Switch to JSpecify annotations in spring-security-web

web/src/main/java/org/springframework/security/web/DefaultSecurityFilterChain.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NonNull;
 
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanFactory;
@@ -32,7 +33,6 @@
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.core.log.LogMessage;
-import org.springframework.lang.NonNull;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.StringUtils;
 

web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java

@@ -18,9 +18,9 @@
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.http.HttpMethod;
-import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -100,8 +100,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 	 * @return the password that will be presented in the <code>Authentication</code>
 	 * request token to the <code>AuthenticationManager</code>
 	 */
-	@Nullable
-	protected String obtainPassword(HttpServletRequest request) {
+	@Nullable protected String obtainPassword(HttpServletRequest request) {
 		return request.getParameter(this.passwordParameter);
 	}
 
@@ -112,8 +111,7 @@ protected String obtainPassword(HttpServletRequest request) {
 	 * @return the username that will be presented in the <code>Authentication</code>
 	 * request token to the <code>AuthenticationManager</code>
 	 */
-	@Nullable
-	protected String obtainUsername(HttpServletRequest request) {
+	@Nullable protected String obtainUsername(HttpServletRequest request) {
 		return request.getParameter(this.usernameParameter);
 	}
 

web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenRequestResolver.java

@@ -17,8 +17,8 @@
 package org.springframework.security.web.authentication.ott;
 
 import jakarta.servlet.http.HttpServletRequest;
+import org.jspecify.annotations.Nullable;
 
-import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.ott.GenerateOneTimeTokenRequest;
 
 /**
@@ -35,7 +35,6 @@ public interface GenerateOneTimeTokenRequestResolver {
 	 * @param request {@link HttpServletRequest} to resolve
 	 * @return {@link GenerateOneTimeTokenRequest}
 	 */
-	@Nullable
-	GenerateOneTimeTokenRequest resolve(HttpServletRequest request);
+	@Nullable GenerateOneTimeTokenRequest resolve(HttpServletRequest request);
 
 }

web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,8 +25,8 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NonNull;
 
-import org.springframework.lang.NonNull;
 import org.springframework.security.authentication.password.CompromisedPasswordChecker;
 import org.springframework.security.authentication.password.CompromisedPasswordDecision;
 import org.springframework.security.crypto.codec.Hex;
@@ -61,8 +61,7 @@ public HaveIBeenPwnedRestApiPasswordChecker() {
 	}
 
 	@Override
-	@NonNull
-	public CompromisedPasswordDecision check(String password) {
+	@NonNull public CompromisedPasswordDecision check(String password) {
 		byte[] hash = this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
 		String encoded = new String(Hex.encode(hash)).toUpperCase(Locale.ROOT);
 		String prefix = encoded.substring(0, PREFIX_LENGTH);

web/src/main/java/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,7 +20,8 @@
 import java.util.Map;
 import java.util.regex.Pattern;
 
-import org.springframework.lang.NonNull;
+import org.jspecify.annotations.NonNull;
+
 import org.springframework.security.web.server.csrf.CsrfToken;
 import org.springframework.web.reactive.result.view.RequestDataValueProcessor;
 import org.springframework.web.server.ServerWebExchange;

web/src/main/java/org/springframework/security/web/server/ObservationWebFilterChainDecorator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,9 +26,9 @@
 import io.micrometer.observation.ObservationConvention;
 import io.micrometer.observation.ObservationRegistry;
 import io.micrometer.observation.contextpropagation.ObservationThreadLocalAccessor;
+import org.jspecify.annotations.Nullable;
 import reactor.core.publisher.Mono;
 
-import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.server.ServerWebExchange;
@@ -108,11 +108,9 @@ static class ObservationWebFilterChain implements WebFilterChain {
 
 		private final WebHandler handler;
 
-		@Nullable
-		private final ObservationWebFilter currentFilter;
+		@Nullable private final ObservationWebFilter currentFilter;
 
-		@Nullable
-		private final ObservationWebFilterChain chain;
+		@Nullable private final ObservationWebFilterChain chain;
 
 		/**
 		 * Public constructor with the list of filters and the target handler to use.

web/src/main/java/org/springframework/security/web/server/authentication/ServerX509AuthenticationConverter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,10 +20,10 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NonNull;
 import reactor.core.publisher.Mono;
 
 import org.springframework.http.server.reactive.SslInfo;
-import org.springframework.lang.NonNull;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,12 +23,12 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NonNull;
+import org.jspecify.annotations.Nullable;
 import reactor.core.publisher.Mono;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpMethod;
-import org.springframework.lang.NonNull;
-import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -215,8 +215,7 @@ protected String getUsername(ServerWebExchange exchange) {
 		return exchange.getRequest().getQueryParams().getFirst(SPRING_SECURITY_SWITCH_USERNAME_KEY);
 	}
 
-	@NonNull
-	private Mono<Authentication> attemptSwitchUser(Authentication currentAuthentication, String userName) {
+	@NonNull private Mono<Authentication> attemptSwitchUser(Authentication currentAuthentication, String userName) {
 		Assert.notNull(userName, "The userName can not be null.");
 		this.logger.debug(LogMessage.format("Attempting to switch to user [%s]", userName));
 		return this.userDetailsService.findByUsername(userName)
@@ -225,8 +224,7 @@ private Mono<Authentication> attemptSwitchUser(Authentication currentAuthenticat
 			.map((userDetails) -> createSwitchUserToken(userDetails, currentAuthentication));
 	}
 
-	@NonNull
-	private Authentication attemptExitUser(Authentication currentAuthentication) {
+	@NonNull private Authentication attemptExitUser(Authentication currentAuthentication) {
 		Optional<Authentication> sourceAuthentication = extractSourceAuthentication(currentAuthentication);
 		if (sourceAuthentication.isEmpty()) {
 			this.logger.debug("Failed to find original user");

web/src/main/java/org/springframework/security/web/servlet/util/matcher/PathPatternRequestMatcher.java

@@ -19,11 +19,11 @@
 import java.util.Objects;
 
 import jakarta.servlet.http.HttpServletRequest;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.http.HttpMethod;
 import org.springframework.http.server.PathContainer;
 import org.springframework.http.server.RequestPath;
-import org.springframework.lang.Nullable;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;

web/src/main/java/org/springframework/security/web/util/matcher/DispatcherTypeRequestMatcher.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,9 +18,9 @@
 
 import jakarta.servlet.DispatcherType;
 import jakarta.servlet.http.HttpServletRequest;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.http.HttpMethod;
-import org.springframework.lang.Nullable;
 import org.springframework.util.StringUtils;
 
 /**
@@ -36,8 +36,7 @@ public class DispatcherTypeRequestMatcher implements RequestMatcher {
 
 	private final DispatcherType dispatcherType;
 
-	@Nullable
-	private final HttpMethod httpMethod;
+	@Nullable private final HttpMethod httpMethod;
 
 	/**
 	 * Creates an instance which matches requests with the provided {@link DispatcherType}