Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs

---
updated-dependencies:
- dependency-name: "@antora/collector-extension"
  dependency-version: 1.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -1,11 +1,12 @@
 version: 2
 registries:
-  spring-milestones:
+  shibboleth:
     type: maven-repository
-    url: https://repo.spring.io/milestone
+    url: https://build.shibboleth.net/maven/releases
 updates:
+  # 6.5.x
   - package-ecosystem: gradle
-    target-branch: 6.4.x
+    target-branch: 6.5.x
     directory: /
     schedule:
       interval: daily
@@ -14,7 +15,7 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
+      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
@@ -30,8 +31,28 @@ updates:
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: npm
+    target-branch: 6.5.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: 6.5.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # 7.0.x
   - package-ecosystem: gradle
-    target-branch: 6.3.x
+    target-branch: 7.0.x
     directory: /
     schedule:
       interval: daily
@@ -40,9 +61,10 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
+      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: io.spring.nullability:*
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
       - dependency-name: org.apache.directory.shared:*
@@ -52,10 +74,34 @@ updates:
       - dependency-name: org.mockito:mockito-bom
         update-types:
           - version-update:semver-major
+      - dependency-name: com.gradle.enterprise
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: npm
+    target-branch: 7.0.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: 7.0.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # main
   - package-ecosystem: gradle
     target-branch: main
     directory: /
@@ -66,7 +112,7 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
+      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
@@ -85,36 +131,6 @@ updates:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
-          - version-update:semver-minor
-
-  - package-ecosystem: github-actions
-    target-branch: 6.3.x
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-    ignore:
-      - dependency-name: sjohnr/*
-  - package-ecosystem: github-actions
-    target-branch: docs-build
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-
-  - package-ecosystem: npm
-    target-branch: docs-build
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-
   - package-ecosystem: npm
     target-branch: main
     directory: /docs
@@ -122,12 +138,63 @@ updates:
       interval: weekly
     labels:
       - 'type: task'
+      - 'type: dependency-upgrade'
       - 'in: build'
-  - package-ecosystem: npm
+  - package-ecosystem: github-actions
-    target-branch: 6.3.x
+    target-branch: main
-    directory: /docs
+    directory: /
     schedule:
       interval: weekly
     labels:
       - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # docs-build
+  - package-ecosystem: gradle
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - shibboleth
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: com.gradle.enterprise
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+  - package-ecosystem: npm
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
       - 'in: build'

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,16 @@
+name: Merge Dependabot PR
+
+on:
+  pull_request:
+    branches:
+      - main
+      - '*.x'
+
+run-name: Merge Dependabot PR ${{ github.ref_name }}
+
+jobs:
+  merge-dependabot-pr:
+    permissions: write-all
+    uses: spring-io/spring-github-workflows/.github/workflows/spring-merge-dependabot-pr.yml@v7
+    with:
+      mergeArguments: --auto --rebase

.github/workflows/check-snapshots.yml

@@ -0,0 +1,36 @@
+name: CI
+
+on:
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch: # Manual trigger
+
+env:
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+permissions:
+  contents: read
+
+jobs:
+  snapshot-test:
+    name: Test Against Snapshots
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+    strategy:
+      matrix:
+        include:
+          - java-version: 25
+            toolchain: 25
+    with:
+      java-version: ${{ matrix.java-version }}
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
+    secrets: inherit
+  send-notification:
+    name: Send Notification
+    needs: [ snapshot-test ]
+    if: ${{ !success() }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Notification
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+        with:
+          webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -21,62 +21,28 @@ jobs:
     strategy:
       matrix:
         os: [ ubuntu-latest, windows-latest ]
-        jdk: [ 17 ]
+        jdk: [ 25 ]
     with:
       runs-on: ${{ matrix.os }}
       java-version: ${{ matrix.jdk }}
       distribution: temurin
     secrets: inherit
-  test:
-    name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
-    strategy:
-      matrix:
-        include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
-    with:
-      java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=6.2.+ -PreactorVersion=2023.0.+ -PspringDataVersion=2024.0.+ --stacktrace
-    secrets: inherit
-  check-samples:
-    name: Check Samples
-    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'spring-projects' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: 17
-          distribution: temurin
-      - name: Check samples project
-        env:
-          LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
-          SAMPLES_DIR: ../spring-security-samples
-        run: |
-          # Extract version from gradle.properties
-          version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
-          # Extract samplesBranch from gradle.properties
-          samples_branch=$(cat gradle.properties | grep "samplesBranch=" | awk -F'=' '{print $2}')
-          ./gradlew publishMavenJavaPublicationToLocalRepository
-          ./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$samples_branch" -PcloneOutputDirectory="$SAMPLES_DIR"
-          ./gradlew --refresh-dependencies --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$version" test integrationTest
   deploy-artifacts:
     name: Deploy Artifacts
-    needs: [ build, test, check-samples ]
+    needs: [ build]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
+      default-publish-milestones-central: true
+      java-version: 25
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
-    needs: [ build, test, check-samples ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
+      java-version: 25
     secrets: inherit
   perform-release:
     name: Perform Release
@@ -85,10 +51,11 @@ jobs:
     with:
       should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
       project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
-      milestone-repo-url: https://repo.spring.io/artifactory/milestone
+      milestone-repo-url: https://repo1.maven.org/maven2
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing
+      java-version: 25
     secrets: inherit
   send-notification:
     name: Send Notification

