Revert "Allow null object for AuthorizationManagerFactory"

This reverts commit 223d1ce9a6f86ed208a0124b91b215187a62c40b.

Author: sjohnr

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -40,13 +40,13 @@
  * @author Steve Riesenberg
  * @since 3.0
  */
-public abstract class SecurityExpressionRoot<T extends @Nullable Object> implements SecurityExpressionOperations {
+public abstract class SecurityExpressionRoot<T> implements SecurityExpressionOperations {
 
 	private static final AuthorizationManagerFactory<?> DEFAULT_AUTHORIZATION_MANAGER_FACTORY = new DefaultAuthorizationManagerFactory<>();
 
 	private final Supplier<Authentication> authentication;
 
-	private final T object;
+	private final @Nullable T object;
 
 	private @Nullable DefaultAuthorizationManagerFactory<T> defaultAuthorizationManagerFactory;
 
@@ -94,7 +94,12 @@ public SecurityExpressionRoot(Authentication authentication) {
 	 */
 	@Deprecated(since = "7.0")
 	public SecurityExpressionRoot(Supplier<Authentication> authentication) {
-		this(authentication, null);
+		this.authentication = SingletonSupplier.of(() -> {
+			Authentication value = authentication.get();
+			Assert.notNull(value, "Authentication object cannot be null");
+			return value;
+		});
+		this.object = null;
 	}
 
 	/**
@@ -169,6 +174,7 @@ public final boolean isFullyAuthenticated() {
 		return isGranted(this.authorizationManagerFactory.fullyAuthenticated());
 	}
 
+	@SuppressWarnings("DataFlowIssue")
 	private boolean isGranted(AuthorizationManager<T> authorizationManager) {
 		AuthorizationResult authorizationResult = authorizationManager.authorize(this.authentication, this.object);
 		return (authorizationResult != null && authorizationResult.isGranted());

core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java

@@ -18,8 +18,6 @@
 
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.Nullable;
-
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
@@ -32,7 +30,7 @@
  * @author Evgeniy Cheban
  * @since 5.5
  */
-public final class AuthenticatedAuthorizationManager<T extends @Nullable Object> implements AuthorizationManager<T> {
+public final class AuthenticatedAuthorizationManager<T> implements AuthorizationManager<T> {
 
 	private final AbstractAuthorizationStrategy authorizationStrategy;
 

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -19,8 +19,6 @@
 import java.util.Set;
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.Nullable;
-
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
@@ -34,7 +32,7 @@
  * @author Evgeniy Cheban
  * @since 5.5
  */
-public final class AuthorityAuthorizationManager<T extends @Nullable Object> implements AuthorizationManager<T> {
+public final class AuthorityAuthorizationManager<T> implements AuthorizationManager<T> {
 
 	private static final String ROLE_PREFIX = "ROLE_";
 

core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java

@@ -18,7 +18,6 @@
 
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.AccessDeniedException;
@@ -31,9 +30,8 @@
  * @param <T> the type of object that the authorization check is being done on.
  * @author Evgeniy Cheban
  */
-@NullUnmarked
 @FunctionalInterface
-public interface AuthorizationManager<T> {
+public interface AuthorizationManager<@Nullable T> {
 
 	/**
 	 * Determines if access should be granted for a specific authentication and object.

core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactory.java

@@ -16,16 +16,14 @@
 
 package org.springframework.security.authorization;
 
-import org.jspecify.annotations.Nullable;
-
 /**
  * A factory for creating different kinds of {@link AuthorizationManager} instances.
  *
  * @param <T> the type of object that the authorization check is being done on
  * @author Steve Riesenberg
  * @since 7.0
  */
-public interface AuthorizationManagerFactory<T extends @Nullable Object> {
+public interface AuthorizationManagerFactory<T> {
 
 	/**
 	 * Create an {@link AuthorizationManager} that allows anyone.

core/src/main/java/org/springframework/security/authorization/DefaultAuthorizationManagerFactory.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.authorization;
 
-import org.jspecify.annotations.Nullable;
-
 import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
@@ -31,8 +29,7 @@
  * @author Steve Riesenberg
  * @since 7.0
  */
-public final class DefaultAuthorizationManagerFactory<T extends @Nullable Object>
-		implements AuthorizationManagerFactory<T> {
+public final class DefaultAuthorizationManagerFactory<T> implements AuthorizationManagerFactory<T> {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 

core/src/main/java/org/springframework/security/authorization/SingleResultAuthorizationManager.java

@@ -18,8 +18,6 @@
 
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.Nullable;
-
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 
@@ -30,7 +28,7 @@
  * @author Max Batischev
  * @since 6.5
  */
-public final class SingleResultAuthorizationManager<C extends @Nullable Object> implements AuthorizationManager<C> {
+public final class SingleResultAuthorizationManager<C> implements AuthorizationManager<C> {
 
 	private static final SingleResultAuthorizationManager<?> DENY_MANAGER = new SingleResultAuthorizationManager<>(
 			new AuthorizationDecision(false));