Fix NotSerializableException in SerializationSamples

023-dev · 023-dev · commit 8095c2b58040 · 2026-02-05T03:13:43.000+09:00
Explicitly configure Instancio for OneTimeTokenAuthenticationToken in SerializationSamples.java.
This ensures that the generated test instances use a valid, serializable principal (null) instead of the default Object() which causes serialization failures.
diff --git a/config/src/test/java/org/springframework/security/SerializationSamples.java b/config/src/test/java/org/springframework/security/SerializationSamples.java
@@ -284,6 +284,13 @@ final class SerializationSamples {
 		Authentication authentication = TestAuthentication.authenticated(user);
 		SecurityContext securityContext = new SecurityContextImpl(authentication);
 
+		instancioByClassName.put(OneTimeTokenAuthenticationToken.class, () -> {
+			InstancioOfClassApi<?> instancio = Instancio.of(OneTimeTokenAuthenticationToken.class);
+			instancio.supply(Select.all(OneTimeTokenAuthenticationToken.class),
+					(r) -> applyDetails(new OneTimeTokenAuthenticationToken("token")));
+			return instancio;
+		});
+
 		// oauth2-core
 		generatorByClassName.put(DefaultOAuth2User.class, (r) -> TestOAuth2Users.create());
 		generatorByClassName.put(OAuth2AuthorizationRequest.class,
@@ -360,9 +367,10 @@ final class SerializationSamples {
 		generatorByClassName.put(ClientAuthorizationRequiredException.class,
 				(r) -> new ClientAuthorizationRequiredException("id"));
 		generatorByClassName
-			.put(OAuth2AuthorizedClientRefreshedEvent.class, (r) -> new OAuth2AuthorizedClientRefreshedEvent(
-					TestOAuth2AccessTokenResponses.accessTokenResponse().build(),
-					new OAuth2AuthorizedClient(clientRegistration, "principal", TestOAuth2AccessTokens.noScopes())));
+				.put(OAuth2AuthorizedClientRefreshedEvent.class, (r) -> new OAuth2AuthorizedClientRefreshedEvent(
+						TestOAuth2AccessTokenResponses.accessTokenResponse().build(),
+						new OAuth2AuthorizedClient(clientRegistration, "principal",
+								TestOAuth2AccessTokens.noScopes())));
 		generatorByClassName.put(OidcUserRefreshedEvent.class,
 				(r) -> new OidcUserRefreshedEvent(TestOAuth2AccessTokenResponses.accessTokenResponse().build(),
 						TestOidcUsers.create(), TestOidcUsers.create(), authentication));
@@ -410,28 +418,28 @@ final class SerializationSamples {
 				(r) -> applyDetails(new DPoPAuthenticationToken("token", "proof", "method", "uri")));
 		generatorByClassName.put(OAuth2ProtectedResourceMetadata.class,
 				(r) -> OAuth2ProtectedResourceMetadata.builder()
-					.resource("https://localhost/resource")
-					.authorizationServer("https://localhost/authorizationServer")
-					.scope("scope")
-					.bearerMethod("bearerMethod")
-					.resourceName("resourceName")
-					.tlsClientCertificateBoundAccessTokens(true)
-					.build());
+						.resource("https://localhost/resource")
+						.authorizationServer("https://localhost/authorizationServer")
+						.scope("scope")
+						.bearerMethod("bearerMethod")
+						.resourceName("resourceName")
+						.tlsClientCertificateBoundAccessTokens(true)
+						.build());
 
 		// oauth2-authorization-server
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 		OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
 		OAuth2AuthorizationRequest authorizationRequest = authorization
-			.getAttribute(OAuth2AuthorizationRequest.class.getName());
+				.getAttribute(OAuth2AuthorizationRequest.class.getName());
 		Authentication principal = authorization.getAttribute(Principal.class.getName());
