1;KF16Py@go5|~Mj;+|a
zaz_%HiqIZIPRkm!$us&=Fr*C*#0)m-m?kQP?4q;MWhw}(feqXQ5_B{YHcIvS3%2Ey
z*))?<Xv`CTItNa?|GCx`lAba#BA_caM&^We+r3>h=FkYNe!lYiNZ2%CNXFVi)%HbQ
zhB+sTvU_mjTi>%!<V6!C&O*v#OH^785(_E$$4y3dB-%im)o(A}W1U&9NpqawMF@44
z<Sj<(qP0@oF}FBN7xGy^X9>tmj%(Sef}WiWB<>zpy6xod5PbAlO@+{J(a3ZWx`|;p
zzAeTaI~%wR-BpCHD5g2atPJ(Wd>2nmQ(NlwpC3A7Lg`eX5nA1v#U=Lrc$ToF^}{nd
z13%nnAkraHt<fCVZ?*5?*9Xs63-T3^^_^JR9aZKzrI_{o>BOVQo3}4D$+rSC&g`A5
zet9iIp++6cC7cL{NBm*isuv`N-atUdHQRCA<@%}uQgTZiJ+$NK+EuDO@wJiF(`jlj
X`B1H&+OS&5T|na&Azi7u2wD3Fm7qFw

literal 0
HcmV?d00001

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.event.AuthorizationGrantedEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.authorization.event.AuthorizationGrantedEvent.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..6d3ca9608f9cacaa523776a846715debb31b4d0c
GIT binary patch
literal 1692
zcmbtVO-vI}5T2GIG{~Q%L{0Dn#)H{LkCGUEtc_#?gtkV}Kwh^Ge6ZbJ-oAx`0nwPC
zCSsz|Xp9GMMvXT;di7vDC}&JKD;F<bG;wCzx-Ak2aSu)2?7W$8zVGYo>rJS2B@Ebd
zQga<CtjP(<@_f#g)0)c-PYN}!F;88wrC4A}*p|j;xuvw;%2-k|OYvNS-mK)pUt_1o
z*24e=3H|?9*splw;_rRe?!2D~Ls*9<0)uUY;iFN|p--_{7Wb4e;}f1`5XN}Qa~xA}
z*{#Dq$z9J>3VL+J65ldpygX#QYRGuicq4v=ZXD<McH<Z}4qre@sAmzDk2`zw+xV^I
zr;RX#1|X_Lp1X?W9V`<g$QnV`{LG>36gQN9H#&GQzxaZfa{xk*p8trxL2)i`*R+gV
zOZlp$N?IY`{5+Q~l91w3FcVeFnmmoI-OkELnW6N;;difA8!sS89cpKp>2U=IikzCv
znv55*br&2&GPEO-YGt&H%cX^08fLDGe##N0fpBSinp@yMVbfQ(!H_&h3Cwh7U<vAV
zh|+9^aG2=_kh$bu5cFnUC7GeN>Ad#x*pijZHHD#O6dEg#^PCP1bVkD~fwVz;g~9r5
z(?q3^U36Amjw>cgU<*zN2|5}G8>G6O87pt+#DpLzbm6LB&0QzneqU|zNspKqQP5J+
zhH`wn?OrZubEprNKaTx8;uj4W#MpjcwYH#2uas<_su!+*>3H&iJ*$DxIf%Gofs^GR
zG#8;?oTP6@q7AfJc`e|ANQt~-^3oO{wu!v?KwY#}MB3&SXQdSF8+4X}=*W<s7|)~<
zBL%|U=8)S??he62kCjyL{T8&W8--S87`A7rLEB0c9D(i{g_a<u+r~77VimrtOs(S<
z>Gh8vnk$4#afL>xcS;r~>@hqOEV90TMrYuI^K=C|1gce=1M4k!-2Z&<>2ij)0NroF
zo2|jkwB#JK)*lZ)c(}Q8sfKn1W}MwSSDk-_>bLU_lT6t%;1A0dy+9b+3ksU9TDI*h
vmPb_(p((L-&yKB2f2Gp5qtvo^I>QY?i)!uEM!ufi1~l#{)J+z@CCJ(zGiF^1