.github/workflows/finalize-release.yml

@@ -0,0 +1,27 @@
+name: Finalize Release
+
+on:
+  workflow_dispatch: # Manual trigger
+    inputs:
+      version:
+        description: The Spring Security release to finalize (e.g. 7.0.0-RC2)
+        required: true
+
+env:
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+permissions:
+  contents: read
+
+jobs:
+  perform-release:
+    name: Perform Release
+    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+    with:
+      should-perform-release: true
+      project-version: ${{ inputs.version }}
+      milestone-repo-url: https://repo1.maven.org/maven2
+      release-repo-url: https://repo1.maven.org/maven2
+      artifact-path: org/springframework/security/spring-security-core
+      slack-announcing-id: spring-security-announcing
+    secrets: inherit

.github/workflows/gradle-wrapper-upgrade-execution.yml

@@ -9,6 +9,7 @@ permissions:
 jobs:
   upgrade_wrapper:
     name: Execution
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
     runs-on: ubuntu-latest
     steps:
       - name: Set up Git configuration
@@ -20,10 +21,10 @@ jobs:
           git config --global user.email 'github-actions[bot]@users.noreply.github.com'
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up JDK 17
+      - name: Set up JDK 25
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Set up Gradle
         uses: gradle/setup-gradle@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1

.github/workflows/pr-build-workflow.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up gradle
         uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Build with Gradle
         run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue --scan
@@ -28,13 +28,13 @@ jobs:
       - name: Set up gradle
         uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Run Antora
         run: ./gradlew -PbuildSrc.skipTests=true :spring-security-docs:antora
       - name: Upload Docs
         id: upload
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: docs
           path: docs/build/site

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.4.x, 6.3.x ]
+        branch: [ main, 7.0.x, 6.5.x, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

.github/workflows/update-antora-ui-spring.yml

@@ -12,11 +12,12 @@ permissions:
 
 jobs:
   update-antora-ui-spring:
-    runs-on: ubuntu-latest
     name: Update on Supported Branches
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
+    runs-on: ubuntu-latest
     strategy:
       matrix:
-        branch: [ '5.8.x', '6.2.x', '6.3.x', 'main' ]
+        branch: [ '6.5.x', '7.0.x', 'main' ]
     steps:
       - uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
         name: Update
@@ -25,8 +26,9 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           antora-file-path: 'docs/antora-playbook.yml'
   update-antora-ui-spring-docs-build:
-    runs-on: ubuntu-latest
     name: Update on docs-build
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
+    runs-on: ubuntu-latest
     steps:
       - uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
         name: Update

.gitignore

@@ -25,6 +25,7 @@ atlassian-ide-plugin.xml
 s101plugin.state
 .attach_pid*
 .~lock.*#
+.kotlin/
 
 !.idea/checkstyle-idea.xml
 !.idea/externalDependencies.xml

.sdkmanrc

@@ -3,4 +3,4 @@
 # See https://sdkman.io/usage#config
 # A summary is to add the following to ~/.sdkman/etc/config
 # sdkman_auto_env=true
-java=17.0.3-tem
+java=25-librca

.vscode/settings.json

@@ -1,3 +1,3 @@
 {
-	"java.import.gradle.enabled": false
+  "java.gradle.buildServer.enabled": "off"
 }

CONTRIBUTING.adoc

@@ -31,7 +31,7 @@ If you have a question, check Stack Overflow using
 https://stackoverflow.com/questions/tagged/spring-security+or+spring-ldap+or+spring-authorization-server+or+spring-session?tab=Newest[this list of tags].
 Find an existing discussion, or start a new one if necessary.
 