 		generatorByClassName.put(RegisteredClient.class, (r) -> registeredClient);
 		generatorByClassName.put(OAuth2Authorization.class, (r) -> authorization);
 		generatorByClassName.put(OAuth2Authorization.Token.class, (r) -> authorization.getAccessToken());
 		generatorByClassName.put(OAuth2AuthorizationConsent.class,
 				(r) -> OAuth2AuthorizationConsent.withId("registeredClientId", "principalName")
-					.scope("scope1")
-					.scope("scope2")
-					.build());
+						.scope("scope1")
+						.scope("scope2")
+						.build());
 		generatorByClassName.put(OAuth2AuthorizationCodeRequestAuthenticationToken.class, (r) -> {
 			OAuth2AuthorizationCodeRequestAuthenticationToken authenticationToken = new OAuth2AuthorizationCodeRequestAuthenticationToken(
 					"authorizationUri", "clientId", principal, "redirectUri", "state", authorizationRequest.getScopes(),
@@ -492,10 +500,10 @@ final class SerializationSamples {
 			return authenticationToken;
 		});
 		OAuth2ClientRegistration oauth2ClientRegistration = OAuth2ClientRegistration.builder()
-			.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
-			.scope("scope1")
-			.redirectUri("https://localhost/oauth2/callback")
-			.build();
+				.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
+				.scope("scope1")
+				.redirectUri("https://localhost/oauth2/callback")
+				.build();
 		generatorByClassName.put(OAuth2ClientRegistration.class, (r) -> oauth2ClientRegistration);
 		generatorByClassName.put(OAuth2ClientRegistrationAuthenticationToken.class, (r) -> {
 			OAuth2ClientRegistrationAuthenticationToken authenticationToken = new OAuth2ClientRegistrationAuthenticationToken(
@@ -504,10 +512,10 @@ final class SerializationSamples {
 			return authenticationToken;
 		});
 		OidcClientRegistration oidcClientRegistration = OidcClientRegistration.builder()
-			.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
-			.scope("scope1")
-			.redirectUri("https://localhost/oauth2/callback")
-			.build();
+				.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
+				.scope("scope1")
+				.redirectUri("https://localhost/oauth2/callback")
+				.build();
 		generatorByClassName.put(OidcClientRegistration.class, (r) -> oidcClientRegistration);
 		generatorByClassName.put(OidcClientRegistrationAuthenticationToken.class, (r) -> {
 			OidcClientRegistrationAuthenticationToken authenticationToken = new OidcClientRegistrationAuthenticationToken(
@@ -524,9 +532,9 @@ final class SerializationSamples {
 		});
 		generatorByClassName.put(OidcLogoutAuthenticationToken.class, (r) -> {
 			OidcIdToken idToken = OidcIdToken.withTokenValue("tokenValue")
-				.issuedAt(Instant.now())
-				.expiresAt(Instant.now().plusSeconds(60))
-				.build();
+					.issuedAt(Instant.now())
+					.expiresAt(Instant.now().plusSeconds(60))
+					.build();
 			OidcLogoutAuthenticationToken authenticationToken = new OidcLogoutAuthenticationToken(idToken, principal,
 					"sessionId", "clientId", "postLogoutRedirectUri", "state");
 			authenticationToken.setDetails(details);
@@ -548,21 +556,21 @@ final class SerializationSamples {
 		});
 		generatorByClassName.put(OAuth2AuthorizationServerMetadata.class,
 				(r) -> OAuth2AuthorizationServerMetadata.builder()
-					.issuer("https://localhost")
-					.authorizationEndpoint("https://localhost/oauth2/authorize")
-					.tokenEndpoint("https://localhost/oauth2/token")
-					.responseType("code")
-					.build());
+						.issuer("https://localhost")
+						.authorizationEndpoint("https://localhost/oauth2/authorize")
+						.tokenEndpoint("https://localhost/oauth2/token")