literal 0
HcmV?d00001

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.config.annotation.AlreadyBuiltException.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.config.annotation.AlreadyBuiltException.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..d3344aeda54a287d2730736f895487bb3cf89a2f
GIT binary patch
literal 10715
zcmeGiTWlRib?hXL6Po6M)1-0QH0dUxL|r>^p0%6A^&@d{;>g!dp)XkP9bd1#cXzWp
z*Rdm>N<nH7q6HDu2vvLp5aRLEpadku52=v)10Vh11H=z0LgJ_VA%$?x%<Sy!<6d8r
z@I`+1?#`S!=gc{0&TH;Z|3OwoAsO_;iWvo=<5i|Zt4c5W;hY&!yB0cZ(X@SU+Nqe9
z=lRTHj_;ZMZb+^2;&U~}WkU-#4RG}5$3L>Kb&R~;O2|S;cFbDymg!nv#T;>6TCv;`
zET#(j_6w7@uMU57T0n10pvP+-bE*m8JD+Vkwf5lUzY4&QCx8mo@9*q5zO8rrZ*ve6
zGogRcnsVs}?;YBE?BdP$SCEyXWR-2zBFf0-QN-1SEOsf#-choyOqu1lXJ`~z6@c5M
z!Ic=wsP`qZHe!}NHxXJkKs^3Z3M8Hwa%q)%3{ZANwIB!qAuTJeBStoeWi{rwU87FK
zdKZEV<cnktBde=|dM%8R3sHg$CDj;t>+mQ0`tIyHhMNxvA=f~ior#cg3#>J_uI@Sf
zr?0k>_UB03v>#S2HbU0Ajz`bds#7!^CF^b1ilR~9D%0>RSOfCZHcB2YQ<%X058%8U
zZJ%~rszI%-Qa0n4QzL%4mV#MV<s;{57=hhzL<>O+AuVq+vcd`iMou*}$P%~IlC;kO
zKco^>iH45lI+sxA6EtEV<F4j`O%xkw#kHzaWy=5!GsiX#9tr}!*>%7nIf&e@XXGd{
z=y(9**^UoyjE0`&nicBN&|-dQR-MQ;PsN{u)b{x}BU|!=l5)FTO?8UTONz(qP@J*6
zvI~+lCnFk`z|LHUmKBL}p>KmJ`5_}uHU^M9Yyy*4tH)_nbD7S~VaZM3f5pvd!7C#>
z3we>#l9M&SNuGhrl7T&S7*M<qTQ(RlBORF$jvbL~)A#ivM~jaq@UfGTjTNCgde$$~
z^OjrFwbJ?~hi9Z78zZr440#neTEIqTL~e3jOeIT!TvZ(H#<x9;JY<8{Wpr$6mf9($
z+{}RD=TrLbW-|bcY!$f1eV++@BhrHPW&L~^SWX>T4~3y0DxGfBKjrowf!I-YFgjT7
zFgVpQj|1sMxO-WTl;VAE$nvIx-;z8%UWcdtz!|9qE=WthDSaQ%(Og#&;V1eKBW;4J
z2Gsh#0@{FY8^P1V8RH&?4%EUBoV#>9+#}K`Ufg>3?%jWb8+&@TJeT-}kWRaxIrA*|
zm3exG`^kP=98baXWA&z_I9EH~ygx^~8Ck<!{FH@(tZn}hv)k+uP72}xIm5$9FY??6
z(_#^R9mmIs1aKelxWACcL5eY(fwM2-b7!MzC2(#&8Ir9>f#lXCKE*N-R2cb~c&U#A
zoN()1+y*$|F0_H!n&&Vxa4m+x43d><)%PM3gQ__$Bo5{`37-%RIx-_tt`7+j3EHs|
z(cSk+N<9gs*;?R$vo|R}*d|?oFvOE0v3dkFWb-TuGK}m{ti}MnGA-+rV!t-t1f_%q
zKed>D`QgBf<#-0T5vR=cmH;ubBl*a#P?8?gx%plb`)1U`@NG^&w&vF$50nG2@9dD=
z_Zl81kzJkEw>d3*OyFY@BBX-DAdbO2ubEeKt2$GwCMb9T@Rs?N6~2;@7n_nasG8@u
zUS)`D8o5Df&e70_jcFc6Bpm3$a>4uTQX_DLax0}gHp@)IpFZz9Wx=V@t;^;W$?M5`
z<rVR~!pM3_(cwEt(-J{~ky2B%Vk=ksj4e<N&~jpRNPZk2DJwfEclYc)Q7p#&G{=n(
z9$>~9dDzAi((iG$=JaSTA`g#20vMO|>w0)uVf!4uakZoX&MyV<M-IRUPn?9$%6O78