-If you believe there is an issue, search through https://github.com/spring-projects/spring-security/issues[existing issues] trying a  few different ways to find discussions, past or current, that are related to the issue.
+If you believe there is an issue, search through https://github.com/spring-projects/spring-security/issues[existing issues] trying a few different ways to find discussions, past or current, that are related to the issue.
 Reading those discussions helps you to learn about the issue, and helps us to make a decision.
 
 [[find-an-issue]]
@@ -79,6 +79,9 @@ See https://github.com/spring-projects/spring-security/tree/main#building-from-s
 
 The wiki pages https://github.com/spring-projects/spring-framework/wiki/Code-Style[Code Style] and https://github.com/spring-projects/spring-framework/wiki/IntelliJ-IDEA-Editor-Settings[IntelliJ IDEA Editor Settings] define the source file coding standards we use along with some IDEA editor settings we customize.
 
+Additionally, since Streams are https://github.com/spring-projects/spring-security/issues/7154[much slower] than `for` loops, please use them judiciously.
+The team may ask you to change to a `for` loop if the given code is along a hot path.
+
 To format the code as well as check the style, run `./gradlew format && ./gradlew check`.
 
 [[submit-a-pull-request]]
@@ -91,7 +94,7 @@ Don't worry if you don't get them all correct the first time, we will help you.
 
 1. [[sign-cla]] All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
 For additional details, please refer to the blog post https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring[Hello DCO, Goodbye CLA: Simplifying Contributions to Spring].
-2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
+2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier to discuss with the team first to determine the right fix or enhancement.
 For typos and straightforward bug fixes, starting with a pull request is encouraged.
 Please include a description for context and motivation.
 Note that the team may close your pull request if it's not a fit for the project.

README.adoc

@@ -68,6 +68,27 @@ The https://github.com/spring-projects/spring-security/tree/docs-build[playbook
 
 Discover more commands with `./gradlew tasks`.
 
+=== IDE setup (IntelliJ)
+
+No special steps are needed to open Spring Security in IntelliJ.
+
+=== IDE setup (Eclipse and VS Code)
+
+To work in Eclipse or VS Code, first generate Eclipse metadata so you can import the project into Eclipse or VS Code:
+
+[indent=0]
+----
+./gradlew cleanEclipse eclipse
+----
+
+If you have not built the project yet, run `./gradlew publishToMavenLocal` first so dependencies are resolved.
+
+*VS Code:* Open the repository root as a folder. The repository includes `.vscode/settings.json` which disables automatic Gradle import so that the generated Eclipse metadata (`.classpath`, `.project`) is used. Do not use the Gradle for Java extension to import the project.
+
+*Eclipse:* File → Import → General → Existing Projects into Workspace, then select the repository root.
+
+The build uses a custom Eclipse plugin to work around Gradle dependency cycles that confuse IDE metadata generation. You may see Eclipse warnings about `xml-apis` from some test dependencies; those are excluded in the build and can be ignored.
+
 == Getting Support
 Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
 https://spring.io/support[Commercial support] is available too.

