Make classes final where possible

Update classes that have private constructors so that they are also declared final. In a few cases, inner-classes used private constructors but were subclassed. These have now been changed to have package-private constructors. Issue gh-8945
2025-05-31 09:12:14 +00:00 · 2020-07-24 19:03:31 -07:00 · 2020-07-24 19:03:31 -07:00 · 6894ff5d12
commit 6894ff5d12
parent b5d499e2eb
58 changed files with 229 additions and 226 deletions
--- a/acl/src/test/java/org/springframework/security/acls/jdbc/JdbcMutableAclServiceTests.java
+++ b/acl/src/test/java/org/springframework/security/acls/jdbc/JdbcMutableAclServiceTests.java
@ -550,7 +550,7 @@ public class JdbcMutableAclServiceTests extends AbstractTransactionalJUnit4Sprin
 	 */
 	private class CustomJdbcMutableAclService extends JdbcMutableAclService {
-		private CustomJdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
+		CustomJdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
 			super(dataSource, lookupStrategy, aclCache);
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/UserDetailsManagerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/UserDetailsManagerConfigurer.java
@ -104,7 +104,7 @@ public class UserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B>, C
 	 * Builds the user to be added. At minimum the username, password, and authorities
 	 * should provided. The remaining attributes have reasonable defaults.
 	 */
-	public class UserDetailsBuilder {
+	public final class UserDetailsBuilder {
 		private UserBuilder user;
--- a/config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java
@ -164,7 +164,7 @@ public class RSocketSecurity {
 	/**
 	 * @since 5.3
 	 */
-	public class SimpleAuthenticationSpec {
+	public final class SimpleAuthenticationSpec {
 		private ReactiveAuthenticationManager authenticationManager;
@ -208,7 +208,7 @@ public class RSocketSecurity {
 		return this;
 	}
-	public class BasicAuthenticationSpec {
+	public final class BasicAuthenticationSpec {
 		private ReactiveAuthenticationManager authenticationManager;
@ -244,7 +244,7 @@ public class RSocketSecurity {
 		return this;
 	}
-	public class JwtSpec {
+	public final class JwtSpec {
 		private ReactiveAuthenticationManager authenticationManager;
@ -370,7 +370,7 @@ public class RSocketSecurity {
 			return new Access(matcher);
 		}
-		public class Access {
+		public final class Access {
 			private final PayloadExchangeMatcher matcher;
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@ -2942,10 +2942,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 		protected List<RequestMatcher> matchers = new ArrayList<>();
-		/**
+		RequestMatcherConfigurer(ApplicationContext context) {
 		 * @param context
 		 */
 		private RequestMatcherConfigurer(ApplicationContext context) {
 			setApplicationContext(context);
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@ -337,7 +337,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 	 */
 	public class IgnoredRequestConfigurer extends AbstractRequestMatcherRegistry<IgnoredRequestConfigurer> {
-		private IgnoredRequestConfigurer(ApplicationContext context) {
+		IgnoredRequestConfigurer(ApplicationContext context) {
 			setApplicationContext(context);
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java
@ -220,7 +220,7 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 		protected List<? extends RequestMatcher> requestMatchers;
-		private RequiresChannelUrl(List<? extends RequestMatcher> requestMatchers) {
+		RequiresChannelUrl(List<? extends RequestMatcher> requestMatchers) {
 			this.requestMatchers = requestMatchers;
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
@ -303,8 +303,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @since 5.2
 	 */
 	private SessionAuthenticationStrategy getSessionAuthenticationStrategy() {
-		if (sessionAuthenticationStrategy != null) {
+		if (this.sessionAuthenticationStrategy != null) {
-			return sessionAuthenticationStrategy;
+			return this.sessionAuthenticationStrategy;
 		}
 		else {
 			return new CsrfAuthenticationStrategy(this.csrfTokenRepository);
@ -321,10 +321,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 */
 	private class IgnoreCsrfProtectionRegistry extends AbstractRequestMatcherRegistry<IgnoreCsrfProtectionRegistry> {
-		/**
+		IgnoreCsrfProtectionRegistry(ApplicationContext context) {
 		 * @param context
 		 */
 		private IgnoreCsrfProtectionRegistry(ApplicationContext context) {
 			setApplicationContext(context);
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@ -109,7 +109,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		return REGISTRY;
 	}
-	public class ExpressionInterceptUrlRegistry extends
+	public final class ExpressionInterceptUrlRegistry extends
 			ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<ExpressionInterceptUrlRegistry, AuthorizedUrl> {
 		/**
@ -130,7 +130,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		}
 		@Override
-		protected final AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
+		protected AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return new AuthorizedUrl(requestMatchers);
 		}
@ -267,7 +267,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 	 *
 	 * @author Rob Winch
 	 */
-	public class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
+	public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
 		/**
 		 * Creates a new instance
@ -296,7 +296,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		 * Creates a new instance
 		 * @param requestMatchers the {@link RequestMatcher} instances to map
 		 */
-		private AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
+		AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
 			this.requestMatchers = requestMatchers;
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java
@ -113,7 +113,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
-	public class StandardInterceptUrlRegistry extends
+	public final class StandardInterceptUrlRegistry extends
 			ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<StandardInterceptUrlRegistry, AuthorizedUrl> {
 		/**
@ -134,7 +134,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		}
 		@Override
-		protected final AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
+		protected AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return new AuthorizedUrl(requestMatchers);
 		}
@ -275,7 +275,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		 * @param requestMatchers the {@link RequestMatcher} instances to map to some
 		 * {@link ConfigAttribute} instances.
 		 */
-		private AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
+		AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
 			Assert.notEmpty(requestMatchers, "requestMatchers must contain at least one value");
 			this.requestMatchers = requestMatchers;
 		}
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java
@ -154,7 +154,7 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the OAuth 2.0 Authorization Code Grant.
 	 */
-	public class AuthorizationCodeGrantConfigurer {
+	public final class AuthorizationCodeGrantConfigurer {
 		private OAuth2AuthorizationRequestResolver authorizationRequestResolver;
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@ -224,7 +224,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Authorization Server's Authorization Endpoint.
 	 */
-	public class AuthorizationEndpointConfig {
+	public final class AuthorizationEndpointConfig {
 		private String authorizationRequestBaseUri;
@ -308,7 +308,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Authorization Server's Token Endpoint.
 	 */
-	public class TokenEndpointConfig {
+	public final class TokenEndpointConfig {
 		private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
@ -364,7 +364,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Client's Redirection Endpoint.
 	 */
-	public class RedirectionEndpointConfig {
+	public final class RedirectionEndpointConfig {
 		private String authorizationResponseBaseUri;
@ -416,7 +416,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Authorization Server's UserInfo Endpoint.
 	 */
-	public class UserInfoEndpointConfig {
+	public final class UserInfoEndpointConfig {
 		private OAuth2UserService<OAuth2UserRequest, OAuth2User> userService;
--- a/config/src/main/java/org/springframework/security/config/annotation/web/messaging/MessageSecurityMetadataSourceRegistry.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/messaging/MessageSecurityMetadataSourceRegistry.java
@ -251,7 +251,7 @@ public class MessageSecurityMetadataSourceRegistry {
 	 * Represents the security constraint to be applied to the {@link MessageMatcher}
 	 * instances.
