Implement Serial for PublicKeyCredentialCreationOptions

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -191,6 +191,26 @@
 import org.springframework.security.web.firewall.RequestRejectedException;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
+import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
+import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria;
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
+import org.springframework.security.web.webauthn.api.CredentialRecord;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
+import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
+import org.springframework.security.web.webauthn.api.TestCredentialRecord;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
+import org.springframework.security.web.webauthn.management.TestPublicKeyCredentialRpEntity;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.fail;
@@ -508,6 +528,41 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new AuthenticationSwitchUserEvent(authentication, user));
 		generatorByClassName.put(HttpSessionCreatedEvent.class,
 				(r) -> new HttpSessionCreatedEvent(new MockHttpSession()));
+
+		// webauthn
+		generatorByClassName.put(PublicKeyCredentialCreationOptions.class, (r) -> {
+			CredentialRecord credentialRecord = TestCredentialRecord.userCredential().build();
+			PublicKeyCredentialDescriptor descriptor = PublicKeyCredentialDescriptor.builder()
+				.id(credentialRecord.getCredentialId())
+				.transports(credentialRecord.getTransports())
+				.build();
+			return TestPublicKeyCredentialCreationOptions.createPublicKeyCredentialCreationOptions()
+				.rp(TestPublicKeyCredentialRpEntity.createRpEntity().build())
+				.user(TestPublicKeyCredentialUserEntity.userEntity().build())
+				.excludeCredentials(List.of(descriptor))
+				.build();
+		});
+		generatorByClassName.put(PublicKeyCredentialRpEntity.class,
+				(r) -> TestPublicKeyCredentialRpEntity.createRpEntity().build());
+		generatorByClassName.put(Bytes.class, (r) -> Bytes.random());
+		generatorByClassName.put(AuthenticatorSelectionCriteria.class,
+				(r) -> AuthenticatorSelectionCriteria.builder().build());
+		generatorByClassName.put(AuthenticatorAttachment.class, (r) -> AuthenticatorAttachment.CROSS_PLATFORM);
+		generatorByClassName.put(ResidentKeyRequirement.class, (r) -> ResidentKeyRequirement.REQUIRED);
+		generatorByClassName.put(UserVerificationRequirement.class, (r) -> UserVerificationRequirement.REQUIRED);
+		generatorByClassName.put(AttestationConveyancePreference.class, (r) -> AttestationConveyancePreference.NONE);
+		generatorByClassName.put(PublicKeyCredentialParameters.class, (r) -> PublicKeyCredentialParameters.EdDSA);
+		generatorByClassName.put(COSEAlgorithmIdentifier.class, (r) -> COSEAlgorithmIdentifier.EdDSA);
+		generatorByClassName.put(ImmutableAuthenticationExtensionsClientInputs.class,
+				(r) -> new ImmutableAuthenticationExtensionsClientInputs(
+						ImmutableAuthenticationExtensionsClientInput.credProps));
+		generatorByClassName.put(PublicKeyCredentialDescriptor.class,
+				(r) -> PublicKeyCredentialDescriptor.builder()
+					.transports(AuthenticatorTransport.HYBRID)
+					.id(Bytes.fromBase64("ChfoCM8CJA_wwUGDdzdtuw"))
+					.build());
+		generatorByClassName.put(PublicKeyCredentialType.class, (r) -> PublicKeyCredentialType.PUBLIC_KEY);
+		generatorByClassName.put(AuthenticatorTransport.class, (r) -> AuthenticatorTransport.HYBRID);
 	}
 
 	@ParameterizedTest

web/src/main/java/org/springframework/security/web/webauthn/api/AttestationConveyancePreference.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href="https://www.w3.org/TR/webauthn-3/#webauthn-relying-party">WebAuthn Relying
  * Parties</a> may use <a href=
@@ -26,7 +29,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class AttestationConveyancePreference {
+public final class AttestationConveyancePreference implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -4821525312099695991L;
 
 	/**
 	 * The <a href=

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInput.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
+
 /**
  * A <a href="https://www.w3.org/TR/webauthn-3/#client-extension-input">client extension
  * input</a> entry in the {@link AuthenticationExtensionsClientInputs}.
@@ -25,7 +27,7 @@
  * @since 6.4
  * @see ImmutableAuthenticationExtensionsClientInput
  */
-public interface AuthenticationExtensionsClientInput<T> {
+public interface AuthenticationExtensionsClientInput<T> extends Serializable {
 
 	/**
 	 * Gets the <a href="https://www.w3.org/TR/webauthn-3/#extension-identifier">extension

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticationExtensionsClientInputs.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serializable;
 import java.util.List;
 
 /**
@@ -31,7 +32,7 @@
  * @since 6.4
  * @see PublicKeyCredentialCreationOptions#getExtensions()
  */
-public interface AuthenticationExtensionsClientInputs {
+public interface AuthenticationExtensionsClientInputs extends Serializable {
 
 	/**
 	 * Gets all of the {@link AuthenticationExtensionsClientInput}.