access/spring-security-access.gradle

@@ -0,0 +1,54 @@
+plugins {
+	id 'compile-warnings-error'
+	id 'javadoc-warnings-error'
+}
+
+apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+	management platform(project(":spring-security-dependencies"))
+	api project(':spring-security-crypto')
+	api project(':spring-security-core')
+	api 'org.springframework:spring-aop'
+	api 'org.springframework:spring-beans'
+	api 'org.springframework:spring-context'
+	api 'org.springframework:spring-core'
+	api 'org.springframework:spring-expression'
+	api 'io.micrometer:micrometer-observation'
+
+	optional project(':spring-security-acl')
+	optional project(':spring-security-messaging')
+	optional project(':spring-security-web')
+	optional 'org.springframework:spring-websocket'
+	optional 'com.fasterxml.jackson.core:jackson-databind'
+	optional 'io.micrometer:context-propagation'
+	optional 'io.projectreactor:reactor-core'
+	optional 'jakarta.annotation:jakarta.annotation-api'
+	optional 'org.aspectj:aspectjrt'
+	optional 'org.springframework:spring-jdbc'
+	optional 'org.springframework:spring-tx'
+	optional 'org.jetbrains.kotlinx:kotlinx-coroutines-reactor'
+
+	provided 'jakarta.servlet:jakarta.servlet-api'
+
+	testImplementation project(path : ':spring-security-web', configuration : 'tests')
+	testImplementation 'commons-collections:commons-collections'
+	testImplementation 'io.projectreactor:reactor-test'
+	testImplementation "org.assertj:assertj-core"
+	testImplementation "org.junit.jupiter:junit-jupiter-api"
+	testImplementation "org.junit.jupiter:junit-jupiter-params"
+	testImplementation "org.junit.jupiter:junit-jupiter-engine"
+	testImplementation "org.mockito:mockito-core"
+	testImplementation "org.mockito:mockito-junit-jupiter"
+	testImplementation "org.springframework:spring-core-test"
+	testImplementation "org.springframework:spring-test"
+	testImplementation 'org.skyscreamer:jsonassert'
+	testImplementation 'org.springframework:spring-test'
+	testImplementation 'org.jetbrains.kotlin:kotlin-reflect'
+	testImplementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
+	testImplementation 'io.mockk:mockk'
+
+	testRuntimeOnly 'org.hsqldb:hsqldb'
+	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+}
+

access/src/main/java/org/springframework/security/access/ConfigAttribute.java

@@ -18,6 +18,8 @@ package org.springframework.security.access;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.NullUnmarked;
+
 import org.springframework.security.access.intercept.RunAsManager;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;
@@ -45,6 +47,7 @@ import org.springframework.security.core.annotation.SecurityAnnotationScanner;
  * {@link AuthorizationManager}.
  */
 @Deprecated
+@NullUnmarked
 public interface ConfigAttribute extends Serializable {
 
 	/**

access/src/main/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSource.java

@@ -25,10 +25,13 @@ import java.util.List;
 import jakarta.annotation.security.DenyAll;
 import jakarta.annotation.security.PermitAll;
 import jakarta.annotation.security.RolesAllowed;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource;
+import org.springframework.util.StringUtils;
 
 /**
  * Sources method security metadata from major JSR 250 security annotations.
@@ -39,6 +42,7 @@ import org.springframework.security.access.method.AbstractFallbackMethodSecurity
  * {@link org.springframework.security.authorization.method.Jsr250AuthorizationManager}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
 
@@ -71,11 +75,11 @@ public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSe
 	}
 
 	@Override
-	public Collection<ConfigAttribute> getAllConfigAttributes() {
+	public @Nullable Collection<ConfigAttribute> getAllConfigAttributes() {
 		return null;
 	}
 
-	private List<ConfigAttribute> processAnnotations(Annotation[] annotations) {
+	private @Nullable List<ConfigAttribute> processAnnotations(Annotation @Nullable [] annotations) {
 		if (annotations == null || annotations.length == 0) {
 			return null;
 		}
@@ -105,7 +109,7 @@ public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSe
 		if (role == null) {
 			return role;
 		}
-		if (this.defaultRolePrefix == null || this.defaultRolePrefix.length() == 0) {
+		if (!StringUtils.hasLength(this.defaultRolePrefix)) {
 			return role;
 		}
 		if (role.startsWith(this.defaultRolePrefix)) {

access/src/main/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataSource.java

@@ -22,6 +22,9 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.GenericTypeResolver;
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.security.access.ConfigAttribute;
@@ -41,13 +44,14 @@ import org.springframework.util.Assert;
  * @deprecated Use
  * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor#secured}
  */
+@NullUnmarked
 @Deprecated
 @SuppressWarnings({ "unchecked" })
 public class SecuredAnnotationSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
 
 	private AnnotationMetadataExtractor annotationExtractor;
 
-	private Class<? extends Annotation> annotationType;
+	private @Nullable Class<? extends Annotation> annotationType;
 
 	public SecuredAnnotationSecurityMetadataSource() {
 		this(new SecuredAnnotationMetadataExtractor());
@@ -73,11 +77,11 @@ public class SecuredAnnotationSecurityMetadataSource extends AbstractFallbackMet
 	}
 
