Enable Null checking in spring-security-web via JSpecify

Closes gh-17535

Author: rwinch

config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt

@@ -367,7 +367,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomFilterConfig::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filters: List<Filter> = filterChain.getFilters("/")
+        val filters: List<Filter>? = filterChain.getFilters("/")
 
         assertThat(filters).anyMatch { it is CustomFilter }
     }
@@ -390,7 +390,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomFilterConfigReified::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filters: List<Filter> = filterChain.getFilters("/")
+        val filters: List<Filter>? = filterChain.getFilters("/")
 
         assertThat(filters).anyMatch { it is CustomFilter }
     }
@@ -413,7 +413,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomFilterAfterConfig::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filters: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filters: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filters).containsSubsequence(
             UsernamePasswordAuthenticationFilter::class.java,
@@ -440,7 +440,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomFilterAfterConfigReified::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filterClasses).containsSubsequence(
             UsernamePasswordAuthenticationFilter::class.java,
@@ -467,7 +467,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomFilterBeforeConfig::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filters: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filters: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filters).containsSubsequence(
             CustomFilter::class.java,
@@ -494,7 +494,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomFilterBeforeConfigReified::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filterClasses).containsSubsequence(
             CustomFilter::class.java,
@@ -523,7 +523,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomSecurityConfigurerConfig::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filterClasses).contains(
             CustomFilter::class.java
@@ -535,7 +535,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomSecurityConfigurerConfig::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filterClasses).contains(
             CustomFilter::class.java
@@ -588,7 +588,7 @@ class HttpSecurityDslTests {
         this.spring.register(CustomDslUsingWithConfig::class.java).autowire()
 
         val filterChain = spring.context.getBean(FilterChainProxy::class.java)
-        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/").map { it.javaClass }
+        val filterClasses: List<Class<out Filter>> = filterChain.getFilters("/")!!.map { it.javaClass }
 
         assertThat(filterClasses).contains(
             UsernamePasswordAuthenticationFilter::class.java

config/src/test/kotlin/org/springframework/security/config/annotation/web/LogoutDslTests.kt

@@ -350,8 +350,8 @@ class LogoutDslTests {
 
     class NoopLogoutHandler: LogoutHandler {
         override fun logout(
-            request: HttpServletRequest?,
-            response: HttpServletResponse?,
+            request: HttpServletRequest,
+            response: HttpServletResponse,
             authentication: Authentication?
         ) { }
 

config/src/test/kotlin/org/springframework/security/config/annotation/web/RequiresChannelDslTests.kt

@@ -132,8 +132,8 @@ class RequiresChannelDslTests {
 
         companion object {
             val CHANNEL_PROCESSOR: ChannelProcessor = object : ChannelProcessor {
-                override fun decide(invocation: FilterInvocation?, config: MutableCollection<ConfigAttribute>?) {}
-                override fun supports(attribute: ConfigAttribute?): Boolean = true
+                override fun decide(invocation: FilterInvocation, config: MutableCollection<ConfigAttribute>) {}
+                override fun supports(attribute: ConfigAttribute): Boolean = true
             }
         }
 

config/src/test/kotlin/org/springframework/security/config/annotation/web/SecurityContextDslTests.kt

@@ -93,7 +93,7 @@ class SecurityContextDslTests {
         testContext.autowire()
         val filterChainProxy = testContext.context.getBean(FilterChainProxy::class.java)
         // @formatter:off
-        val filterTypes = filterChainProxy.getFilters("/").toList()
+        val filterTypes = filterChainProxy.getFilters("/")!!.toList()
 
         assertThat(filterTypes)
                 .anyMatch { it is SecurityContextHolderFilter }

config/src/test/kotlin/org/springframework/security/config/web/server/ServerHttpBasicDslTests.kt

@@ -270,8 +270,8 @@ class ServerHttpBasicDslTests {
 
     open class MockServerAuthenticationFailureHandler: ServerAuthenticationFailureHandler {
         override fun onAuthenticationFailure(
-            webFilterExchange: WebFilterExchange?,
-            exception: AuthenticationException?
+            webFilterExchange: WebFilterExchange,
+            exception: AuthenticationException
         ): Mono<Void> {
             return Mono.empty()
         }

core/src/main/java/org/springframework/security/access/ConfigAttribute.java

@@ -18,6 +18,8 @@
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.NullUnmarked;
+
 import org.springframework.security.access.intercept.RunAsManager;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;
@@ -45,6 +47,7 @@
  * {@link AuthorizationManager}.
  */
 @Deprecated
+@NullUnmarked
 public interface ConfigAttribute extends Serializable {
 
 	/**

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -177,7 +177,7 @@ public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
 		this.trustResolver = trustResolver;
 	}
 
-	public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
+	public void setRoleHierarchy(@Nullable RoleHierarchy roleHierarchy) {
 		this.roleHierarchy = roleHierarchy;
 	}
 

core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java

@@ -85,6 +85,7 @@ public StandardEvaluationContext createEvaluationContextInternal(@Nullable Authe
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // FIXME: Dataflow analysis limitation
 	public EvaluationContext createEvaluationContext(Supplier<? extends @Nullable Authentication> authentication,
 			MethodInvocation mi) {
 		MethodSecurityExpressionOperations root = createSecurityExpressionRoot(authentication, mi);

core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -18,6 +18,8 @@
 
 import java.util.Collection;
 
+import org.jspecify.annotations.NullUnmarked;
+
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -53,6 +55,7 @@
  * instead
  */
 @Deprecated
+@NullUnmarked
 public class RoleVoter implements AccessDecisionVoter<Object> {
 
 	private String rolePrefix = "ROLE_";

core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolver.java

@@ -18,6 +18,7 @@
 
 import org.jspecify.annotations.Nullable;
 
+import org.springframework.lang.Contract;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -80,6 +81,7 @@ default boolean isFullyAuthenticated(@Nullable Authentication authentication) {
 	 * {@link Authentication#isAuthenticated()} is true.
 	 * @since 6.1.7
 	 */
+	@Contract("null -> false")
 	default boolean isAuthenticated(@Nullable Authentication authentication) {
 		return authentication != null && authentication.isAuthenticated() && !isAnonymous(authentication);
 	}