Make PublicKeyCredentialRequestOptions Serializable

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -196,6 +196,18 @@
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
+import org.springframework.security.web.webauthn.api.TestBytes;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 import org.springframework.util.ReflectionUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -515,6 +527,39 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
 		generatorByClassName.put(HttpSessionCreatedEvent.class,
 				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
+
+		// webauthn
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+				CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL,
+				true);
+		Bytes id = TestBytes.get();
+		AuthenticationExtensionsClientInputs inputs = new ImmutableAuthenticationExtensionsClientInputs(
+				ImmutableAuthenticationExtensionsClientInput.credProps);
+		// @formatter:off
+		PublicKeyCredentialDescriptor descriptor = PublicKeyCredentialDescriptor.builder()
+				.id(id)
+				.type(PublicKeyCredentialType.PUBLIC_KEY)
+				.transports(Set.of(AuthenticatorTransport.USB))
+				.build();
+		// @formatter:on
+		generatorByClassName.put(AuthenticatorTransport.class, (a) -> AuthenticatorTransport.USB);
+		generatorByClassName.put(PublicKeyCredentialType.class, (k) -> PublicKeyCredentialType.PUBLIC_KEY);
+		generatorByClassName.put(UserVerificationRequirement.class, (r) -> UserVerificationRequirement.REQUIRED);
+		generatorByClassName.put(CredProtectAuthenticationExtensionsClientInput.CredProtect.class, (c) -> credProtect);
+		generatorByClassName.put(CredProtectAuthenticationExtensionsClientInput.class,
+				(c) -> new CredProtectAuthenticationExtensionsClientInput(credProtect));
+		generatorByClassName.put(ImmutableAuthenticationExtensionsClientInputs.class, (i) -> inputs);
+		generatorByClassName.put(ImmutableAuthenticationExtensionsClientInput.class,
+				(i) -> ImmutableAuthenticationExtensionsClientInput.credProps);
+		generatorByClassName.put(Bytes.class, (b) -> id);
+		generatorByClassName.put(PublicKeyCredentialDescriptor.class, (d) -> descriptor);
+		// @formatter:off
+		generatorByClassName.put(PublicKeyCredentialRequestOptions.class, (o) -> TestPublicKeyCredentialRequestOptions.create()
+				.extensions(inputs)
+				.allowCredentials(List.of(descriptor))
+				.build()
+		);
+		// @formatter:on
 	}
 
 	@ParameterizedTest

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
+
 /**
  * A <a href="https://www.w3.org/TR/webauthn-3/#client-extension-input">client extension
  * input</a> entry in the {@link AuthenticationExtensionsClientInputs}.
@@ -25,7 +27,7 @@
  * @since 6.4
  * @see ImmutableAuthenticationExtensionsClientInput
  */
-public interface AuthenticationExtensionsClientInput<T> {
+public interface AuthenticationExtensionsClientInput<T> extends Serializable {
 
 	/**
 	 * Gets the <a href="https://www.w3.org/TR/webauthn-3/#extension-identifier">extension

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
 import java.util.List;
 
 /**
@@ -31,7 +32,7 @@
  * @since 6.4
  * @see PublicKeyCredentialCreationOptions#getExtensions()
  */
-public interface AuthenticationExtensionsClientInputs {
+public interface AuthenticationExtensionsClientInputs extends Serializable {
 
 	/**
 	 * Gets all of the {@link AuthenticationExtensionsClientInput}.

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-authenticatortransport">AuthenticatorTransport</a>
@@ -25,7 +28,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class AuthenticatorTransport {
+public final class AuthenticatorTransport implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -5617945441117386982L;
 
 	/**
 	 * <a href="https://www.w3.org/TR/webauthn-3/#dom-authenticatortransport-usb">usbc</a>

web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Base64;
@@ -28,7 +30,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class Bytes {
+public final class Bytes implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -7420539646106189663L;
 
 	private static final SecureRandom RANDOM = new SecureRandom();
 

web/src/main/java/org/springframework/security/web/webauthn/api/CredProtectAuthenticationExtensionsClientInput.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * Implements <a href=
  * "https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-credProtect-extension">
@@ -27,6 +30,9 @@
 public class CredProtectAuthenticationExtensionsClientInput
 		implements AuthenticationExtensionsClientInput<CredProtectAuthenticationExtensionsClientInput.CredProtect> {
 
+	@Serial
+	private static final long serialVersionUID = -6418175591005843455L;
+
 	private final CredProtect input;
 
 	public CredProtectAuthenticationExtensionsClientInput(CredProtect input) {
@@ -43,7 +49,10 @@ public CredProtect getInput() {
 		return this.input;
 	}
 
-	public static class CredProtect {
+	public static class CredProtect implements Serializable {
+
+		@Serial
+		private static final long serialVersionUID = 109597301115842688L;
 
 		private final ProtectionPolicy credProtectionPolicy;
 

web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+
 /**
  * An immutable {@link AuthenticationExtensionsClientInput}.
  *
@@ -26,6 +28,9 @@
  */
 public class ImmutableAuthenticationExtensionsClientInput<T> implements AuthenticationExtensionsClientInput<T> {
 
+	@Serial
+	private static final long serialVersionUID = -1738152485672656808L;
+
 	/**
 	 * https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
 	 */

web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
 import java.util.Arrays;
 import java.util.List;
 
@@ -27,6 +28,9 @@
  */
 public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs {
 
+	@Serial
+	private static final long serialVersionUID = 4277817521578485720L;
+
 	private final List<AuthenticationExtensionsClientInput> inputs;
 
 	public ImmutableAuthenticationExtensionsClientInputs(List<AuthenticationExtensionsClientInput> inputs) {

web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialDescriptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.util.Set;
 
 /**
@@ -29,7 +31,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialDescriptor {
+public final class PublicKeyCredentialDescriptor implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 8793385059692676240L;
 
 	private final PublicKeyCredentialType type;
 

web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialRequestOptions.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -32,7 +34,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialRequestOptions {
+public final class PublicKeyCredentialRequestOptions implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -2970057592835694354L;
 
 	private final Bytes challenge;
 

web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialType.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#enum-credentialType">PublicKeyCredentialType</a>
@@ -24,7 +27,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialType {
+public final class PublicKeyCredentialType implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 7025333122210061679L;
 
 	/**
 	 * The only credential type that currently exists.

web/src/main/java/org/springframework/security/web/webauthn/api/UserVerificationRequirement.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-userverificationrequirement">UserVerificationRequirement</a>
@@ -24,7 +27,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class UserVerificationRequirement {
+public final class UserVerificationRequirement implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -2801001231345540040L;
 
 	/**
 	 * The <a href=