 	 */
-	public class Constraint {
+	public final class Constraint {
 		private final List<? extends MatcherBuilder> messageMatchers;
@ -409,7 +409,7 @@ public class MessageSecurityMetadataSourceRegistry {
 		return "hasAnyAuthority('" + anyAuthorities + "')";
 	}
-	private static class PreBuiltMatcherBuilder implements MatcherBuilder {
+	private final static class PreBuiltMatcherBuilder implements MatcherBuilder {
 		private MessageMatcher<?> matcher;
@ -423,7 +423,7 @@ public class MessageSecurityMetadataSourceRegistry {
 	}
-	private class PathMatcherMessageMatcherBuilder implements MatcherBuilder {
+	private final class PathMatcherMessageMatcherBuilder implements MatcherBuilder {
 		private final String pattern;
--- a/config/src/main/java/org/springframework/security/config/http/GrantedAuthorityDefaultsParserUtils.java
+++ b/config/src/main/java/org/springframework/security/config/http/GrantedAuthorityDefaultsParserUtils.java
@ -27,7 +27,10 @@ import org.springframework.security.config.core.GrantedAuthorityDefaults;
 * @author Rob Winch
 * @since 4.2
 */
-class GrantedAuthorityDefaultsParserUtils {
+final class GrantedAuthorityDefaultsParserUtils {
 	private GrantedAuthorityDefaultsParserUtils() {
 	}
 	static RootBeanDefinition registerWithDefaultRolePrefix(ParserContext pc,
 			Class<? extends AbstractGrantedAuthorityDefaultsBeanFactory> beanFactoryClass) {
@ -60,7 +63,4 @@ class GrantedAuthorityDefaultsParserUtils {
 	}
 	private GrantedAuthorityDefaultsParserUtils() {
 	}
 }
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -628,10 +628,13 @@ public class ServerHttpSecurity {
 	 * Configures CORS support within Spring Security. This ensures that the
 	 * {@link CorsWebFilter} is place in the correct order.
 	 */
-	public class CorsSpec {
+	public final class CorsSpec {
 		private CorsWebFilter corsFilter;
 		private CorsSpec() {
 		}
 		/**
 		 * Configures the {@link CorsConfigurationSource} to be used
 		 * @param source the source to use
@ -683,9 +686,6 @@ public class ServerHttpSecurity {
 			return this.corsFilter;
 		}
 		private CorsSpec() {
 		}
 	}
 	/**
@ -874,12 +874,15 @@ public class ServerHttpSecurity {
 	 * @since 5.2
 	 * @see #x509()
 	 */
-	public class X509Spec {
+	public final class X509Spec {
 		private X509PrincipalExtractor principalExtractor;
 		private ReactiveAuthenticationManager authenticationManager;
 		private X509Spec() {
 		}
 		public X509Spec principalExtractor(X509PrincipalExtractor principalExtractor) {
 			this.principalExtractor = principalExtractor;
 			return this;
@ -923,9 +926,6 @@ public class ServerHttpSecurity {
 			return authenticationManager;
 		}
 		private X509Spec() {
 		}
 	}
 	/**
@ -981,7 +981,7 @@ public class ServerHttpSecurity {
 		return this;
 	}
-	public class OAuth2LoginSpec {
+	public final class OAuth2LoginSpec {
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
@ -1003,6 +1003,9 @@ public class ServerHttpSecurity {
 		private ServerAuthenticationFailureHandler authenticationFailureHandler;
 		private OAuth2LoginSpec() {
 		}
 		/**
 		 * Configures the {@link ReactiveAuthenticationManager} to use. The default is
 		 * {@link OAuth2AuthorizationCodeReactiveAuthenticationManager}
@ -1378,9 +1381,6 @@ public class ServerHttpSecurity {
 			return service;
 		}
 		private OAuth2LoginSpec() {
 		}
 	}
 	/**
@ -1434,7 +1434,7 @@ public class ServerHttpSecurity {
 		return this;
 	}
-	public class OAuth2ClientSpec {
+	public final class OAuth2ClientSpec {
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
@ -1446,6 +1446,9 @@ public class ServerHttpSecurity {
 		private ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
 		private OAuth2ClientSpec() {
 		}
 		/**
 		 * Sets the converter to use
 		 * @param authenticationConverter the converter to use
@ -1595,9 +1598,6 @@ public class ServerHttpSecurity {
 			return service;
 		}
 		private OAuth2ClientSpec() {
 		}
 	}
 	/**
@ -1794,8 +1794,9 @@ public class ServerHttpSecurity {
 			if (this.authenticationManagerResolver != null) {
 				AuthenticationWebFilter oauth2 = new AuthenticationWebFilter(this.authenticationManagerResolver);
-				oauth2.setServerAuthenticationConverter(bearerTokenConverter);
+				oauth2.setServerAuthenticationConverter(this.bearerTokenConverter);
-				oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
+				oauth2.setAuthenticationFailureHandler(
 						new ServerAuthenticationEntryPointFailureHandler(this.entryPoint));
 				http.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION);
 			}
 			else if (this.jwt != null) {
@ -1961,8 +1962,9 @@ public class ServerHttpSecurity {
 			protected void configure(ServerHttpSecurity http) {
 				ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
 				AuthenticationWebFilter oauth2 = new BearerTokenAuthenticationWebFilter(authenticationManager);
-				oauth2.setServerAuthenticationConverter(bearerTokenConverter);
+				oauth2.setServerAuthenticationConverter(OAuth2ResourceServerSpec.this.bearerTokenConverter);
-				oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
+				oauth2.setAuthenticationFailureHandler(
 						new ServerAuthenticationEntryPointFailureHandler(OAuth2ResourceServerSpec.this.entryPoint));
 				// @formatter:off
 				http
 					.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION);
@ -2003,7 +2005,7 @@ public class ServerHttpSecurity {
 		 * @author Josh Cummings
 		 * @since 5.2
 		 */
-		public class OpaqueTokenSpec {
+		public final class OpaqueTokenSpec {
 			private String introspectionUri;
@ -2013,6 +2015,9 @@ public class ServerHttpSecurity {
 			private Supplier<ReactiveOpaqueTokenIntrospector> introspector;
 			private OpaqueTokenSpec() {
 			}
 			/**
 			 * Configures the URI of the Introspection endpoint
 			 * @param introspectionUri The URI of the Introspection endpoint
@ -2071,14 +2076,12 @@ public class ServerHttpSecurity {
 			protected void configure(ServerHttpSecurity http) {
 				ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
 				AuthenticationWebFilter oauth2 = new BearerTokenAuthenticationWebFilter(authenticationManager);
-				oauth2.setServerAuthenticationConverter(bearerTokenConverter);
+				oauth2.setServerAuthenticationConverter(OAuth2ResourceServerSpec.this.bearerTokenConverter);
-				oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
+				oauth2.setAuthenticationFailureHandler(
 						new ServerAuthenticationEntryPointFailureHandler(OAuth2ResourceServerSpec.this.entryPoint));
 				http.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION);
 			}
 			private OpaqueTokenSpec() {
 			}
 		}
 		public ServerHttpSecurity and() {
@ -2820,7 +2823,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #csrf()
 	 */
-	public class CsrfSpec {
+	public final class CsrfSpec {
 		private CsrfWebFilter filter = new CsrfWebFilter();
@ -2917,7 +2920,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #exceptionHandling()
 	 */
-	public class ExceptionHandlingSpec {
+	public final class ExceptionHandlingSpec {
 		/**
 		 * Configures what to do when the application request authentication