zjqK3Dqimwt3v<A?K{dh1WA&z_Nj;iUZ~|-`)weSundwgiuN<iKYgn;B)@aT+kk5wp
zjAKJ~tIDJSA8I-qScSuyAC$bT7QQhh=?|2gTzsoSx-D!mVO3}JjSM(`hC0CDQUI|h
z>s{tnG3!H~Cah=<l0p4bZm&~{TJCZj%aI5IySr!{)>#z7Mm~91zL49)x6~dM@NJQi
z2B=ede4VdkL<>(%=@EAWIRyU5&9qseU-MECNu;<)p$WE*Eo;Z$%<XtnUWz)#a%KU3
zrtIKJ4#3E#m#O9w)VE;3(9Jll89FLnIBh?KnsVO3D&K4xHkN5ro2ojgSofi1^ZYW|
z)XmQrq|+9ZWrK^JRdsBgSH!-Ulg%GEQG9%(7=RB$KE+GSW_(i|T#>f!op$gOBO`Bm
zlFKB=T2-;et?jL(`j+-!^u%U>iR}$Y9{2I&k*9YN1I1O%VLu$Q?3uA3GSsUvHVx4k
z0-hR)Vy#$^at90vXL3_=3()V$p$9w^Qhl4Aa{`Ke5~Ii1&&VUWaka(o79oGPN#qBN
z{kWW$e}#x{aX0dIW1t%x=sO5>1t0%oO!tjk+h;&bpGb7jABNT<_QnkLR)P)(WLwx|
zfuOF2rFu6&6@b<-POA{@A^F1HXB6G~FCelvAtLQ4r%>ZG_ysO!=*UUD1?XBjnpEwP
z`=Z*W^xq87ioc}Apb0h-;?_nW25Mj8Frh4dSR{};fOuz4zWq}mXv=2tIf6nVJ0z9Z
zZu`L^B$9p+@_%yEeix^%!vVh-S^*?=1NB#sE5Od~96O0;NZbY@y#g&?Iu8vWs2)o6
zLJg{XDESLGAwSC;vR@Se{XNBQdyKgNv~>db+?C@qXO_5>yN4eaAOT~<(Vr-wqLUA&
z4Ck-m;|KVtqeYw&g2uOB;3IRCT6AsT{EY%2Pymkp5+B?f6$)zE(nNH>E+7YT#L?g2
z<KE;15do1b;cM?3&;zxQ2j)wbHec*aWiuzV(^N*h4@Y=S`zF4<l>-o!5e|#|9^Wp-
z*%p#mcHx2;zMx|e^$8At2_Ij^$5(U!&KhSj;o-6lup|%JQUXbQO~=r%bbzFC)ra79
z#kC?&Dpf*(n7DJyxmgs>Q#j2z=bL;3$|+IE_Pef5{`(3p+2Q}Elu;13mnT$&{@Vj-
z=1V$J?xJ{v_2JvsbwM4&5h&^SMQWx+-l)S<uL_3FQ@trw_N3fTd{H>G%t|*$Mc$uv
z7Ecrte^2gSYqqJrh-=k6dj=Z#a3M=gaXlw$eQ0KnL8l99T3K8?(O|ZiFn1N`6<Su{
zV<qyD5{qc)HUM}AmuMLB6>+LTEK2tTAJnB69X6viVN1M7R##K#yM%Ehi;!fB%eY0}
zU7)<Q{A4d;R0<VtSTZBUa+*}TT!(Btoa3O20~B|*vK+)WRS6SYlKZK6FwX}Ff_xr)
z{{`G+CA8oc-LwKHxvyi;`io2k_5fw1xMxyU^!y~;I-Qf3PT1+-H-PH4-H;7Z2nK4B
zMsZ7t5o3w<oLi`m_(f3^rP0La95-NNg4)u7kIjs%#ok5~8QtB=ND$~%*d_1k-{)OQ
zsw*Sr2Rc(HfFAGZFHNshgIZpRNXd_p?R92iJ+^el6vbsL+KagH#J6YhkttPD*P=LI
zbU#V<@r-`}=LhQn!6hb64ddffArMO404eYrN+|^={*Or6i2{q+Gurj!pd5mBI+T0Z
zS_fwo4@zTbkJrT;M<QFf{taNFWj8+d=#x8vgCm-C=Q$YgfvE*yyy6c(F;TcQtUsxg
zkRtaokUQIu9O!ppF{aR8wgTwm81Xk8vgE=@{j1>7qBSx7<dTNKjr(1ozX@-%;nXZF
z9xx5Q^e~rDCmfDsO8%h-1^7EybWCHqfd{~U#X;OaYkh&g8a>c|NIs>WR)jTA*TQQV
zEi8uusuYN9m)%h4bDV*$7W_TU6HROUo0U$h!Z(Ytx1|RjiC4$1o@g|Q_wu~|E3Fk|
zh^{2@hI03C6Xcf7er}*DYzlEOvaN7jX-mZz<mM6({FEm6#so`?5u;VOa&zG#3J(YO
zx58v&>U)<4k}6sWmsu)HM`liQ(V)X<If0Lpu~0Ew4xuC=mwHBupb4f=@o*v-;~FEI
zvqP~|S`O;8#J|0e1$03zgN&@iJ|=*~f2rg}iVQCxhsYSJ28_2zFWua7z3)fw{F(n1
GaN$2FnHRbM

