Merge branch 'main' into gh-16390

Signed-off-by: yoobin_mion <[email protected]>

Author: yybmion

.github/workflows/check-snapshots.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch: # Manual trigger
+
+env:
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+permissions:
+  contents: read
+
+jobs:
+  snapshot-test:
+    name: Test Against Snapshots
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    strategy:
+      matrix:
+        include:
+          - java-version: 21-ea
+            toolchain: 21
+          - java-version: 17
+            toolchain: 17
+    with:
+      java-version: ${{ matrix.java-version }}
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
+    secrets: inherit
+  send-notification:
+    name: Send Notification
+    needs: [ snapshot-test ]
+    if: ${{ !success() }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Notification
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+        with:
+          webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -27,37 +27,24 @@ jobs:
       java-version: ${{ matrix.jdk }}
       distribution: temurin
     secrets: inherit
-  test:
-    name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
-    strategy:
-      matrix:
-        include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
-    with:
-      java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
-    secrets: inherit
   deploy-artifacts:
     name: Deploy Artifacts
-    needs: [ build, test]
+    needs: [ build]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
+      default-publish-milestones-central: true
     secrets: inherit
   deploy-docs:
     name: Deploy Docs
-    needs: [ build, test ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
     with:
       should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
-    needs: [ build, test ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
@@ -69,7 +56,7 @@ jobs:
     with:
       should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
       project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
-      milestone-repo-url: https://repo.spring.io/artifactory/milestone
+      milestone-repo-url: https://repo1.maven.org/maven2
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing

buildSrc/build.gradle

@@ -64,6 +64,7 @@ configurations {
 dependencies {
 	implementation platform(libs.io.projectreactor.reactor.bom)
 
+	implementation libs.spring.nullability
 	implementation libs.com.google.code.gson.gson
 	implementation libs.com.thaiopensource.trag
 	implementation libs.net.sourceforge.saxon.saxon

buildSrc/src/main/groovy/security-nullability.gradle

@@ -0,0 +1,3 @@
+plugins {
+    id 'io.spring.nullability'
+}

config/spring-security-config.gradle

@@ -31,6 +31,7 @@ dependencies {
 	optional project(':spring-security-oauth2-resource-server')
 	optional project(':spring-security-rsocket')
 	optional project(':spring-security-web')
+	optional project(':spring-security-webauthn')
 	optional 'io.projectreactor:reactor-core'
 	optional 'org.aspectj:aspectjweaver'
 	optional 'org.springframework:spring-jdbc'
@@ -43,7 +44,6 @@ dependencies {
 	optional 'org.jetbrains.kotlin:kotlin-reflect'
 	optional 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
 	optional 'jakarta.annotation:jakarta.annotation-api'
-	optional libs.webauthn4j.core
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
@@ -57,6 +57,7 @@ dependencies {
 	testImplementation project(':spring-security-saml2-service-provider')
 	testImplementation project(path : ':spring-security-saml2-service-provider', configuration : 'tests')
 	testImplementation project(path : ':spring-security-web', configuration : 'tests')
+	testImplementation project(path : ':spring-security-webauthn', configuration : 'tests')
 	testImplementation "jakarta.inject:jakarta.inject-api"
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"

config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

@@ -50,6 +50,7 @@
  * @param <O> The object that this builder returns
  * @param <B> The type of this builder (that is returned by the base class)
  * @author Rob Winch
+ * @author DingHao
  * @see WebSecurity
  */
 public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
@@ -59,7 +60,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 
 	private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();
 
-	private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
+	private List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
 
 	private final Map<Class<?>, Object> sharedObjects = new HashMap<>();
 
@@ -114,34 +115,38 @@ public O getOrBuild() {
 	}
 
 	/**
-	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
-	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
+	 * Applies a {@link SecurityConfigurer} to this {@link SecurityBuilder} overriding any
+	 * {@link SecurityConfigurer} of the exact same class. Note that object hierarchies
+	 * are not considered.
 	 * @param configurer
 	 * @return the {@link SecurityConfigurerAdapter} for further customizations
 	 * @throws Exception
-	 * @deprecated For removal in 7.0. Use
-	 * {@link #with(SecurityConfigurerAdapter, Customizer)} instead.
 	 */
-	@Deprecated(since = "6.2", forRemoval = true)
-	@SuppressWarnings("unchecked")
-	public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer) throws Exception {
-		configurer.addObjectPostProcessor(this.objectPostProcessor);
-		configurer.setBuilder((B) this);
+	public <C extends SecurityConfigurer<O, B>> C apply(C configurer) throws Exception {
 		add(configurer);
 		return configurer;
 	}
 