 	@Override
-	public Collection<ConfigAttribute> getAllConfigAttributes() {
+	public @Nullable Collection<ConfigAttribute> getAllConfigAttributes() {
 		return null;
 	}
 
-	private Collection<ConfigAttribute> processAnnotation(Annotation annotation) {
+	private @Nullable Collection<ConfigAttribute> processAnnotation(@Nullable Annotation annotation) {
 		return (annotation != null) ? this.annotationExtractor.extractAttributes(annotation) : null;
 	}
 

access/src/main/java/org/springframework/security/access/event/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Authorization event and listener classes.
  */
+@NullMarked
 package org.springframework.security.access.event;
+
+import org.jspecify.annotations.NullMarked;

access/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java

@@ -16,6 +16,9 @@
 
 package org.springframework.security.access.expression.method;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.expression.Expression;
 import org.springframework.expression.ParseException;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
@@ -35,12 +38,13 @@ import org.springframework.util.Assert;
  * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
  * interceptors instead
  */
+@NullUnmarked
 @Deprecated
 abstract class AbstractExpressionBasedMethodConfigAttribute implements ConfigAttribute {
 
-	private final Expression filterExpression;
+	private final @Nullable Expression filterExpression;
 
-	private final Expression authorizeExpression;
+	private final @Nullable Expression authorizeExpression;
 
 	/**
 	 * Parses the supplied expressions as Spring-EL.
@@ -71,7 +75,7 @@ abstract class AbstractExpressionBasedMethodConfigAttribute implements ConfigAtt
 	}
 
 	@Override
-	public String getAttribute() {
+	public @Nullable String getAttribute() {
 		return null;
 	}
 

access/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java

@@ -16,12 +16,16 @@
 
 package org.springframework.security.access.expression.method;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.ParseException;
 import org.springframework.security.access.prepost.PostInvocationAttribute;
 import org.springframework.security.access.prepost.PreInvocationAttribute;
 import org.springframework.security.access.prepost.PrePostInvocationAttributeFactory;
+import org.springframework.util.Assert;
 
 /**
  * {@link PrePostInvocationAttributeFactory} which interprets the annotation value as an
@@ -33,16 +37,18 @@ import org.springframework.security.access.prepost.PrePostInvocationAttributeFac
  * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
  * interceptors instead
  */
+@NullUnmarked
 @Deprecated
 public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocationAttributeFactory {
 
 	private final Object parserLock = new Object();
 
-	private ExpressionParser parser;
+	private @Nullable ExpressionParser parser;
 
 	private MethodSecurityExpressionHandler handler;
 
 	public ExpressionBasedAnnotationAttributeFactory(MethodSecurityExpressionHandler handler) {
+		Assert.notNull(handler, "handler cannot be null");
 		this.handler = handler;
 	}
 
@@ -64,7 +70,7 @@ public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocat
 	}
 
 	@Override
-	public PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute,
+	public @Nullable PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute,
 			String postAuthorizeAttribute) {
 		try {
 			ExpressionParser parser = getParser();

access/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java

@@ -19,6 +19,7 @@ package org.springframework.security.access.expression.method;
 import java.util.Collection;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NullUnmarked;
 
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
@@ -37,6 +38,7 @@ import org.springframework.util.Assert;
  * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class ExpressionBasedPreInvocationAdvice implements PreInvocationAuthorizationAdvice {
 

access/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.access.expression.method;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.expression.Expression;
 import org.springframework.expression.ParseException;
 import org.springframework.security.access.prepost.PostInvocationAttribute;
@@ -36,7 +38,7 @@ class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodCon
 		super(filterExpression, authorizeExpression);
 	}
 
-	PostInvocationExpressionAttribute(Expression filterExpression, Expression authorizeExpression)
+	PostInvocationExpressionAttribute(@Nullable Expression filterExpression, @Nullable Expression authorizeExpression)
 			throws ParseException {
 		super(filterExpression, authorizeExpression);
 	}

access/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.access.expression.method;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.expression.Expression;
 import org.springframework.expression.ParseException;
 import org.springframework.security.access.prepost.PreInvocationAttribute;
@@ -40,8 +42,8 @@ class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConf
 		this.filterTarget = filterTarget;
 	}
 