@ -2963,7 +2966,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #requestCache()
 	 */
-	public class RequestCacheSpec {
+	public final class RequestCacheSpec {
 		private ServerRequestCache requestCache = new WebSessionServerRequestCache();
@ -3013,7 +3016,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #httpBasic()
 	 */
-	public class HttpBasicSpec {
+	public final class HttpBasicSpec {
 		private ReactiveAuthenticationManager authenticationManager;
@ -3104,7 +3107,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #formLogin()
 	 */
-	public class FormLoginSpec {
+	public final class FormLoginSpec {
 		private final RedirectServerAuthenticationSuccessHandler defaultSuccessHandler = new RedirectServerAuthenticationSuccessHandler(
 				"/");
@ -3282,7 +3285,7 @@ public class ServerHttpSecurity {
 	}
-	private class LoginPageSpec {
+	private final class LoginPageSpec {
 		protected void configure(ServerHttpSecurity http) {
 			if (http.authenticationEntryPoint != null) {
@ -3321,7 +3324,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #headers()
 	 */
-	public class HeaderSpec {
+	public final class HeaderSpec {
 		private final List<ServerHttpHeadersWriter> writers;
@ -3535,7 +3538,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #cache()
 		 */
-		public class CacheSpec {
+		public final class CacheSpec {
 			/**
 			 * Disables cache control response headers
@ -3556,7 +3559,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #contentTypeOptions()
 		 */
-		public class ContentTypeOptionsSpec {
+		public final class ContentTypeOptionsSpec {
 			/**
 			 * Disables the content type options response header
@ -3577,7 +3580,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #frameOptions()
 		 */
-		public class FrameOptionsSpec {
+		public final class FrameOptionsSpec {
 			/**
 			 * The mode to configure. Default is
@ -3618,7 +3621,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #hsts()
 		 */
-		public class HstsSpec {
+		public final class HstsSpec {
 			/**
 			 * Configures the max age. Default is one year.
@ -3687,7 +3690,10 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #xssProtection()
 		 */
-		public class XssProtectionSpec {
+		public final class XssProtectionSpec {
 			private XssProtectionSpec() {
 			}
 			/**
 			 * Disables the x-xss-protection response header
@ -3698,9 +3704,6 @@ public class ServerHttpSecurity {
 				return HeaderSpec.this;
 			}
 			private XssProtectionSpec() {
 			}
 		}
 		/**
@ -3709,7 +3712,7 @@ public class ServerHttpSecurity {
 		 * @since 5.1
 		 * @see #contentSecurityPolicy(String)
 		 */
-		public class ContentSecurityPolicySpec {
+		public final class ContentSecurityPolicySpec {
 			private static final String DEFAULT_SRC_SELF_POLICY = "default-src 'self'";
@ -3760,7 +3763,7 @@ public class ServerHttpSecurity {
 		 * @since 5.1
 		 * @see #featurePolicy(String)
 		 */
-		public class FeaturePolicySpec {
+		public final class FeaturePolicySpec {
 			/**
 			 * Allows method chaining to continue configuring the
@ -3784,7 +3787,11 @@ public class ServerHttpSecurity {
 		 * @see #referrerPolicy()
 		 * @see #referrerPolicy(ReferrerPolicy)
 		 */
-		public class ReferrerPolicySpec {
+		public final class ReferrerPolicySpec {
 			private ReferrerPolicySpec(ReferrerPolicy referrerPolicy) {
 				HeaderSpec.this.referrerPolicy.setPolicy(referrerPolicy);
 			}
 			/**
 			 * Sets the policy to be used in the response header.
@ -3808,10 +3815,6 @@ public class ServerHttpSecurity {
 			private ReferrerPolicySpec() {
 			}
 			private ReferrerPolicySpec(ReferrerPolicy referrerPolicy) {
 				HeaderSpec.this.referrerPolicy.setPolicy(referrerPolicy);
 			}
 		}
 		private HeaderSpec() {
@ -4095,17 +4098,18 @@ public class ServerHttpSecurity {
 		}
 		protected void configure(ServerHttpSecurity http) {
-			if (authenticationFilter == null) {
+			if (this.authenticationFilter == null) {
-				authenticationFilter = new AnonymousAuthenticationWebFilter(getKey(), principal, authorities);
+				this.authenticationFilter = new AnonymousAuthenticationWebFilter(getKey(), this.principal,
 						this.authorities);
 			}
-			http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION);
+			http.addFilterAt(this.authenticationFilter, SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION);
 		}
 		private String getKey() {
-			if (key == null) {
+			if (this.key == null) {
-				key = UUID.randomUUID().toString();
+				this.key = UUID.randomUUID().toString();
 			}
-			return key;
+			return this.key;
 		}
 		private AnonymousSpec() {
--- a/config/src/test/java/org/springframework/security/config/annotation/web/AbstractConfiguredSecurityBuilderTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/AbstractConfiguredSecurityBuilderTests.java
@ -144,7 +144,7 @@ public class AbstractConfiguredSecurityBuilderTests {
 	}
-	private static class TestConfiguredSecurityBuilder
+	private static final class TestConfiguredSecurityBuilder
 			extends AbstractConfiguredSecurityBuilder<Object, TestConfiguredSecurityBuilder> {
 		private TestConfiguredSecurityBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
--- a/config/src/test/java/org/springframework/security/htmlunit/server/WebTestClientHtmlUnitDriverBuilder.java
+++ b/config/src/test/java/org/springframework/security/htmlunit/server/WebTestClientHtmlUnitDriverBuilder.java
@ -30,7 +30,7 @@ import org.springframework.test.web.servlet.htmlunit.webdriver.WebConnectionHtml
 * @author Rob Winch
 * @since 5.0
 */
-public class WebTestClientHtmlUnitDriverBuilder {
+public final class WebTestClientHtmlUnitDriverBuilder {
 	private final WebTestClient webTestClient;
--- a/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
@ -34,6 +34,9 @@ public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAut
 	private AuthenticationTrustResolver authTrustResolver = new AuthenticationTrustResolverImpl();
 	AuthenticatedReactiveAuthorizationManager() {
 	}
 	@Override
 	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
 		return authentication.filter(this::isNotAnonymous).map(a -> new AuthorizationDecision(a.isAuthenticated()))
@ -59,7 +62,4 @@ public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAut
 		return new AuthenticatedReactiveAuthorizationManager<>();
 	}
 	private AuthenticatedReactiveAuthorizationManager() {
 	}
 }
--- a/core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
@ -36,7 +36,7 @@ public class AuthorityReactiveAuthorizationManager<T> implements ReactiveAuthori
 	private final List<String> authorities;
-	private AuthorityReactiveAuthorizationManager(String... authorities) {
+	AuthorityReactiveAuthorizationManager(String... authorities) {
 		this.authorities = Arrays.asList(authorities);
 	}
--- a/core/src/main/java/org/springframework/security/core/userdetails/User.java
+++ b/core/src/main/java/org/springframework/security/core/userdetails/User.java
@ -334,7 +334,7 @@ public class User implements UserDetails, CredentialsContainer {
 	 * Builds the user to be added. At minimum the username, password, and authorities
 	 * should provided. The remaining attributes have reasonable defaults.