literal 0
HcmV?d00001

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.session.HttpSessionIdChangedEvent.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.session.HttpSessionIdChangedEvent.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..01791e9a4b5944ec1aa4436ef1d18589002f4700
GIT binary patch
literal 421
zcmZ4UmVvdnh`}kpC|$3(peQphJ*_A)H?=&!C|j>MHMz7Xv!qh5JT(c(DK5^;&(rfL
zDJcksusu_pGZORCQ&U{aQu9hSbjc=d7P@N9#K7dkz>}9+4p&veAmo#kSeB@t15~Xa
zTmrJi8mJ~eCk3vikfDx&v7(5<9<M`^^NUj9E`jSsc16Y~rn*I)K986f7=WhP5pSAf
zQgKO9VsZ)8RIry8bozcjVqL%qF-!-WVafS<C8-r9dX5DJIho0cCBPs8YfWl-9pB-8
z_8}7kqZb2bNoH<paY<rs0nkmNprFtzEy>K$1FQ5;%1TWx@#*FClgO=I0kW!qfq`+_
O!cQC@N*EXoK^Oq<r<?o$

literal 0
HcmV?d00001

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput$ExtensionOutput.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.CredentialPropertiesOutput$ExtensionOutput.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..2ff01fc9d19abc205bb2927323a61a932205a7f8
GIT binary patch
literal 115
zcmZ4UmVvdnh#?}sC|$3(peQphJ*_A)H?=&!C|j>MHMz7Xv!qh5JT(b~6H7}n^7Il5
zGWDE`Qd3g%N-`630*dkrQj1D5Q;YpeOA1O$R9q`cQuB&4^Yb8ldwY#P-vrHsnHU(O
L7?_H(D+(9^Dt9X>

literal 0
HcmV?d00001


From c3c2bcd6b7240fee6d5bc9c90be2c9023badcc75 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 5 May 2025 12:19:55 -0600
Subject: [PATCH 4/4] Ignore Serialization in Test Components

Since we don't need to ensure the serializability of test components
across versions, we can ignore missing version UIDs when those
test components aren't about testing Java serialization.