+						.responseType("code")
+						.build());
 		generatorByClassName.put(OidcProviderConfiguration.class,
 				(r) -> OidcProviderConfiguration.builder()
-					.issuer("https://localhost")
-					.authorizationEndpoint("https://localhost/oauth2/authorize")
-					.tokenEndpoint("https://localhost/oauth2/token")
-					.jwkSetUrl("https://localhost/oauth2/jwks")
-					.responseType("code")
-					.subjectType("subjectType")
-					.idTokenSigningAlgorithm("RS256")
-					.build());
+						.issuer("https://localhost")
+						.authorizationEndpoint("https://localhost/oauth2/authorize")
+						.tokenEndpoint("https://localhost/oauth2/token")
+						.jwkSetUrl("https://localhost/oauth2/jwks")
+						.responseType("code")
+						.subjectType("subjectType")
+						.idTokenSigningAlgorithm("RS256")
+						.build());
 		generatorByClassName.put(OAuth2TokenType.class, (r) -> OAuth2TokenType.ACCESS_TOKEN);
 		generatorByClassName.put(OAuth2TokenFormat.class, (r) -> OAuth2TokenFormat.SELF_CONTAINED);
 		generatorByClassName.put(AuthorizationServerSettings.class,
@@ -597,8 +605,7 @@ final class SerializationSamples {
 			token.setDetails(details);
 			return token;
 		});
-		generatorByClassName.put(OneTimeTokenAuthenticationToken.class,
-				(r) -> applyDetails(new OneTimeTokenAuthenticationToken("token")));
+
 		generatorByClassName.put(OneTimeTokenAuthentication.class,
 				(r) -> applyDetails(new OneTimeTokenAuthentication("username", authentication.getAuthorities())));
 		generatorByClassName.put(AccessDeniedException.class,
@@ -722,10 +729,10 @@ final class SerializationSamples {
 		Saml2Authentication saml2 = TestSaml2Authentications.authentication();
 		generatorByClassName.put(Saml2Authentication.class, (r) -> applyDetails(saml2));
 		Saml2ResponseAssertionAccessor assertion = Saml2ResponseAssertion.withResponseValue("response")
-			.nameId("name")
-			.sessionIndexes(List.of("id"))
-			.attributes(Map.of("key", List.of("value")))
-			.build();
+				.nameId("name")
+				.sessionIndexes(List.of("id"))
+				.attributes(Map.of("key", List.of("value")))
+				.build();
 		generatorByClassName.put(Saml2ResponseAssertion.class, (r) -> assertion);
 		generatorByClassName.put(Saml2AssertionAuthentication.class, (r) -> applyDetails(
 				new Saml2AssertionAuthentication(assertion, authentication.getAuthorities(), "id")));
@@ -746,9 +753,9 @@ final class SerializationSamples {
 		generatorByClassName.put(Saml2LogoutRequest.class, (r) -> TestSaml2LogoutRequests.create());
 		generatorByClassName.put(OpenSamlAssertingPartyDetails.class,
 				(r) -> OpenSamlAssertingPartyDetails
-					.withEntityDescriptor(
-							TestOpenSamlObjects.entityDescriptor(TestRelyingPartyRegistrations.full().build()))
-					.build());
+						.withEntityDescriptor(
+								TestOpenSamlObjects.entityDescriptor(TestRelyingPartyRegistrations.full().build()))
+						.build());
 
 		// web
 		generatorByClassName.put(AnonymousAuthenticationToken.class, (r) -> {
@@ -867,8 +874,8 @@ final class SerializationSamples {
 				(r) -> TestPublicKeyCredentialUserEntities.userEntity().id(TestBytes.get()).build());
 		generatorByClassName.put(WebAuthnAuthentication.class, (r) -> {
 			PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntities.userEntity()
-				.id(TestBytes.get())
-				.build();
+					.id(TestBytes.get())
+					.build();
 			List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
 			WebAuthnAuthentication webAuthnAuthentication = new WebAuthnAuthentication(userEntity, authorities);
 			webAuthnAuthentication.setDetails(details);