 	 */
-	public static class UserBuilder {
+	public static final class UserBuilder {
 		private String username;
--- a/core/src/test/java/org/springframework/security/PopulatedDatabase.java
+++ b/core/src/test/java/org/springframework/security/PopulatedDatabase.java
@ -26,7 +26,7 @@ import org.springframework.jdbc.core.JdbcTemplate;
 *
 * @author Ben Alex
 */
-public class PopulatedDatabase {
+public final class PopulatedDatabase {
 	private static TestDataSource dataSource = null;
--- a/crypto/src/main/java/org/springframework/security/crypto/encrypt/CipherUtils.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/encrypt/CipherUtils.java
@ -36,7 +36,10 @@ import javax.crypto.spec.PBEParameterSpec;
 *
 * @author Keith Donald
 */
-class CipherUtils {
+final class CipherUtils {
 	private CipherUtils() {
 	}
 	/**
 	 * Generates a SecretKey.
@ -138,7 +141,4 @@ class CipherUtils {
 		}
 	}
 	private CipherUtils() {
 	}
 }
--- a/crypto/src/main/java/org/springframework/security/crypto/encrypt/Encryptors.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/encrypt/Encryptors.java
@ -24,7 +24,10 @@ import org.springframework.security.crypto.keygen.KeyGenerators;
 *
 * @author Keith Donald
 */
-public class Encryptors {
+public final class Encryptors {
 	private Encryptors() {
 	}
 	/**
 	 * Creates a standard password-based bytes encryptor using 256 bit AES encryption with
@ -112,9 +115,6 @@ public class Encryptors {
 		return NO_OP_TEXT_INSTANCE;
 	}
 	private Encryptors() {
 	}
 	private static final TextEncryptor NO_OP_TEXT_INSTANCE = new NoOpTextEncryptor();
 	private static final class NoOpTextEncryptor implements TextEncryptor {
--- a/crypto/src/main/java/org/springframework/security/crypto/factory/PasswordEncoderFactories.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/factory/PasswordEncoderFactories.java
@ -32,7 +32,10 @@ import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
 * @author Rob Winch
 * @since 5.0
 */
-public class PasswordEncoderFactories {
+public final class PasswordEncoderFactories {
 	private PasswordEncoderFactories() {
 	}
 	/**
 	 * Creates a {@link DelegatingPasswordEncoder} with default mappings. Additional
@ -79,7 +82,4 @@ public class PasswordEncoderFactories {
 		return new DelegatingPasswordEncoder(encodingId, encoders);
 	}
 	private PasswordEncoderFactories() {
 	}
 }
--- a/crypto/src/main/java/org/springframework/security/crypto/keygen/KeyGenerators.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/keygen/KeyGenerators.java
@ -23,7 +23,10 @@ import java.security.SecureRandom;
 *
 * @author Keith Donald
 */
-public class KeyGenerators {
+public final class KeyGenerators {
 	private KeyGenerators() {
 	}
 	/**
 	 * Create a {@link BytesKeyGenerator} that uses a {@link SecureRandom} to generate
@ -59,9 +62,4 @@ public class KeyGenerators {
 		return new HexEncodingStringKeyGenerator(secureRandom());
 	}
 	// internal helpers
 	private KeyGenerators() {
 	}
 }
--- a/crypto/src/main/java/org/springframework/security/crypto/password/PasswordEncoderUtils.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/password/PasswordEncoderUtils.java
@ -24,7 +24,10 @@ import org.springframework.security.crypto.codec.Utf8;
 *
 * @author Rob Winch
 */
-class PasswordEncoderUtils {
+final class PasswordEncoderUtils {
 	private PasswordEncoderUtils() {
 	}
 	/**
 	 * Constant time comparison to prevent against timing attacks.
@ -43,12 +46,9 @@ class PasswordEncoderUtils {
 		if (s == null) {
 			return null;
 		}
-
+		// need to check if Utf8.encode() runs in constant time (probably not).
-		return Utf8.encode(s); // need to check if Utf8.encode() runs in constant time
+		// This may leak length of string.
-								// (probably not). This may leak length of string.
+		return Utf8.encode(s);
 	}
 	private PasswordEncoderUtils() {
 	}
 }
--- a/crypto/src/main/java/org/springframework/security/crypto/util/EncodingUtils.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/util/EncodingUtils.java
@ -22,7 +22,10 @@ package org.springframework.security.crypto.util;
 *
 * @author Keith Donald
 */
-public class EncodingUtils {
+public final class EncodingUtils {
 	private EncodingUtils() {
 	}
 	/**
 	 * Combine the individual byte arrays into one array.
@ -54,7 +57,4 @@ public class EncodingUtils {
 		return subarray;
 	}
 	private EncodingUtils() {
 	}
 }
--- a/etc/checkstyle/checkstyle-suppressions.xml
+++ b/etc/checkstyle/checkstyle-suppressions.xml
@ -3,7 +3,6 @@
 		"-//Checkstyle//DTD SuppressionFilter Configuration 1.2//EN"
 		"https://checkstyle.org/dtds/suppressions_1_2.dtd">
 <suppressions>
 	<suppress files=".*" checks="FinalClass" />
 	<suppress files=".*" checks="InnerAssignment" />
 	<suppress files=".*" checks="InnerTypeLast" />
 	<suppress files=".*" checks="InterfaceIsType" />
--- a/messaging/src/test/java/org/springframework/security/messaging/handler/invocation/ResolvableMethod.java
+++ b/messaging/src/test/java/org/springframework/security/messaging/handler/invocation/ResolvableMethod.java
@ -127,7 +127,7 @@ import static java.util.stream.Collectors.joining;
 * @author Rossen Stoyanchev
 * @since 5.2
 */
-public class ResolvableMethod {
+public final class ResolvableMethod {
 	private static final Log logger = LogFactory.getLog(ResolvableMethod.class);
@ -258,7 +258,7 @@ public class ResolvableMethod {
 	/**
 	 * Builder for {@code ResolvableMethod}.
 	 */
-	public static class Builder<T> {
+	public static final class Builder<T> {
 		private final Class<?> objectClass;
@ -400,7 +400,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().method()}
 		 */
-		public final Method resolveMethod() {
+		public Method resolveMethod() {
 			return method().method();
 		}
@ -418,7 +418,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().returnType()}
 		 */
-		public final MethodParameter resolveReturnType() {
+		public MethodParameter resolveReturnType() {
 			return method().returnType();
 		}
@ -466,7 +466,7 @@ public class ResolvableMethod {
 	/**
 	 * Predicate with a descriptive label.
