AuthorizationManager allows null Authentication

It is possible to have a null Authentication and so the
AuthorizationManager APIs should allow for passing it in.

Closes gh-17795

Author: rwinch

config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt

@@ -235,13 +235,13 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
      * Specify that URLs are allowed by anyone.
      */
     val permitAll: AuthorizationManager<RequestAuthorizationContext> =
-        AuthorizationManager { _: Supplier<Authentication>, _: RequestAuthorizationContext -> AuthorizationDecision(true) }
+        AuthorizationManager { _: Supplier<Authentication?>, _: RequestAuthorizationContext -> AuthorizationDecision(true) }
 
     /**
      * Specify that URLs are not allowed by anyone.
      */
     val denyAll: AuthorizationManager<RequestAuthorizationContext> =
-        AuthorizationManager { _: Supplier<Authentication>, _: RequestAuthorizationContext -> AuthorizationDecision(false) }
+        AuthorizationManager { _: Supplier<Authentication?>, _: RequestAuthorizationContext -> AuthorizationDecision(false) }
 
     /**
      * Specify that URLs are allowed by any authenticated user.

config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt

@@ -193,7 +193,7 @@ class AuthorizeHttpRequestsDslTests {
     open class MvcMatcherPathVariablesConfig {
         @Bean
         open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
-            val access = AuthorizationManager { _: Supplier<Authentication>, context: RequestAuthorizationContext ->
+            val access = AuthorizationManager { _: Supplier<Authentication?>, context: RequestAuthorizationContext ->
                 AuthorizationDecision(context.variables["userName"] == "user")
             }
             http {

core/src/main/java/org/springframework/security/access/expression/AbstractSecurityExpressionHandler.java

@@ -70,7 +70,7 @@ public final void setExpressionParser(ExpressionParser expressionParser) {
 	 * suitable root object.
 	 */
 	@Override
-	public final EvaluationContext createEvaluationContext(Authentication authentication, T invocation) {
+	public final EvaluationContext createEvaluationContext(@Nullable Authentication authentication, T invocation) {
 		SecurityExpressionOperations root = createSecurityExpressionRoot(authentication, invocation);
 		StandardEvaluationContext ctx = createEvaluationContextInternal(authentication, invocation);
 		if (this.beanResolver != null) {
@@ -91,7 +91,8 @@ public final EvaluationContext createEvaluationContext(Authentication authentica
 	 * @return A {@code StandardEvaluationContext} or potentially a custom subclass if
 	 * overridden.
 	 */
-	protected StandardEvaluationContext createEvaluationContextInternal(Authentication authentication, T invocation) {
+	protected StandardEvaluationContext createEvaluationContextInternal(@Nullable Authentication authentication,
+			T invocation) {
 		return new StandardEvaluationContext();
 	}
 
@@ -102,8 +103,8 @@ protected StandardEvaluationContext createEvaluationContextInternal(Authenticati
 	 * @param invocation the invocation (filter, method, channel)
 	 * @return the object
 	 */
-	protected abstract SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
-			T invocation);
+	protected abstract SecurityExpressionOperations createSecurityExpressionRoot(
+			@Nullable Authentication authentication, T invocation);
 
 	protected @Nullable RoleHierarchy getRoleHierarchy() {
 		return this.roleHierarchy;

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionHandler.java

@@ -18,6 +18,8 @@
 
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.ExpressionParser;
@@ -42,7 +44,7 @@ public interface SecurityExpressionHandler<T> extends AopInfrastructureBean {
 	 * Provides an evaluation context in which to evaluate security expressions for the
 	 * invocation type.
 	 */
-	EvaluationContext createEvaluationContext(Authentication authentication, T invocation);
+	EvaluationContext createEvaluationContext(@Nullable Authentication authentication, T invocation);
 
 	/**
 	 * Provides an evaluation context in which to evaluate security expressions for the
@@ -55,7 +57,7 @@ public interface SecurityExpressionHandler<T> extends AopInfrastructureBean {
 	 * @return the {@link EvaluationContext} to use
 	 * @since 5.8
 	 */
-	default EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, T invocation) {
+	default EvaluationContext createEvaluationContext(Supplier<@Nullable Authentication> authentication, T invocation) {
 		return createEvaluationContext(authentication.get(), invocation);
 	}
 

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -78,7 +78,7 @@ public abstract class SecurityExpressionRoot implements SecurityExpressionOperat
 	 * Creates a new instance
 	 * @param authentication the {@link Authentication} to use. Cannot be null.
 	 */
-	public SecurityExpressionRoot(Authentication authentication) {
+	public SecurityExpressionRoot(@Nullable Authentication authentication) {
 		this(() -> authentication);
 	}
 
