Mark Serialization Support for Events

Issue gh-16276

Author: jzheaux

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,6 +54,7 @@
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AssignableTypeFilter;
+import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.intercept.RunAsUserToken;
@@ -73,16 +74,33 @@
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent;
+import org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
+import org.springframework.security.authentication.event.LogoutSuccessEvent;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
+import org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent;
+import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent;
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.core.session.AbstractSessionEvent;
 import org.springframework.security.core.session.ReactiveSessionInformation;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -163,13 +181,16 @@
 import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent;
+import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;
 import org.springframework.security.web.authentication.www.NonceExpiredException;
 import org.springframework.security.web.csrf.CsrfException;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.InvalidCsrfTokenException;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
+import org.springframework.security.web.session.HttpSessionCreatedEvent;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@@ -200,6 +221,8 @@ class SpringSecurityCoreVersionSerializableTests {
 
 	static {
 		UserDetails user = TestAuthentication.user();
+		Authentication authentication = TestAuthentication.authenticated(user);
+		SecurityContext securityContext = new SecurityContextImpl(authentication);
 
 		// oauth2-core
 		generatorByClassName.put(DefaultOAuth2User.class, (r) -> TestOAuth2Users.create());
@@ -375,6 +398,37 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new UsernameNotFoundException("error", new RuntimeException()));
 		generatorByClassName.put(TestingAuthenticationToken.class,
 				(r) -> applyDetails(new TestingAuthenticationToken("username", "password")));
+		generatorByClassName.put(AuthenticationFailureBadCredentialsEvent.class,
+				(r) -> new AuthenticationFailureBadCredentialsEvent(authentication,
+						new BadCredentialsException("message")));
+		generatorByClassName.put(AuthenticationFailureCredentialsExpiredEvent.class,
+				(r) -> new AuthenticationFailureCredentialsExpiredEvent(authentication,
+						new CredentialsExpiredException("message")));
+		generatorByClassName.put(AuthenticationFailureDisabledEvent.class,
+				(r) -> new AuthenticationFailureDisabledEvent(authentication, new DisabledException("message")));
+		generatorByClassName.put(AuthenticationFailureExpiredEvent.class,
+				(r) -> new AuthenticationFailureExpiredEvent(authentication, new AccountExpiredException("message")));
+		generatorByClassName.put(AuthenticationFailureLockedEvent.class,
+				(r) -> new AuthenticationFailureLockedEvent(authentication, new LockedException("message")));
+		generatorByClassName.put(AuthenticationFailureProviderNotFoundEvent.class,
+				(r) -> new AuthenticationFailureProviderNotFoundEvent(authentication,
+						new ProviderNotFoundException("message")));
+		generatorByClassName.put(AuthenticationFailureProxyUntrustedEvent.class,
+				(r) -> new AuthenticationFailureProxyUntrustedEvent(authentication,
+						new AuthenticationServiceException("message")));
+		generatorByClassName.put(AuthenticationFailureServiceExceptionEvent.class,
+				(r) -> new AuthenticationFailureServiceExceptionEvent(authentication,
+						new AuthenticationServiceException("message")));
+		generatorByClassName.put(AuthenticationSuccessEvent.class,
+				(r) -> new AuthenticationSuccessEvent(authentication));
+		generatorByClassName.put(InteractiveAuthenticationSuccessEvent.class,
+				(r) -> new InteractiveAuthenticationSuccessEvent(authentication, Authentication.class));
+		generatorByClassName.put(LogoutSuccessEvent.class, (r) -> new LogoutSuccessEvent(authentication));
+		generatorByClassName.put(JaasAuthenticationFailedEvent.class,
+				(r) -> new JaasAuthenticationFailedEvent(authentication, new RuntimeException("message")));
+		generatorByClassName.put(JaasAuthenticationSuccessEvent.class,
+				(r) -> new JaasAuthenticationSuccessEvent(authentication));
+		generatorByClassName.put(AbstractSessionEvent.class, (r) -> new AbstractSessionEvent(securityContext));
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
@@ -448,6 +502,12 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(RequestRejectedException.class, (r) -> new RequestRejectedException("message"));
 		generatorByClassName.put(ServerExchangeRejectedException.class,
 				(r) -> new ServerExchangeRejectedException("message"));
+		generatorByClassName.put(SessionFixationProtectionEvent.class,
+				(r) -> new SessionFixationProtectionEvent(authentication, "old", "new"));
+		generatorByClassName.put(AuthenticationSwitchUserEvent.class,
+				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
+		generatorByClassName.put(HttpSessionCreatedEvent.class,
+				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
 	}
 
