diff --git a/config/src/test/java/org/springframework/security/SerializationSamples.java b/config/src/test/java/org/springframework/security/SerializationSamples.java
index fe9f75cd50f..d4a17eef08f 100644
--- a/config/src/test/java/org/springframework/security/SerializationSamples.java
+++ b/config/src/test/java/org/springframework/security/SerializationSamples.java
@@ -207,12 +207,15 @@
import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
import org.springframework.security.web.session.HttpSessionIdChangedEvent;
+import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria;
import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
@@ -220,12 +223,17 @@
import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs;
import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.api.PublicKeyCredential;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses;
import org.springframework.security.web.webauthn.api.TestBytes;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntities;
import org.springframework.security.web.webauthn.api.TestPublicKeyCredentials;
@@ -233,6 +241,7 @@
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken;
import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
+import org.springframework.security.web.webauthn.management.TestPublicKeyCredentialRpEntities;
import org.springframework.util.ReflectionUtils;
final class SerializationSamples {
@@ -668,6 +677,22 @@ final class SerializationSamples {
});
// @formatter:on
+ generatorByClassName.put(AttestationConveyancePreference.class,
+ (r) -> AttestationConveyancePreference.INDIRECT);
+ generatorByClassName.put(AuthenticatorSelectionCriteria.class,
+ (r) -> AuthenticatorSelectionCriteria.builder()
+ .userVerification(UserVerificationRequirement.REQUIRED)
+ .build());
+ generatorByClassName.put(COSEAlgorithmIdentifier.class, (r) -> COSEAlgorithmIdentifier.ES256);
+ generatorByClassName.put(PublicKeyCredentialParameters.class, (r) -> PublicKeyCredentialParameters.ES256);
+ generatorByClassName.put(PublicKeyCredentialRpEntity.class,
+ (r) -> TestPublicKeyCredentialRpEntities.createRpEntity().build());
+ generatorByClassName.put(ResidentKeyRequirement.class, (r) -> ResidentKeyRequirement.REQUIRED);
+ generatorByClassName.put(PublicKeyCredentialCreationOptions.class,
+ (r) -> TestPublicKeyCredentialCreationOptions.createPublicKeyCredentialCreationOptions()
+ .rp(TestPublicKeyCredentialRpEntities.createRpEntity().build())
+ .build());
+
generatorByClassName.put(CredentialPropertiesOutput.ExtensionOutput.class,
(r) -> new CredentialPropertiesOutput(true).getOutput());
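Review bot: The `AuthenticatorSelectionCriteria` sample sets only `userVerification`, so `authenticatorAttachment` (the field visible in the class hunk) and any other field stay null in the stored 7.0.x fixture. A non-serializable or incompatible value in one of those fields would then pass this test unnoticed. Assuming the builder exposes them, adding `.authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM)` and `.residentKey(ResidentKeyRequirement.REQUIRED)` and regenerating the `.serialized` file would make the sample cover the whole object graph. The enclosing initializer starts and ends outside this hunk.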
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AttestationConveyancePreference.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AttestationConveyancePreference.serialized
new file mode 100644
index 00000000000..f024863b395
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AttestationConveyancePreference.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria.serialized
new file mode 100644
index 00000000000..5562d8d6208
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier.serialized
new file mode 100644
index 00000000000..cb13b5404fb
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions.serialized
new file mode 100644
index 00000000000..09395fe91a8
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters.serialized
new file mode 100644
index 00000000000..7b5272e3f27
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity.serialized
new file mode 100644
index 00000000000..918ec859987
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity.serialized differ
diff --git a/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.ResidentKeyRequirement.serialized b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.ResidentKeyRequirement.serialized
new file mode 100644
index 00000000000..a03eb3ed6c9
Binary files /dev/null and b/config/src/test/resources/serialized/7.0.x/org.springframework.security.web.webauthn.api.ResidentKeyRequirement.serialized differ
diff --git a/web/src/main/resources/META-INF/spring/aot.factories b/web/src/main/resources/META-INF/spring/aot.factories
index 2a3c8ad7681..dcc4be6a067 100644
--- a/web/src/main/resources/META-INF/spring/aot.factories
+++ b/web/src/main/resources/META-INF/spring/aot.factories
@@ -1,4 +1,2 @@
org.springframework.aot.hint.RuntimeHintsRegistrar=\
-org.springframework.security.web.aot.hint.WebMvcSecurityRuntimeHints,\
-org.springframework.security.web.aot.hint.UserCredentialRuntimeHints,\
-org.springframework.security.web.aot.hint.PublicKeyCredentialUserEntityRuntimeHints
+org.springframework.security.web.aot.hint.WebMvcSecurityRuntimeHints
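Review bot: Removing `UserCredentialRuntimeHints` and `PublicKeyCredentialUserEntityRuntimeHints` from this file unregisters them unless the webauthn module ships its own `META-INF/spring/aot.factories` listing the new `org.springframework.security.web.webauthn.aot` class names, and no such file is visible in this part of the commit. If it is missing, the two registrars are moved but never invoked during AOT processing, and a native image would lose the hints they contribute. A test in the webauthn module that resolves the registrars through `aot.factories` would pin the registration to the new package.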
diff --git a/web/src/main/java/org/springframework/security/web/aot/hint/PublicKeyCredentialUserEntityRuntimeHints.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/aot/PublicKeyCredentialUserEntityRuntimeHints.java
similarity index 96%
rename from web/src/main/java/org/springframework/security/web/aot/hint/PublicKeyCredentialUserEntityRuntimeHints.java
rename to webauthn/src/main/java/org/springframework/security/web/webauthn/aot/PublicKeyCredentialUserEntityRuntimeHints.java
index c35cf5b81c6..f178c1f2ec9 100644
--- a/web/src/main/java/org/springframework/security/web/aot/hint/PublicKeyCredentialUserEntityRuntimeHints.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/aot/PublicKeyCredentialUserEntityRuntimeHints.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package org.springframework.security.web.aot.hint;
+package org.springframework.security.web.webauthn.aot;
import org.springframework.aot.hint.RuntimeHints;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
diff --git a/web/src/main/java/org/springframework/security/web/aot/hint/UserCredentialRuntimeHints.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/aot/UserCredentialRuntimeHints.java
similarity index 96%
rename from web/src/main/java/org/springframework/security/web/aot/hint/UserCredentialRuntimeHints.java
rename to webauthn/src/main/java/org/springframework/security/web/webauthn/aot/UserCredentialRuntimeHints.java
index 96700568725..ade9a4f5d8a 100644
--- a/web/src/main/java/org/springframework/security/web/aot/hint/UserCredentialRuntimeHints.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/aot/UserCredentialRuntimeHints.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package org.springframework.security.web.aot.hint;
+package org.springframework.security.web.webauthn.aot;
import org.springframework.aot.hint.RuntimeHints;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
index 41164faf491..23739e75247 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* WebAuthn Relying
* Parties may use AuthenticatorAttachment
@@ -31,7 +34,10 @@
* @since 6.4
* @see PublicKeyCredentialCreationOptions#getAuthenticatorSelection()
*/
-public final class AuthenticatorSelectionCriteria {
+public final class AuthenticatorSelectionCriteria implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -4273495550621636950L;
private final AuthenticatorAttachment authenticatorAttachment;
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java
index 0cafd9309bd..7acae91188e 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* COSEAlgorithmIdentifier is
@@ -25,7 +28,10 @@
* @since 6.4
* @see PublicKeyCredentialParameters#getAlg()
*/
-public final class COSEAlgorithmIdentifier {
+public final class COSEAlgorithmIdentifier implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = 2916227211464921463L;
public static final COSEAlgorithmIdentifier EdDSA = new COSEAlgorithmIdentifier(-8);
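Review bot: Making `COSEAlgorithmIdentifier` serializable means a deserialized value is a fresh object rather than the canonical `EdDSA`/`ES256` constant, so any `==` comparison against those constants fails after a session round-trip. Whether `equals`/`hashCode` are value-based cannot be seen from this hunk. Either add a `readResolve()` that returns the matching constant for the stored value, or confirm that every comparison goes through a value-based `equals`. The same applies to the other constant-holder classes this commit makes serializable: `PublicKeyCredentialParameters`, `ResidentKeyRequirement` and `AttestationConveyancePreference`. The class body continues outside the hunk.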
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java
index 2bbdcb9b2b0..2dabd440784 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
@@ -32,7 +34,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class PublicKeyCredentialCreationOptions {
+public final class PublicKeyCredentialCreationOptions implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -3447846076083501914L;
private final PublicKeyCredentialRpEntity rp;
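Review bot: The class Javadoc should state the trust assumption that comes with `implements Serializable` here: Java deserialization restores the fields without running the constructor or builder, so none of their checks are re-applied when the object is read back. These options describe the relying party for a registration ceremony, so a restored instance is only as trustworthy as the store it came from. I would add a sentence such as `Instances are expected to be deserialized only from a trusted store, such as the server-side session; no invariants are re-validated on read.` If stricter handling is wanted, a `readObject` that re-checks required fields is the usual hook. The remaining fields are declared outside this hunk, so their serializability cannot be checked from here.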
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java
index abb8c028330..6185b4e9983 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialParameters.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* The PublicKeyCredentialParameters
@@ -25,7 +28,10 @@
* @since 6.4
* @see PublicKeyCredentialCreationOptions#getPubKeyCredParams()
*/
-public final class PublicKeyCredentialParameters {
+public final class PublicKeyCredentialParameters implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -1526321508352408964L;
public static final PublicKeyCredentialParameters EdDSA = new PublicKeyCredentialParameters(
COSEAlgorithmIdentifier.EdDSA);
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java
index d8e7de80141..a34ce5819b9 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRpEntity.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* The PublicKeyCredentialRpEntity
@@ -25,7 +28,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class PublicKeyCredentialRpEntity {
+public final class PublicKeyCredentialRpEntity implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -7546038444920825700L;
private final String name;
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java
index 082df8c675e..f308dc605b9 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/api/ResidentKeyRequirement.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
package org.springframework.security.web.webauthn.api;
+import java.io.Serial;
+import java.io.Serializable;
+
/**
* The ResidentKeyRequirement
@@ -24,7 +27,10 @@
* @author Rob Winch
* @since 6.4
*/
-public final class ResidentKeyRequirement {
+public final class ResidentKeyRequirement implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = -2771567035819540060L;
/**
* The