From 61a9d972c29ebf9ab6f93058c82871c2673eaf3f Mon Sep 17 00:00:00 2001
From: Max Batischev <mblancer@mail.ru>
Date: Thu, 20 Feb 2025 15:17:13 +0300
Subject: [PATCH] Make DefaultOneTimeToken Serializable

Closes gh-16617

Signed-off-by: Max Batischev <mblancer@mail.ru>
---
 ...pringSecurityCoreVersionSerializableTests.java |   7 +++++++
 ...hentication.ott.DefaultOneTimeToken.serialized | Bin 0 -> 258 bytes
 .../authentication/ott/DefaultOneTimeToken.java   |   6 +++++-
 .../security/authentication/ott/OneTimeToken.java |   5 +++--
 4 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 config/src/test/resources/serialized/6.5.x/org.springframework.security.authentication.ott.DefaultOneTimeToken.serialized

diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index 21f5961ed19..91dcddd9909 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -43,6 +43,7 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 import java.util.stream.Stream;
 
 import jakarta.servlet.http.Cookie;
@@ -98,6 +99,7 @@
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
 import org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent;
 import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent;
+import org.springframework.security.authentication.ott.DefaultOneTimeToken;
 import org.springframework.security.authentication.ott.InvalidOneTimeTokenException;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
@@ -667,6 +669,11 @@ class SpringSecurityCoreVersionSerializableTests {
 			return webAuthnAuthentication;
 		});
 		// @formatter:on
+
+		// One-Time Token
+		DefaultOneTimeToken oneTimeToken = new DefaultOneTimeToken(UUID.randomUUID().toString(), "user",
+				Instant.now().plusSeconds(300));
+		generatorByClassName.put(DefaultOneTimeToken.class, (t) -> oneTimeToken);
 	}
 
 	@ParameterizedTest
diff --git a/config/src/test/resources/serialized/6.5.x/org.springframework.security.authentication.ott.DefaultOneTimeToken.serialized b/config/src/test/resources/serialized/6.5.x/org.springframework.security.authentication.ott.DefaultOneTimeToken.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..806fbdee7f93bfb72806442ba61699283c3dff4d
GIT binary patch
literal 258
zcmXAjy-ve06osz>l{(M`1_lPC!Wt)3K_p^AFcc{gL%T9K?sYJ2?O@-~upl8Zva<0A
zEU+N)AUp(!cfb~BJ%8WpFZ7&+Q)6r98mn|IEnniw*g113TC3=e@s_SolM<Yi(aaFB
zGnBkt(1pgSTH@5qQGY)Ti`}ocp9t1U=wsI?izh^|RbKO3o{-Na=h_k1bX-D@LWf}U
z-(7HBCld+)-t4yyt@a!@a1T+}c)~##VPS+#&^}*2e(ns%?;8MJvl>L;Rex;1<a-ag
lBiK&`9;8K;$6}U^;%s&_iu0;U<E+SJA#*9XJS12TH-9V|S0w-d

literal 0
HcmV?d00001

diff --git a/core/src/main/java/org/springframework/security/authentication/ott/DefaultOneTimeToken.java b/core/src/main/java/org/springframework/security/authentication/ott/DefaultOneTimeToken.java
index 4133da396d9..3a5de0720e1 100644
--- a/core/src/main/java/org/springframework/security/authentication/ott/DefaultOneTimeToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/ott/DefaultOneTimeToken.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.authentication.ott;
 
+import java.io.Serial;
 import java.time.Instant;
 
 import org.springframework.util.Assert;
@@ -28,6 +29,9 @@
  */
 public class DefaultOneTimeToken implements OneTimeToken {
 
+	@Serial
+	private static final long serialVersionUID = -1545822943352278549L;
+
 	private final String token;
 
 	private final String username;
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeToken.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeToken.java
index b2def9ef242..1a6b518bb15 100644
--- a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeToken.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.authentication.ott;
 
+import java.io.Serializable;
 import java.time.Instant;
 
 /**
@@ -24,7 +25,7 @@
  * @author Marcus da Coregio
  * @since 6.4
  */
-public interface OneTimeToken {
+public interface OneTimeToken extends Serializable {
 
 	/**
 	 * @return the one-time token value, never {@code null}