 	 */
-	private static class LabeledPredicate<T> implements Predicate<T> {
+	private static final class LabeledPredicate<T> implements Predicate<T> {
 		private final String label;
@ -507,7 +507,7 @@ public class ResolvableMethod {
 	/**
 	 * Resolver for method arguments.
 	 */
-	public class ArgResolver {
+	public final class ArgResolver {
 		private final List<Predicate<MethodParameter>> filters = new ArrayList<>(4);
@ -578,7 +578,7 @@ public class ResolvableMethod {
 		/**
 		 * Resolve the argument.
 		 */
-		public final MethodParameter arg() {
+		public MethodParameter arg() {
 			List<MethodParameter> matches = applyFilters();
 			Assert.state(!matches.isEmpty(), () -> "No matching arg in method\n" + formatMethod());
 			Assert.state(matches.size() == 1,
@ -588,8 +588,8 @@ public class ResolvableMethod {
 		private List<MethodParameter> applyFilters() {
 			List<MethodParameter> matches = new ArrayList<>();
-			for (int i = 0; i < method.getParameterCount(); i++) {
+			for (int i = 0; i < ResolvableMethod.this.method.getParameterCount(); i++) {
-				MethodParameter param = new SynthesizingMethodParameter(method, i);
+				MethodParameter param = new SynthesizingMethodParameter(ResolvableMethod.this.method, i);
 				param.initParameterNameDiscovery(nameDiscoverer);
 				if (this.filters.stream().allMatch(p -> p.test(param))) {
 					matches.add(param);
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizationContext.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizationContext.java
@ -140,7 +140,7 @@ public final class OAuth2AuthorizationContext {
 	/**
 	 * A builder for {@link OAuth2AuthorizationContext}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private ClientRegistration clientRegistration;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizeRequest.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizeRequest.java
@ -122,7 +122,7 @@ public final class OAuth2AuthorizeRequest {
 	/**
 	 * A builder for {@link OAuth2AuthorizeRequest}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private String clientRegistrationId;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
@ -89,7 +89,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code authorization_code} grant.
 	 */
-	public class AuthorizationCodeGrantBuilder implements Builder {
+	public final class AuthorizationCodeGrantBuilder implements Builder {
 		private AuthorizationCodeGrantBuilder() {
 		}
@ -131,7 +131,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code refresh_token} grant.
 	 */
-	public class RefreshTokenGrantBuilder implements Builder {
+	public final class RefreshTokenGrantBuilder implements Builder {
 		private OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient;
@ -226,7 +226,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code client_credentials} grant.
 	 */
-	public class ClientCredentialsGrantBuilder implements Builder {
+	public final class ClientCredentialsGrantBuilder implements Builder {
 		private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
@ -319,7 +319,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code password} grant.
 	 */
-	public class PasswordGrantBuilder implements Builder {
+	public final class PasswordGrantBuilder implements Builder {
 		private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
@ -89,7 +89,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code authorization_code} grant.
 	 */
-	public class AuthorizationCodeGrantBuilder implements Builder {
+	public final class AuthorizationCodeGrantBuilder implements Builder {
 		private AuthorizationCodeGrantBuilder() {
 		}
@ -133,7 +133,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code refresh_token} grant.
 	 */
-	public class RefreshTokenGrantBuilder implements Builder {
+	public final class RefreshTokenGrantBuilder implements Builder {
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient;
@ -230,7 +230,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code client_credentials} grant.
 	 */
-	public class ClientCredentialsGrantBuilder implements Builder {
+	public final class ClientCredentialsGrantBuilder implements Builder {
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
@ -325,7 +325,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code password} grant.
 	 */
-	public class PasswordGrantBuilder implements Builder {
+	public final class PasswordGrantBuilder implements Builder {
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
@ -195,7 +195,7 @@ public final class ClientRegistration implements Serializable {
 		private Map<String, Object> configurationMetadata = Collections.emptyMap();
-		private ProviderDetails() {
+		ProviderDetails() {
 		}
 		/**
@ -263,7 +263,7 @@ public final class ClientRegistration implements Serializable {
 			private String userNameAttributeName;
-			private UserInfoEndpoint() {
+			UserInfoEndpoint() {
 			}
 			/**
@ -322,7 +322,7 @@ public final class ClientRegistration implements Serializable {
 	/**
 	 * A builder for {@link ClientRegistration}.
 	 */
-	public static class Builder implements Serializable {
+	public static final class Builder implements Serializable {
 		private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
@ -131,7 +131,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	private final Mono<Authentication> currentAuthenticationMono = ReactiveSecurityContextHolder.getContext()
 			.map(SecurityContext::getAuthentication).defaultIfEmpty(ANONYMOUS_USER_TOKEN);
-	private final Mono<String> clientRegistrationIdMono = currentAuthenticationMono
+	private final Mono<String> clientRegistrationIdMono = this.currentAuthenticationMono
 			.filter(t -> this.defaultOAuth2AuthorizedClient && t instanceof OAuth2AuthenticationToken)
 			.cast(OAuth2AuthenticationToken.class).map(OAuth2AuthenticationToken::getAuthorizedClientRegistrationId);
@ -472,7 +472,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	private Mono<String> effectiveClientRegistrationId(ClientRequest request) {
 		return Mono.justOrEmpty(clientRegistrationId(request))
 				.switchIfEmpty(Mono.justOrEmpty(this.defaultClientRegistrationId))
-				.switchIfEmpty(clientRegistrationIdMono);
+				.switchIfEmpty(this.clientRegistrationIdMono);
 	}
 	/**
@ -488,7 +488,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	 * {@link ServerWebExchange} that is active for the given request.
