diff --git a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java index b65782a6d4..f22cee6088 100644 --- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java @@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator } @Override - public boolean isAllowed(String uri, Authentication authentication) { + public boolean isAllowed(String uri, @Nullable Authentication authentication) { return isAllowed(null, uri, null, authentication); } @Override public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, - Authentication authentication) { + @Nullable Authentication authentication) { FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest()); AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest); diff --git a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java index f605557275..65bef09cf6 100644 --- a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java @@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv * be used) */ @Override - public boolean isAllowed(String uri, Authentication authentication) { + public boolean isAllowed(String uri, @Nullable Authentication authentication) { return isAllowed(null, uri, null, authentication); } @@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv */ @Override public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, - Authentication authentication) { + @Nullable Authentication authentication) { Assert.notNull(uri, "uri parameter is required"); FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext); Collection attributes = this.securityInterceptor.obtainSecurityMetadataSource() diff --git a/web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java index 45a9bc1bac..8ecb81aabe 100644 --- a/web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java @@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator * @return true if access is allowed, false if denied */ @Override - public boolean isAllowed(String uri, Authentication authentication) { + public boolean isAllowed(String uri, @Nullable Authentication authentication) { List privilegeEvaluators = getDelegate(null, uri, null); if (privilegeEvaluators.isEmpty()) { return true; @@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator * @return true if access is allowed, false if denied */ @Override - public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) { + public boolean isAllowed(String contextPath, String uri, @Nullable String method, + @Nullable Authentication authentication) { List privilegeEvaluators = getDelegate(contextPath, uri, method); if (privilegeEvaluators.isEmpty()) { return true; diff --git a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java index 131cb7d147..23ad3d6151 100644 --- a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java @@ -16,6 +16,8 @@ package org.springframework.security.web.access; +import org.jspecify.annotations.Nullable; + import org.springframework.security.core.Authentication; /** @@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator { * @param uri the URI excluding the context path (a default context path setting will * be used) */ - boolean isAllowed(String uri, Authentication authentication); + boolean isAllowed(String uri, @Nullable Authentication authentication); /** * Determines whether the user represented by the supplied Authentication @@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator { * be used in evaluation whether access should be granted. * @return true if access is allowed, false if denied */ - boolean isAllowed(String contextPath, String uri, String method, Authentication authentication); + boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication); }