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,14 +16,20 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-authenticatorattachment">AuthenticatorAttachment</a>.
  *
  * @author Rob Winch
  * @since 6.4
  */
-public final class AuthenticatorAttachment {
+public final class AuthenticatorAttachment implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 9109555306146794233L;
 
 	/**
 	 * Indicates <a href=

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorSelectionCriteria.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-authenticatorselectioncriteria">AuthenticatorAttachment</a>
@@ -31,7 +34,10 @@
  * @since 6.4
  * @see PublicKeyCredentialCreationOptions#getAuthenticatorSelection()
  */
-public final class AuthenticatorSelectionCriteria {
+public final class AuthenticatorSelectionCriteria implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -4273495550621636950L;
 
 	private final AuthenticatorAttachment authenticatorAttachment;
 

web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorTransport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-authenticatortransport">AuthenticatorTransport</a>
@@ -25,7 +28,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class AuthenticatorTransport {
+public final class AuthenticatorTransport implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 3061229853243652081L;
 
 	/**
 	 * <a href="https://www.w3.org/TR/webauthn-3/#dom-authenticatortransport-usb">usbc</a>

web/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Base64;
@@ -28,7 +30,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class Bytes {
+public final class Bytes implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 3152044557472942954L;
 
 	private static final SecureRandom RANDOM = new SecureRandom();
 

web/src/main/java/org/springframework/security/web/webauthn/api/COSEAlgorithmIdentifier.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#sctn-alg-identifier">COSEAlgorithmIdentifier</a> is
@@ -25,7 +28,10 @@
  * @since 6.4
  * @see PublicKeyCredentialParameters#getAlg()
  */
-public final class COSEAlgorithmIdentifier {
+public final class COSEAlgorithmIdentifier implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 2916227211464921463L;
 
 	public static final COSEAlgorithmIdentifier EdDSA = new COSEAlgorithmIdentifier(-8);
 

web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInput.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+
 /**
  * An immutable {@link AuthenticationExtensionsClientInput}.
  *
@@ -26,6 +28,9 @@
  */
 public class ImmutableAuthenticationExtensionsClientInput<T> implements AuthenticationExtensionsClientInput<T> {
 
+	@Serial
+	private static final long serialVersionUID = 7418261700160525896L;
+
 	/**
 	 * https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
 	 */

web/src/main/java/org/springframework/security/web/webauthn/api/ImmutableAuthenticationExtensionsClientInputs.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
 import java.util.Arrays;
 import java.util.List;
 
@@ -27,6 +28,9 @@
  */
 public class ImmutableAuthenticationExtensionsClientInputs implements AuthenticationExtensionsClientInputs {
 
+	@Serial
+	private static final long serialVersionUID = -3891660830369199585L;
+
 	private final List<AuthenticationExtensionsClientInput> inputs;
 
 	public ImmutableAuthenticationExtensionsClientInputs(List<AuthenticationExtensionsClientInput> inputs) {

web/src/main/java/org/springframework/security/web/webauthn/api/ImmutablePublicKeyCredentialUserEntity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a>
@@ -28,6 +30,9 @@
  */
 public final class ImmutablePublicKeyCredentialUserEntity implements PublicKeyCredentialUserEntity {
 
+	@Serial
+	private static final long serialVersionUID = -6887789205332948120L;
+
 	/**
 	 * When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier
 	 * for a user account. It is intended only for display, i.e., aiding the user in

web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredentialCreationOptions.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.Serial;
+import java.io.Serializable;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -32,7 +34,10 @@
  * @author Rob Winch
  * @since 6.4
  */
-public final class PublicKeyCredentialCreationOptions {
+public final class PublicKeyCredentialCreationOptions implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = -3447846076083501914L;
 
 	private final PublicKeyCredentialRpEntity rp;