-	PreInvocationExpressionAttribute(Expression filterExpression, String filterTarget, Expression authorizeExpression)
+	PreInvocationExpressionAttribute(@Nullable Expression filterExpression, String filterTarget,
-			throws ParseException {
+			Expression authorizeExpression) throws ParseException {
 		super(filterExpression, authorizeExpression);
 		this.filterTarget = filterTarget;
 	}

access/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java

@@ -22,6 +22,8 @@ import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEvent;
@@ -114,6 +116,7 @@ import org.springframework.util.CollectionUtils;
  * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
  * for method security.
  */
+@NullUnmarked
 @Deprecated
 public abstract class AbstractSecurityInterceptor
 		implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware {
@@ -125,11 +128,11 @@ public abstract class AbstractSecurityInterceptor
 	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
 		.getContextHolderStrategy();
 
-	private ApplicationEventPublisher eventPublisher;
+	private @Nullable ApplicationEventPublisher eventPublisher;
 
-	private AccessDecisionManager accessDecisionManager;
+	private @Nullable AccessDecisionManager accessDecisionManager;
 
-	private AfterInvocationManager afterInvocationManager;
+	private @Nullable AfterInvocationManager afterInvocationManager;
 
 	private AuthenticationManager authenticationManager = new NoOpAuthenticationManager();
 
@@ -190,7 +193,7 @@ public abstract class AbstractSecurityInterceptor
 		}
 	}
 
-	protected InterceptorStatusToken beforeInvocation(Object object) {
+	protected @Nullable InterceptorStatusToken beforeInvocation(Object object) {
 		Assert.notNull(object, "Object was null");
 		if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
 			throw new IllegalArgumentException("Security invocation attempted for object " + object.getClass().getName()
@@ -291,7 +294,7 @@ public abstract class AbstractSecurityInterceptor
 	 * @return the object the secure object invocation should ultimately return to its
 	 * caller (may be <tt>null</tt>)
 	 */
-	protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
+	protected Object afterInvocation(InterceptorStatusToken token, @Nullable Object returnedObject) {
 		if (token == null) {
 			// public object
 			return returnedObject;

access/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java

@@ -22,6 +22,8 @@ import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.core.log.LogMessage;
@@ -52,12 +54,14 @@ import org.springframework.util.CollectionUtils;
  * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
  * @deprecated Use delegation with {@link AuthorizationManager}
  */
+@NullUnmarked
 @Deprecated
 public class AfterInvocationProviderManager implements AfterInvocationManager, InitializingBean {
 
 	protected static final Log logger = LogFactory.getLog(AfterInvocationProviderManager.class);
 
-	private List<AfterInvocationProvider> providers;
+	@SuppressWarnings("NullAway.Init")
+	private @Nullable List<AfterInvocationProvider> providers;
 
 	@Override
 	public void afterPropertiesSet() {

access/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java

@@ -21,6 +21,8 @@ import java.util.Collection;
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.core.log.LogMessage;
@@ -46,12 +48,14 @@ import org.springframework.util.Assert;
  * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
 
 	protected static final Log logger = LogFactory.getLog(MethodInvocationPrivilegeEvaluator.class);
 
-	private AbstractSecurityInterceptor securityInterceptor;
+	@SuppressWarnings("NullAway.Init")
+	private @Nullable AbstractSecurityInterceptor securityInterceptor;
 
 	@Override
 	public void afterPropertiesSet() {

access/src/main/java/org/springframework/security/access/intercept/NullRunAsManager.java

@@ -18,6 +18,9 @@ package org.springframework.security.access.intercept;
 
 import java.util.Collection;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
 
@@ -30,11 +33,13 @@ import org.springframework.security.core.Authentication;
  * @author Ben Alex
  * @deprecated please see {@link RunAsManager} deprecation notice
  */
+@NullUnmarked
 @Deprecated
 final class NullRunAsManager implements RunAsManager {
 
 	@Override
-	public Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> config) {
+	public @Nullable Authentication buildRunAs(Authentication authentication, Object object,
+			Collection<ConfigAttribute> config) {
 		return null;
 	}
 

access/src/main/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProvider.java

@@ -16,6 +16,9 @@
 
 package org.springframework.security.access.intercept;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.MessageSource;
 import org.springframework.context.MessageSourceAware;
@@ -44,12 +47,14 @@ import org.springframework.util.Assert;
  * class is only used by now-deprecated components. There is not yet an equivalent
  * replacement in Spring Security.
  */
+@NullUnmarked
 @Deprecated
 public class RunAsImplAuthenticationProvider implements InitializingBean, AuthenticationProvider, MessageSourceAware {
 