 	 */
 	private Mono<Optional<ServerWebExchange>> effectiveServerWebExchange(ClientRequest request) {
-		return Mono.justOrEmpty(serverWebExchange(request)).switchIfEmpty(currentServerWebExchangeMono)
+		return Mono.justOrEmpty(serverWebExchange(request)).switchIfEmpty(this.currentServerWebExchangeMono)
 				.map(Optional::of).defaultIfEmpty(Optional.empty());
 	}
@ -534,7 +534,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 		this.clientResponseHandler = new AuthorizationFailureForwarder(authorizationFailureHandler);
 	}
-	private static class UnAuthenticatedReactiveOAuth2AuthorizedClientManager
+	private static final class UnAuthenticatedReactiveOAuth2AuthorizedClientManager
 			implements ReactiveOAuth2AuthorizedClientManager {
 		private final ReactiveClientRegistrationRepository clientRegistrationRepository;
@ -628,7 +628,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	 *
 	 * @since 5.3
 	 */
-	private class AuthorizationFailureForwarder implements ClientResponseHandler {
+	private final class AuthorizationFailureForwarder implements ClientResponseHandler {
 		/**
 		 * A map of HTTP Status Code to OAuth 2.0 Error codes for HTTP status codes that
@ -667,7 +667,9 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 				Mono<String> clientRegistrationId = effectiveClientRegistrationId(request);
-				return Mono.zip(currentAuthenticationMono, serverWebExchange, clientRegistrationId)
+				return Mono
 						.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
 								serverWebExchange, clientRegistrationId)
 						.flatMap(tuple3 -> handleAuthorizationFailure(tuple3.getT1(), // Authentication
 																						// principal
 								tuple3.getT2().orElse(null), // ServerWebExchange exchange
@ -723,7 +725,9 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 				Mono<String> clientRegistrationId = effectiveClientRegistrationId(request);
-				return Mono.zip(currentAuthenticationMono, serverWebExchange, clientRegistrationId)
+				return Mono
 						.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
 								serverWebExchange, clientRegistrationId)
 						.flatMap(tuple3 -> handleAuthorizationFailure(tuple3.getT1(), // Authentication
 																						// principal
 								tuple3.getT2().orElse(null), // ServerWebExchange exchange
@ -744,11 +748,13 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 		private Mono<Void> handleAuthorizationException(ClientRequest request, OAuth2AuthorizationException exception) {
 			Mono<Optional<ServerWebExchange>> serverWebExchange = effectiveServerWebExchange(request);
-			return Mono.zip(currentAuthenticationMono, serverWebExchange)
+			return Mono.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
-					.flatMap(tuple2 -> handleAuthorizationFailure(tuple2.getT1(), // Authentication
+					serverWebExchange).flatMap(
 							tuple2 -> handleAuthorizationFailure(tuple2.getT1(), // Authentication
 																					// principal
-							tuple2.getT2().orElse(null), // ServerWebExchange exchange
+									tuple2.getT2().orElse(null), // ServerWebExchange
-							exception));
+																	// exchange
 									exception));
 		}
 		/**
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java
@ -637,7 +637,7 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
 	 *
 	 * @since 5.3
 	 */
-	private static class AuthorizationFailureForwarder implements ClientResponseHandler {
+	private static final class AuthorizationFailureForwarder implements ClientResponseHandler {
 		/**
 		 * A map of HTTP status code to OAuth 2.0 error code for HTTP status codes that
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/JdbcOAuth2AuthorizedClientServiceTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/JdbcOAuth2AuthorizedClientServiceTests.java
@ -398,7 +398,7 @@ public class JdbcOAuth2AuthorizedClientServiceTests {
 		return new OAuth2AuthorizedClient(clientRegistration, principal.getName(), accessToken, refreshToken);
 	}
-	private static class CustomTableDefinitionJdbcOAuth2AuthorizedClientService
+	private final static class CustomTableDefinitionJdbcOAuth2AuthorizedClientService
 			extends JdbcOAuth2AuthorizedClientService {
 		private static final String COLUMN_NAMES = "clientRegistrationId, " + "principalName, " + "accessTokenType, "
@ -453,7 +453,7 @@ public class JdbcOAuth2AuthorizedClientServiceTests {
 			this.jdbcOperations.update(REMOVE_AUTHORIZED_CLIENT_SQL, pss);
 		}
-		private static class OAuth2AuthorizedClientRowMapper implements RowMapper<OAuth2AuthorizedClient> {
+		private final static class OAuth2AuthorizedClientRowMapper implements RowMapper<OAuth2AuthorizedClient> {
 			private final ClientRegistrationRepository clientRegistrationRepository;
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DelegatingOAuth2UserServiceTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DelegatingOAuth2UserServiceTests.java
@ -47,8 +47,9 @@ public class DelegatingOAuth2UserServiceTests {
 	@Test(expected = IllegalArgumentException.class)
 	@SuppressWarnings("unchecked")
 	public void loadUserWhenUserRequestIsNullThenThrowIllegalArgumentException() {
 		OAuth2UserService<OAuth2UserRequest, OAuth2User> userService = mock(OAuth2UserService.class);
 		DelegatingOAuth2UserService<OAuth2UserRequest, OAuth2User> delegatingUserService = new DelegatingOAuth2UserService<>(
-				Arrays.asList(mock(OAuth2UserService.class), mock(OAuth2UserService.class)));
+				Arrays.asList(userService, userService));
 		delegatingUserService.loadUser(null);
 	}
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AccessTokenResponse.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AccessTokenResponse.java
@ -94,7 +94,7 @@ public final class OAuth2AccessTokenResponse {
 	/**
 	 * A builder for {@link OAuth2AccessTokenResponse}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private String tokenValue;
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
@ -226,7 +226,7 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 	/**
 	 * A builder for {@link OAuth2AuthorizationRequest}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private String authorizationUri;
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponse.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponse.java
@ -118,7 +118,7 @@ public final class OAuth2AuthorizationResponse {
 	/**
 	 * A builder for {@link OAuth2AuthorizationResponse}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private String redirectUri;
--- a/rsocket/src/main/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManager.java
+++ b/rsocket/src/main/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManager.java
@ -38,7 +38,7 @@ import org.springframework.util.Assert;
 * @author Rob Winch
 * @since 5.2
 */
-public class PayloadExchangeMatcherReactiveAuthorizationManager
+public final class PayloadExchangeMatcherReactiveAuthorizationManager
 		implements ReactiveAuthorizationManager<PayloadExchange> {
 	private final List<PayloadExchangeMatcherEntry<ReactiveAuthorizationManager<PayloadExchangeAuthorizationContext>>> mappings;
@ -63,7 +63,7 @@ public class PayloadExchangeMatcherReactiveAuthorizationManager
 		return new PayloadExchangeMatcherReactiveAuthorizationManager.Builder();
 	}
-	public static class Builder {
+	public static final class Builder {
 		private final List<PayloadExchangeMatcherEntry<ReactiveAuthorizationManager<PayloadExchangeAuthorizationContext>>> mappings = new ArrayList<>();
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@ -673,7 +673,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	 *
 	 * @since 5.4
 	 */
-	public static class Tuple {
+	public static final class Tuple {
 		private final Saml2AuthenticationToken authentication;
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationRequest.java
@ -119,7 +119,7 @@ public final class Saml2AuthenticationRequest {
 	/**
 	 * A builder for {@link Saml2AuthenticationRequest}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private String issuer;
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationRequestContext.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationRequestContext.java
@ -108,7 +108,7 @@ public class Saml2AuthenticationRequestContext {
 	/**
 	 * A builder for {@link Saml2AuthenticationRequestContext}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 		private String issuer;
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java
@ -31,7 +31,7 @@ import static org.springframework.security.saml2.provider.service.registration.S
 */
 public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationRequest {
-	private Saml2PostAuthenticationRequest(String samlRequest, String relayState, String authenticationRequestUri) {
+	Saml2PostAuthenticationRequest(String samlRequest, String relayState, String authenticationRequestUri) {
 		super(samlRequest, relayState, authenticationRequestUri);
 	}
@ -59,7 +59,7 @@ public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationR
 	/**
 	 * Builder class for a {@link Saml2PostAuthenticationRequest} object.