Issue gh-17038
---
 .../SpringSecurityCoreVersionSerializableTests.java    | 10 ++--------
 .../config/annotation/method/configuration/Authz.java  |  1 +
 .../access/annotation/BusinessServiceImpl.java         |  5 +----
 .../ExpressionProtectedBusinessServiceImpl.java        |  5 +----
 .../access/annotation/Jsr250BusinessServiceImpl.java   |  5 +----
 5 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index c9843c7ed6..2712617475 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -740,17 +740,11 @@ class SpringSecurityCoreVersionSerializableTests {
 		}
 	}
 
-	static Stream<Path> getCurrentSerializedFiles() throws IOException {
+	static Stream<Path> getCurrentSerializedFiles() throws Exception {
 		assertThat(currentVersionFolder.toFile().exists())
 			.as("Make sure that the " + currentVersionFolder + " exists and is not empty")
 			.isTrue();
-		try (Stream<Path> files = Files.list(currentVersionFolder)) {
-			if (files.findFirst().isEmpty()) {
-				fail("Please make sure to run SpringSecurityCoreVersionSerializableTests#serializeCurrentVersionClasses for the "
-						+ getPreviousVersion() + " version");
-			}
-		}
-		return Files.list(currentVersionFolder);
+		return getClassesToSerialize().map((clazz) -> currentVersionFolder.resolve(clazz.getName() + ".serialized"));
 	}
 
 	@ParameterizedTest
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java
index 145f344d12..5b6c784c7f 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/Authz.java
@@ -55,6 +55,7 @@ public class Authz {
 		return Mono.just(checkResult(result));
 	}
 
+	@SuppressWarnings("serial")
 	public static class AuthzResult extends AuthorizationDecision {
 
 		public AuthzResult(boolean granted) {
diff --git a/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java
index 587e795f5a..1bcf1ba84d 100644
--- a/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java
+++ b/core/src/test/java/org/springframework/security/access/annotation/BusinessServiceImpl.java
@@ -16,18 +16,15 @@
 
 package org.springframework.security.access.annotation;
 
-import java.io.Serial;
 import java.util.ArrayList;
 import java.util.List;
 
 /**
  * @author Joe Scalise
  */
+@SuppressWarnings("serial")
 public class BusinessServiceImpl<E extends Entity> implements BusinessService {
 
-	@Serial
-	private static final long serialVersionUID = -4249394090237180795L;
-
 	@Override
 	@Secured({ "ROLE_USER" })
 	public void someUserMethod1() {
diff --git a/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java
index 1ca226709b..1c6fd2a84e 100644
--- a/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java
+++ b/core/src/test/java/org/springframework/security/access/annotation/ExpressionProtectedBusinessServiceImpl.java
@@ -16,7 +16,6 @@
 
 package org.springframework.security.access.annotation;
 
-import java.io.Serial;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -24,11 +23,9 @@ import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
 
+@SuppressWarnings("serial")
 public class ExpressionProtectedBusinessServiceImpl implements BusinessService {
 
-	@Serial
-	private static final long serialVersionUID = -3320014879907436606L;
-
 	@Override
 	public void someAdminMethod() {
 	}
diff --git a/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java b/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java
index 6d9f34ac61..4eba9445a6 100644
--- a/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java
+++ b/core/src/test/java/org/springframework/security/access/annotation/Jsr250BusinessServiceImpl.java
@@ -16,7 +16,6 @@
 
 package org.springframework.security.access.annotation;
 
-import java.io.Serial;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -27,11 +26,9 @@ import jakarta.annotation.security.RolesAllowed;
  * @author Luke Taylor
  */
 @PermitAll
+@SuppressWarnings("serial")
 public class Jsr250BusinessServiceImpl implements BusinessService {
 
-	@Serial
-	private static final long serialVersionUID = -7550211450382764339L;
-
 	@Override
 	@RolesAllowed("ROLE_USER")
 	public void someUserMethod1() {