 	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
 
-	private String key;
+	@SuppressWarnings("NullAway.Init")
+	private @Nullable String key;
 
 	@Override
 	public void afterPropertiesSet() {

access/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java

@@ -20,6 +20,9 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -56,10 +59,12 @@ import org.springframework.util.Assert;
  * class is only used by now-deprecated components. There is not yet an equivalent
  * replacement in Spring Security.
  */
+@NullUnmarked
 @Deprecated
 public class RunAsManagerImpl implements RunAsManager, InitializingBean {
 
-	private String key;
+	@SuppressWarnings("NullAway.Init")
+	private @Nullable String key;
 
 	private String rolePrefix = "ROLE_";
 
@@ -70,7 +75,7 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
 	}
 
 	@Override
-	public Authentication buildRunAs(Authentication authentication, Object object,
+	public @Nullable Authentication buildRunAs(Authentication authentication, Object object,
 			Collection<ConfigAttribute> attributes) {
 		List<GrantedAuthority> newAuthorities = new ArrayList<>();
 		for (ConfigAttribute attribute : attributes) {

access/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -21,7 +21,6 @@ import java.util.Collection;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 
 /**
  * An immutable {@link org.springframework.security.core.Authentication} implementation
@@ -35,7 +34,7 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
 @Deprecated
 public class RunAsUserToken extends AbstractAuthenticationToken {
 
-	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private static final long serialVersionUID = 620L;
 
 	private final Class<? extends Authentication> originalAuthentication;
 

access/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java

@@ -18,6 +18,8 @@ package org.springframework.security.access.intercept.aopalliance;
 
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.SecurityMetadataSource;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
@@ -42,10 +44,11 @@ import org.springframework.security.access.method.MethodSecurityMetadataSource;
  * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
 
-	private MethodSecurityMetadataSource securityMetadataSource;
+	private @Nullable MethodSecurityMetadataSource securityMetadataSource;
 
 	@Override
 	public Class<?> getSecureObjectClass() {

access/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java

@@ -23,6 +23,8 @@ import java.lang.reflect.Method;
 
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.aop.Pointcut;
 import org.springframework.aop.support.AbstractPointcutAdvisor;
@@ -51,19 +53,22 @@ import org.springframework.util.CollectionUtils;
  *
  * @author Ben Alex
  * @author Luke Taylor
- * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
+ * @deprecated Use
+ * <code>org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity</code>
+ * or publish interceptors directly
  */
+@NullUnmarked
 @Deprecated
 @SuppressWarnings("serial")
 public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware {
 
 	private transient MethodSecurityMetadataSource attributeSource;
 
-	private transient MethodInterceptor interceptor;
+	private transient @Nullable MethodInterceptor interceptor;
 
 	private final Pointcut pointcut = new MethodSecurityMetadataSourcePointcut();
 
-	private BeanFactory beanFactory;
+	private @Nullable BeanFactory beanFactory;
 
 	private final String adviceBeanName;
 

access/src/main/java/org/springframework/security/access/intercept/aopalliance/package-info.java

@@ -18,4 +18,7 @@
  * Enforces security for AOP Alliance <code>MethodInvocation</code>s, such as via Spring
  * AOP.
  */
+@NullMarked
 package org.springframework.security.access.intercept.aopalliance;
+
+import org.jspecify.annotations.NullMarked;

access/src/main/java/org/springframework/security/access/intercept/aspectj/MethodInvocationAdapter.java

@@ -23,6 +23,7 @@ import org.aopalliance.intercept.MethodInvocation;
 import org.aspectj.lang.JoinPoint;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.reflect.CodeSignature;
+import org.jspecify.annotations.NullUnmarked;
 
 import org.springframework.util.Assert;
 
@@ -35,6 +36,7 @@ import org.springframework.util.Assert;
  * @deprecated This class will be removed from the public API. See
  * `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
  */
+@NullUnmarked
 @Deprecated
 public final class MethodInvocationAdapter implements MethodInvocation {
 

access/src/main/java/org/springframework/security/access/intercept/aspectj/package-info.java