 	@ParameterizedTest

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent.serialized

@@ -32,6 +32,7 @@
  * instead.
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizationEvent {
 
 	private final AuthenticationCredentialsNotFoundException credentialsNotFoundException;

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureCredentialsExpiredEvent.serialized

@@ -39,6 +39,7 @@
  * instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
 
 	private final AccessDeniedException accessDeniedException;

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureDisabledEvent.serialized

@@ -34,6 +34,7 @@
  * instead
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class AuthorizedEvent extends AbstractAuthorizationEvent {
 
 	private final Authentication authentication;

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent.serialized

@@ -34,6 +34,7 @@
  * {@link AuthorizationGrantedEvent#getSource()} to deduce public invocations.
  */
 @Deprecated
+@SuppressWarnings("serial")
 public class PublicInvocationEvent extends AbstractAuthorizationEvent {
 
 	/**

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureLockedEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureBadCredentialsEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -5245144711561130379L;
+
 	public AuthenticationFailureBadCredentialsEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProviderNotFoundEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureCredentialsExpiredEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -7595086332769705203L;
+
 	public AuthenticationFailureCredentialsExpiredEvent(Authentication authentication,
 			AuthenticationException exception) {
 		super(authentication, exception);

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureProxyUntrustedEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureDisabledEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 8037552364666766279L;
+
 	public AuthenticationFailureDisabledEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureExpiredEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -8437264795214121718L;
+
 	public AuthenticationFailureExpiredEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.AuthenticationSuccessEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureLockedEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = -5126110096093568463L;
+
 	public AuthenticationFailureLockedEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureProviderNotFoundEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 9122219669183263487L;
+
 	public AuthenticationFailureProviderNotFoundEvent(Authentication authentication,
 			AuthenticationException exception) {
 		super(authentication, exception);

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.event.LogoutSuccessEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureProxyUntrustedEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 1801476426012753252L;
+
 	public AuthenticationFailureProxyUntrustedEvent(Authentication authentication, AuthenticationException exception) {
 		super(authentication, exception);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
@@ -27,6 +29,9 @@
  */
 public class AuthenticationFailureServiceExceptionEvent extends AbstractAuthenticationFailureEvent {
 
+	@Serial
+	private static final long serialVersionUID = 5580062757249390756L;
+
 	public AuthenticationFailureServiceExceptionEvent(Authentication authentication,
 			AuthenticationException exception) {
 		super(authentication, exception);

config/src/test/resources/serialized/6.4.x/org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -25,6 +27,9 @@
  */
 public class AuthenticationSuccessEvent extends AbstractAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = 2537206344128673963L;
+
 	public AuthenticationSuccessEvent(Authentication authentication) {
 		super(authentication);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.core.session.AbstractSessionEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 
@@ -34,6 +36,9 @@
  */
 public class InteractiveAuthenticationSuccessEvent extends AbstractAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = -1990271553478571709L;
+
 	private final Class<?> generatedBy;
 
 	public InteractiveAuthenticationSuccessEvent(Authentication authentication, Class<?> generatedBy) {

config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.session.SessionFixationProtectionEvent.serialized

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -26,6 +28,9 @@
  */
 public class LogoutSuccessEvent extends AbstractAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = 5112491795571632311L;
+
 	public LogoutSuccessEvent(Authentication authentication) {
 		super(authentication);
 	}

config/src/test/resources/serialized/6.4.x/org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent.serialized

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication.jaas.event;
 
+import java.io.Serial;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -26,6 +28,9 @@
  */
 public class JaasAuthenticationFailedEvent extends JaasAuthenticationEvent {
 
+	@Serial
+	private static final long serialVersionUID = -240510538971925002L;
+
 	private final Exception exception;
 
 	public JaasAuthenticationFailedEvent(Authentication auth, Exception exception) {