Allow null object for AuthorizationManagerFactory

Signed-off-by: Steve Riesenberg <[email protected]>

Author: sjohnr

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -40,13 +40,13 @@
  * @author Steve Riesenberg
  * @since 3.0
  */
-public abstract class SecurityExpressionRoot<T> implements SecurityExpressionOperations {
+public abstract class SecurityExpressionRoot<T extends @Nullable Object> implements SecurityExpressionOperations {
 
 	private static final AuthorizationManagerFactory<?> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
 
 	private final Supplier<Authentication> authentication;
 
-	private final @Nullable T object;
+	private final T object;
 
 	private @Nullable DefaultAuthorizationManagerFactory<T> defaultAuthorizationManagerFactory;
 
@@ -94,12 +94,7 @@ public SecurityExpressionRoot(Authentication authentication) {
 	 */
 	@Deprecated(since = "7.0")
 	public SecurityExpressionRoot(Supplier<Authentication> authentication) {
-		this.authentication = SingletonSupplier.of(() -> {
-			Authentication value = authentication.get();
-			Assert.notNull(value, "Authentication object cannot be null");
-			return value;
-		});
-		this.object = null;
+		this(authentication, null);
 	}
 
 	/**
@@ -174,7 +169,6 @@ public final boolean isFullyAuthenticated() {
 		return isGranted(this.authorizationManagerFactory.fullyAuthenticated());
 	}
 
-	@SuppressWarnings("DataFlowIssue")
 	private boolean isGranted(AuthorizationManager<T> authorizationManager) {
 		AuthorizationResult authorizationResult = authorizationManager.authorize(this.authentication, this.object);
 		return (authorizationResult != null && authorizationResult.isGranted());

core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java

@@ -18,6 +18,8 @@
 
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
@@ -30,7 +32,7 @@
  * @author Evgeniy Cheban
  * @since 5.5
  */
-public final class AuthenticatedAuthorizationManager<T> implements AuthorizationManager<T> {
+public final class AuthenticatedAuthorizationManager<T extends @Nullable Object> implements AuthorizationManager<T> {
 
 	private final AbstractAuthorizationStrategy authorizationStrategy;
 

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -19,6 +19,8 @@
 import java.util.Set;
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
@@ -32,7 +34,7 @@
  * @author Evgeniy Cheban
  * @since 5.5
  */
-public final class AuthorityAuthorizationManager<T> implements AuthorizationManager<T> {
+public final class AuthorityAuthorizationManager<T extends @Nullable Object> implements AuthorizationManager<T> {
 
 	private static final String ROLE_PREFIX = "ROLE_";
 

core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java

@@ -18,6 +18,7 @@
 
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.AccessDeniedException;
@@ -30,8 +31,9 @@
  * @param <T> the type of object that the authorization check is being done on.
  * @author Evgeniy Cheban
  */
+@NullUnmarked
 @FunctionalInterface
-public interface AuthorizationManager<@Nullable T> {
+public interface AuthorizationManager<T> {
 
 	/**
 	 * Determines if access should be granted for a specific authentication and object.

core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactory.java

@@ -16,14 +16,16 @@
 
 package org.springframework.security.authorization;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * A factory for creating different kinds of {@link AuthorizationManager} instances.
  *
  * @param <T> the type of object that the authorization check is being done on
  * @author Steve Riesenberg
  * @since 7.0
  */
-public interface AuthorizationManagerFactory<T> {
+public interface AuthorizationManagerFactory<T extends @Nullable Object> {
 
 	/**
 	 * Create an {@link AuthorizationManager} that allows anyone.

core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.authorization;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
@@ -29,7 +31,8 @@
  * @author Steve Riesenberg
  * @since 7.0
  */
-public final class DefaultAuthorizationManagerFactory<T> implements AuthorizationManagerFactory<T> {
+public final class DefaultAuthorizationManagerFactory<T extends @Nullable Object>
+		implements AuthorizationManagerFactory<T> {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 

core/src/main/java/org/springframework/security/authorization/SingleResultAuthorizationManager.java

@@ -18,6 +18,8 @@
 
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 
@@ -28,7 +30,7 @@
  * @author Max Batischev
  * @since 6.5
  */
-public final class SingleResultAuthorizationManager<C> implements AuthorizationManager<C> {
+public final class SingleResultAuthorizationManager<C extends @Nullable Object> implements AuthorizationManager<C> {
 
 	private static final SingleResultAuthorizationManager<?> DENY_MANAGER = new SingleResultAuthorizationManager<>(
 			new AuthorizationDecision(false));