@@ -89,7 +89,7 @@ public SecurityExpressionRoot(Authentication authentication) {
 	 * Cannot be null.
 	 * @since 5.8
 	 */
-	public SecurityExpressionRoot(Supplier<Authentication> authentication) {
+	public SecurityExpressionRoot(Supplier<@Nullable Authentication> authentication) {
 		this.authentication = SingletonSupplier.of(() -> {
 			Authentication value = authentication.get();
 			Assert.notNull(value, "Authentication object cannot be null");

core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java

@@ -79,12 +79,14 @@ public DefaultMethodSecurityExpressionHandler() {
 	 * implementation.
 	 */
 	@Override
-	public StandardEvaluationContext createEvaluationContextInternal(Authentication auth, MethodInvocation mi) {
+	public StandardEvaluationContext createEvaluationContextInternal(@Nullable Authentication auth,
+			MethodInvocation mi) {
 		return new MethodSecurityEvaluationContext(auth, mi, getParameterNameDiscoverer());
 	}
 
 	@Override
-	public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
+	public EvaluationContext createEvaluationContext(Supplier<@Nullable Authentication> authentication,
+			MethodInvocation mi) {
 		MethodSecurityExpressionOperations root = createSecurityExpressionRoot(authentication, mi);
 		MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(root, mi,
 				getParameterNameDiscoverer());
@@ -96,13 +98,13 @@ public EvaluationContext createEvaluationContext(Supplier<Authentication> authen
 	 * Creates the root object for expression evaluation.
 	 */
 	@Override
-	protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication,
+	protected MethodSecurityExpressionOperations createSecurityExpressionRoot(@Nullable Authentication authentication,
 			MethodInvocation invocation) {
 		return createSecurityExpressionRoot(() -> authentication, invocation);
 	}
 
-	private MethodSecurityExpressionOperations createSecurityExpressionRoot(Supplier<Authentication> authentication,
-			MethodInvocation invocation) {
+	private MethodSecurityExpressionOperations createSecurityExpressionRoot(
+			Supplier<@Nullable Authentication> authentication, MethodInvocation invocation) {
 		MethodSecurityExpressionRoot root = new MethodSecurityExpressionRoot(authentication);
 		root.setThis(invocation.getThis());
 		root.setPermissionEvaluator(getPermissionEvaluator());

core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRoot.java

@@ -38,11 +38,11 @@ class MethodSecurityExpressionRoot extends SecurityExpressionRoot implements Met
 
 	private @Nullable Object target;
 
-	MethodSecurityExpressionRoot(Authentication a) {
+	MethodSecurityExpressionRoot(@Nullable Authentication a) {
 		super(a);
 	}
 
-	MethodSecurityExpressionRoot(Supplier<Authentication> authentication) {
+	MethodSecurityExpressionRoot(Supplier<@Nullable Authentication> authentication) {
 		super(authentication);
 	}
 

core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java

@@ -18,6 +18,8 @@
 
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
@@ -111,7 +113,7 @@ public static <T> AuthenticatedAuthorizationManager<T> anonymous() {
 	 * @return an {@link AuthorizationDecision}
 	 */
 	@Override
-	public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
+	public AuthorizationResult authorize(Supplier<@Nullable Authentication> authentication, T object) {
 		boolean granted = this.authorizationStrategy.isGranted(authentication.get());
 		return new AuthorizationDecision(granted);
 	}

core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java

@@ -19,6 +19,8 @@
 import java.util.Collection;
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
@@ -55,7 +57,8 @@ public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
 	 * @return an {@link AuthorityAuthorizationDecision}
 	 */
 	@Override
-	public AuthorizationResult authorize(Supplier<Authentication> authentication, Collection<String> authorities) {
+	public AuthorizationResult authorize(Supplier<@Nullable Authentication> authentication,
+			Collection<String> authorities) {
 		boolean granted = isGranted(authentication.get(), authorities);
 		return new AuthorityAuthorizationDecision(granted, AuthorityUtils.createAuthorityList(authorities));
 	}

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -19,6 +19,8 @@
 import java.util.Set;
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
@@ -137,7 +139,7 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 	 * {@inheritDoc}
 	 */
 	@Override
-	public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
+	public AuthorizationResult authorize(Supplier<@Nullable Authentication> authentication, T object) {
 		return this.delegate.authorize(authentication, this.authorities);
 	}