 	 */
-	public static class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
+	public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
 		private Builder() {
 			super();
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java
@ -29,7 +29,7 @@ import static org.springframework.security.saml2.provider.service.registration.S
 * @since 5.3
 * @see Saml2AuthenticationRequestFactory
 */
-public class Saml2RedirectAuthenticationRequest extends AbstractSaml2AuthenticationRequest {
+public final class Saml2RedirectAuthenticationRequest extends AbstractSaml2AuthenticationRequest {
 	private final String sigAlg;
@ -82,7 +82,7 @@ public class Saml2RedirectAuthenticationRequest extends AbstractSaml2Authenticat
 	/**
 	 * Builder class for a {@link Saml2RedirectAuthenticationRequest} object.
 	 */
-	public static class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
+	public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
 		private String sigAlg;
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
@ -28,6 +28,8 @@ import java.util.function.Consumer;
 import java.util.function.Function;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails;
 import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.util.Assert;
@ -69,7 +71,7 @@ import org.springframework.util.Assert;
 * @author Josh Cummings
 * @since 5.2
 */
-public class RelyingPartyRegistration {
+public final class RelyingPartyRegistration {
 	private final String registrationId;
--- a/test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java
+++ b/test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java
@ -87,7 +87,7 @@ final class WithUserDetailsSecurityContextFactory implements WithSecurityContext
 		}
 	}
-	private class ReactiveUserDetailsServiceAdapter implements UserDetailsService {
+	private final class ReactiveUserDetailsServiceAdapter implements UserDetailsService {
 		private final ReactiveUserDetailsService userDetailsService;
--- a/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
+++ b/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
@ -242,7 +242,10 @@ public class SecurityMockServerConfigurers {
 		return new CsrfMutator();
 	}
-	public static class CsrfMutator implements WebTestClientConfigurer, MockServerConfigurer {
+	public static final class CsrfMutator implements WebTestClientConfigurer, MockServerConfigurer {
 		private CsrfMutator() {
 		}
 		@Override
 		public void afterConfigurerAdded(WebTestClient.Builder builder,
@ -262,9 +265,6 @@ public class SecurityMockServerConfigurers {
 		}
 		private CsrfMutator() {
 		}
 	}
 	/**
@ -272,7 +272,7 @@ public class SecurityMockServerConfigurers {
 	 * SecurityMockServerConfigurers#mockUser(UserDetails)}}. Defaults to use a password
 	 * of "password" and granted authorities of "ROLE_USER".
 	 */
-	public static class UserExchangeMutator implements WebTestClientConfigurer, MockServerConfigurer {
+	public static final class UserExchangeMutator implements WebTestClientConfigurer, MockServerConfigurer {
 		private final User.UserBuilder userBuilder;
@ -376,7 +376,7 @@ public class SecurityMockServerConfigurers {
 	}
-	private static class MutatorWebTestClientConfigurer implements WebTestClientConfigurer, MockServerConfigurer {
+	private static final class MutatorWebTestClientConfigurer implements WebTestClientConfigurer, MockServerConfigurer {
 		private final Supplier<Mono<SecurityContext>> context;
@ -402,7 +402,7 @@ public class SecurityMockServerConfigurers {
 	}
-	private static class SetupMutatorFilter implements WebFilter {
+	private static final class SetupMutatorFilter implements WebFilter {
 		private final Supplier<Mono<SecurityContext>> context;
@ -443,7 +443,7 @@ public class SecurityMockServerConfigurers {
 	 * @author Josh Cummings
 	 * @since 5.2
 	 */
-	public static class JwtMutator implements WebTestClientConfigurer, MockServerConfigurer {
+	public static final class JwtMutator implements WebTestClientConfigurer, MockServerConfigurer {
 		private Jwt jwt;
@ -1149,7 +1149,7 @@ public class SecurityMockServerConfigurers {
 		 * Used to wrap the {@link OAuth2AuthorizedClientManager} to provide support for
 		 * testing when the request is wrapped
 		 */
-		private static class TestReactiveOAuth2AuthorizedClientManager
+		private static final class TestReactiveOAuth2AuthorizedClientManager
 				implements ReactiveOAuth2AuthorizedClientManager {
 			final static String TOKEN_ATTR_NAME = TestReactiveOAuth2AuthorizedClientManager.class.getName()
@ -1186,10 +1186,13 @@ public class SecurityMockServerConfigurers {
 		}
-		private static class OAuth2ClientServerTestUtils {
+		private static final class OAuth2ClientServerTestUtils {
 			private static final ServerOAuth2AuthorizedClientRepository DEFAULT_CLIENT_REPO = new WebSessionServerOAuth2AuthorizedClientRepository();
 			private OAuth2ClientServerTestUtils() {
 			}
 			/**
 			 * Gets the {@link ReactiveOAuth2AuthorizedClientManager} for the specified
 			 * {@link ServerWebExchange}. If one is not found, one based off of
@ -1278,9 +1281,6 @@ public class SecurityMockServerConfigurers {
 			}
 			private OAuth2ClientServerTestUtils() {
 			}
 		}
 	}
--- a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
+++ b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
@ -457,7 +457,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 	/**
 	 * Populates the X509Certificate instances onto the request
 	 */
-	private static class X509RequestPostProcessor implements RequestPostProcessor {
+	private static final class X509RequestPostProcessor implements RequestPostProcessor {
 		private final X509Certificate[] certificates;
@ -480,12 +480,15 @@ public final class SecurityMockMvcRequestPostProcessors {
 	 * @author Rob Winch
 	 * @since 4.0
 	 */
-	public static class CsrfRequestPostProcessor implements RequestPostProcessor {
+	public static final class CsrfRequestPostProcessor implements RequestPostProcessor {
 		private boolean asHeader;
 		private boolean useInvalidToken;
 		private CsrfRequestPostProcessor() {
 		}
 		/*
 		 * (non-Javadoc)
 		 *
@ -531,9 +534,6 @@ public final class SecurityMockMvcRequestPostProcessors {
 			return this;
 		}
 		private CsrfRequestPostProcessor() {
 		}
 		/**
 		 * Used to wrap the CsrfTokenRepository to provide support for testing when the
 		 * request is wrapped (i.e. Spring Session is in use).
@ -759,7 +759,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 		 * Used to wrap the SecurityContextRepository to provide support for testing in
 		 * stateless mode
 		 */
-		static class TestSecurityContextRepository implements SecurityContextRepository {
+		static final class TestSecurityContextRepository implements SecurityContextRepository {
 			private final static String ATTR_NAME = TestSecurityContextRepository.class.getName().concat(".REPO");
@ -1035,7 +1035,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 	}
-	private static class HttpBasicRequestPostProcessor implements RequestPostProcessor {
+	private static final class HttpBasicRequestPostProcessor implements RequestPostProcessor {
 		private String headerValue;
@ -1648,7 +1648,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 		 * Used to wrap the {@link OAuth2AuthorizedClientManager} to provide support for
 		 * testing when the request is wrapped
 		 */
-		private static class TestOAuth2AuthorizedClientManager implements OAuth2AuthorizedClientManager {
+		private static final class TestOAuth2AuthorizedClientManager implements OAuth2AuthorizedClientManager {
 			final static String TOKEN_ATTR_NAME = TestOAuth2AuthorizedClientManager.class.getName().concat(".TOKEN");
@ -1682,7 +1682,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 		}
-		private static class OAuth2ClientServletTestUtils {
+		private static final class OAuth2ClientServletTestUtils {
 			private static final OAuth2AuthorizedClientRepository DEFAULT_CLIENT_REPO = new HttpSessionOAuth2AuthorizedClientRepository();
--- a/web/src/main/java/org/springframework/security/web/FilterChainProxy.java
+++ b/web/src/main/java/org/springframework/security/web/FilterChainProxy.java
@ -294,7 +294,7 @@ public class FilterChainProxy extends GenericFilterBean {
 	 * Internal {@code FilterChain} implementation that is used to pass a request through
 	 * the additional internal list of filters which match the request.