 	/**
-	 * Applies a {@link SecurityConfigurer} to this {@link SecurityBuilder} overriding any
-	 * {@link SecurityConfigurer} of the exact same class. Note that object hierarchies
-	 * are not considered.
+	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
+	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
+	 *
+	 * <p>
+	 * A shortcut for applying a configurer as-is, or in other words: <code>
+	 *     .with(new MyConfigurer())
+	 * </code>
+	 *
+	 * <p>
+	 * Is identical to: <code>
+	 *     .with(new MyConfigurer(), Customizer.withDefaults())
+	 * </code>
 	 * @param configurer
-	 * @return the {@link SecurityConfigurerAdapter} for further customizations
+	 * @return the {@link SecurityBuilder} for further customizations
 	 * @throws Exception
+	 * @since 7.0
 	 */
-	public <C extends SecurityConfigurer<O, B>> C apply(C configurer) throws Exception {
-		add(configurer);
-		return configurer;
+	public <C extends SecurityConfigurerAdapter<O, B>> B with(C configurer) throws Exception {
+		return with(configurer, Customizer.withDefaults());
 	}
 
 	/**
@@ -365,8 +370,12 @@ private void init() throws Exception {
 		for (SecurityConfigurer<O, B> configurer : configurers) {
 			configurer.init((B) this);
 		}
-		for (SecurityConfigurer<O, B> configurer : this.configurersAddedInInitializing) {
-			configurer.init((B) this);
+		while (!this.configurersAddedInInitializing.isEmpty()) {
+			List<SecurityConfigurer<O, B>> toInit = this.configurersAddedInInitializing;
+			this.configurersAddedInInitializing = new ArrayList<>();
+			for (SecurityConfigurer<O, B> configurer : toInit) {
+				configurer.init((B) this);
+			}
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java

@@ -21,6 +21,7 @@
 
 import org.springframework.core.GenericTypeResolver;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.util.Assert;
 
@@ -83,7 +84,7 @@ public void addObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) {
 
 	/**
 	 * Sets the {@link SecurityBuilder} to be used. This is automatically set when using
-	 * {@link AbstractConfiguredSecurityBuilder#apply(SecurityConfigurerAdapter)}
+	 * {@link AbstractConfiguredSecurityBuilder#with(SecurityConfigurerAdapter, Customizer)}
 	 * @param builder the {@link SecurityBuilder} to set
 	 */
 	public void setBuilder(B builder) {

config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java

@@ -195,7 +195,9 @@ public <T extends UserDetailsService> DaoAuthenticationConfigurer<Authentication
 	 * @throws Exception if an error occurs when adding the LDAP authentication
 	 */
 	public LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldapAuthentication() throws Exception {
-		return apply(new LdapAuthenticationProviderConfigurer<>());
+		LdapAuthenticationProviderConfigurer<AuthenticationManagerBuilder> ldap = new LdapAuthenticationProviderConfigurer<>();
+		with(ldap);
+		return ldap;
 	}
 
 	/**
@@ -277,7 +279,8 @@ public UserDetailsService getDefaultUserDetailsService() {
 	private <C extends UserDetailsAwareConfigurer<AuthenticationManagerBuilder, ? extends UserDetailsService>> C apply(
 			C configurer) throws Exception {
 		this.defaultUserDetailsService = configurer.getUserDetailsService();
-		return super.apply(configurer);
+		with(configurer);
+		return configurer;
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/EnableGlobalAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,6 @@
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
 
 /**
  * The {@link EnableGlobalAuthentication} annotation signals that the annotated class can
@@ -87,14 +86,12 @@
  *
  * <ul>
  * <li>{@link EnableWebSecurity}</li>
- * <li>{@link EnableWebMvcSecurity}</li>
  * <li>{@link EnableGlobalMethodSecurity}</li>
  * </ul>
  *
  * Configuring {@link AuthenticationManagerBuilder} in a class without the
  * {@link EnableGlobalAuthentication} annotation has unpredictable results.
  *
- * @see EnableWebMvcSecurity
  * @see EnableWebSecurity
  * @see EnableGlobalMethodSecurity
  * @author Rob Winch

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyDataConfiguration.java

@@ -49,7 +49,7 @@ DataTargetVisitor dataTargetVisitor() {
 		return new DataTargetVisitor();
 	}
 
-	private static final class DataTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
+	static final class DataTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
 
 		private static final int DEFAULT_ORDER = 200;