 	 */
-	private static class VirtualFilterChain implements FilterChain {
+	private static final class VirtualFilterChain implements FilterChain {
 		private final FilterChain originalChain;
--- a/web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java
+++ b/web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java
@ -35,7 +35,7 @@ import org.springframework.web.server.ServerWebExchange;
 * @author Mathieu Ouellet
 * @since 5.0
 */
-public class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
+public final class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
 	private static final Log logger = LogFactory.getLog(DelegatingReactiveAuthorizationManager.class);
@ -63,7 +63,7 @@ public class DelegatingReactiveAuthorizationManager implements ReactiveAuthoriza
 		return new DelegatingReactiveAuthorizationManager.Builder();
 	}
-	public static class Builder {
+	public static final class Builder {
 		private final List<ServerWebExchangeMatcherEntry<ReactiveAuthorizationManager<AuthorizationContext>>> mappings = new ArrayList<>();
--- a/web/src/main/java/org/springframework/security/web/server/context/NoOpServerSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/context/NoOpServerSecurityContextRepository.java
@ -28,13 +28,15 @@ import org.springframework.web.server.ServerWebExchange;
 * @author Rob Winch
 * @since 5.0
 */
-public class NoOpServerSecurityContextRepository implements ServerSecurityContextRepository {
+public final class NoOpServerSecurityContextRepository implements ServerSecurityContextRepository {
 	private static final NoOpServerSecurityContextRepository INSTANCE = new NoOpServerSecurityContextRepository();
 	private NoOpServerSecurityContextRepository() {
 	}
 	public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
 		return Mono.empty();
 	}
 	public Mono<SecurityContext> load(ServerWebExchange exchange) {
@ -45,7 +47,4 @@ public class NoOpServerSecurityContextRepository implements ServerSecurityContex
 		return INSTANCE;
 	}
 	private NoOpServerSecurityContextRepository() {
 	}
 }
--- a/web/src/main/java/org/springframework/security/web/server/savedrequest/NoOpServerRequestCache.java
+++ b/web/src/main/java/org/springframework/security/web/server/savedrequest/NoOpServerRequestCache.java
@ -30,7 +30,10 @@ import org.springframework.web.server.ServerWebExchange;
 * @author Rob Winch
 * @since 5.0
 */
-public class NoOpServerRequestCache implements ServerRequestCache {
+public final class NoOpServerRequestCache implements ServerRequestCache {
 	private NoOpServerRequestCache() {
 	}
 	@Override
 	public Mono<Void> saveRequest(ServerWebExchange exchange) {
@ -51,7 +54,4 @@ public class NoOpServerRequestCache implements ServerRequestCache {
 		return new NoOpServerRequestCache();
 	}
 	private NoOpServerRequestCache() {
 	}
 }
--- a/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java
@ -263,7 +263,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 	}
-	private static class SpringAntMatcher implements Matcher {
+	private static final class SpringAntMatcher implements Matcher {
 		private final AntPathMatcher antMatcher;
@ -296,7 +296,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 	/**
 	 * Optimized matcher for trailing wildcards
 	 */
-	private static class SubpathMatcher implements Matcher {
+	private static final class SubpathMatcher implements Matcher {
 		private final String subpath;
--- a/web/src/test/java/org/springframework/security/test/web/reactive/server/WebTestHandler.java
+++ b/web/src/test/java/org/springframework/security/test/web/reactive/server/WebTestHandler.java
@ -30,7 +30,7 @@ import org.springframework.web.server.handler.FilteringWebHandler;
 * @author Rob Winch
 * @since 5.0
 */
-public class WebTestHandler {
+public final class WebTestHandler {
 	private final MockWebHandler webHandler = new MockWebHandler();
@ -50,7 +50,7 @@ public class WebTestHandler {
 		return new WebHandlerResult(webHandler.exchange);
 	}
-	public static class WebHandlerResult {
+	public static final class WebHandlerResult {
 		private final ServerWebExchange exchange;
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
@ -138,7 +138,7 @@ public class PersistentTokenBasedRememberMeServicesTests {
 		return services;
 	}
-	private class MockTokenRepository implements PersistentTokenRepository {
+	private final class MockTokenRepository implements PersistentTokenRepository {
 		private PersistentRememberMeToken storedToken;
--- a/web/src/test/java/org/springframework/security/web/method/ResolvableMethod.java
+++ b/web/src/test/java/org/springframework/security/web/method/ResolvableMethod.java
@ -126,7 +126,7 @@ import static java.util.stream.Collectors.joining;
 * @author Rossen Stoyanchev
 * @since 5.0
 */
-public class ResolvableMethod {
+public final class ResolvableMethod {
 	private static final Log logger = LogFactory.getLog(ResolvableMethod.class);
@ -253,7 +253,7 @@ public class ResolvableMethod {
 	/**
 	 * Builder for {@code ResolvableMethod}.
 	 */
-	public static class Builder<T> {
+	public static final class Builder<T> {
 		private final Class<?> objectClass;
@ -386,7 +386,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().method()}
 		 */
-		public final Method resolveMethod() {
+		public Method resolveMethod() {
 			return build().method();
 		}
@ -404,7 +404,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().returnType()}
 		 */
-		public final MethodParameter resolveReturnType() {
+		public MethodParameter resolveReturnType() {
 			return build().returnType();
 		}
@ -452,7 +452,7 @@ public class ResolvableMethod {
 	/**
 	 * Predicate with a descriptive label.
 	 */
-	private static class LabeledPredicate<T> implements Predicate<T> {
+	private static final class LabeledPredicate<T> implements Predicate<T> {
 		private final String label;
@ -493,7 +493,7 @@ public class ResolvableMethod {
 	/**
 	 * Resolver for method arguments.
 	 */
-	public class ArgResolver {
+	public final class ArgResolver {
 		private final List<Predicate<MethodParameter>> filters = new ArrayList<>(4);
@ -564,7 +564,7 @@ public class ResolvableMethod {
 		/**
 		 * Resolve the argument.
 		 */
-		public final MethodParameter arg() {
+		public MethodParameter arg() {
 			List<MethodParameter> matches = applyFilters();
 			Assert.state(!matches.isEmpty(), () -> "No matching arg in method\n" + formatMethod());
 			Assert.state(matches.size() == 1,