@@ -18,4 +18,7 @@
  * Enforces security for AspectJ <code>JointPoint</code>s, delegating secure object
  * callbacks to the calling aspect.
  */
+@NullMarked
 package org.springframework.security.access.intercept.aspectj;
+
+import org.jspecify.annotations.NullMarked;

access/src/main/java/org/springframework/security/access/intercept/package-info.java

@@ -33,4 +33,7 @@
  * an appropriate {@link org.springframework.security.access.SecurityMetadataSource} for
  * the type of resources the secure object represents.
  */
+@NullMarked
 package org.springframework.security.access.intercept;
+
+import org.jspecify.annotations.NullMarked;

access/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java

@@ -20,6 +20,8 @@ import java.lang.reflect.Method;
 import java.util.Collection;
 import java.util.Collections;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aop.support.AopUtils;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -52,7 +54,7 @@ import org.springframework.security.authorization.AuthorizationManager;
 public abstract class AbstractFallbackMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
 
 	@Override
-	public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
+	public Collection<ConfigAttribute> getAttributes(Method method, @Nullable Class<?> targetClass) {
 		// The method may be on an interface, but we need attributes from the target
 		// class.
 		// If the target class is null, the method will be unchanged.
@@ -92,7 +94,7 @@ public abstract class AbstractFallbackMethodSecurityMetadataSource extends Abstr
 	 * @param targetClass the target class for the invocation (may be <code>null</code>)
 	 * @return the security metadata (or null if no metadata applies)
 	 */
-	protected abstract Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass);
+	protected abstract Collection<ConfigAttribute> findAttributes(Method method, @Nullable Class<?> targetClass);
 
 	/**
 	 * Obtains the security metadata registered against the specified class.

access/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java

@@ -21,6 +21,7 @@ import java.util.Collection;
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NullUnmarked;
 
 import org.springframework.aop.framework.AopProxyUtils;
 import org.springframework.security.access.ConfigAttribute;
@@ -36,6 +37,7 @@ import org.springframework.security.authorization.AuthorizationManager;
  * {@code <method-security>} and {@code <intercept-methods>} instead or use
  * annotation-based or {@link AuthorizationManager}-based authorization
  */
+@NullUnmarked
 @Deprecated
 public abstract class AbstractMethodSecurityMetadataSource implements MethodSecurityMetadataSource {
 

access/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java

@@ -25,6 +25,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -57,7 +59,7 @@ public final class DelegatingMethodSecurityMetadataSource extends AbstractMethod
 	}
 
 	@Override
-	public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
+	public Collection<ConfigAttribute> getAttributes(Method method, @Nullable Class<?> targetClass) {
 		DefaultCacheKey cacheKey = new DefaultCacheKey(method, targetClass);
 		synchronized (this.attributeCache) {
 			Collection<ConfigAttribute> cached = this.attributeCache.get(cacheKey);
@@ -104,9 +106,9 @@ public final class DelegatingMethodSecurityMetadataSource extends AbstractMethod
 
 		private final Method method;
 
-		private final Class<?> targetClass;
+		private final @Nullable Class<?> targetClass;
 
-		DefaultCacheKey(Method method, Class<?> targetClass) {
+		DefaultCacheKey(Method method, @Nullable Class<?> targetClass) {
 			this.method = method;
 			this.targetClass = targetClass;
 		}

access/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java

@@ -25,6 +25,9 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.beans.factory.BeanClassLoaderAware;
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
@@ -47,11 +50,13 @@ import org.springframework.util.ClassUtils;
  * {@code <method-security>} and {@code <intercept-methods>} instead or use
  * annotation-based or {@link AuthorizationManager}-based authorization
  */
+@NullUnmarked
 @Deprecated
 public class MapBasedMethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource
 		implements BeanClassLoaderAware {
 
-	private ClassLoader beanClassLoader = ClassUtils.getDefaultClassLoader();
+	@SuppressWarnings("NullAway")
+	private @Nullable ClassLoader beanClassLoader = ClassUtils.getDefaultClassLoader();
 
 	/**
 	 * Map from RegisteredMethod to ConfigAttribute list
@@ -80,7 +85,7 @@ public class MapBasedMethodSecurityMetadataSource extends AbstractFallbackMethod
 	 * Implementation does not support class-level attributes.
 	 */
 	@Override
-	protected Collection<ConfigAttribute> findAttributes(Class<?> clazz) {
+	protected @Nullable Collection<ConfigAttribute> findAttributes(Class<?> clazz) {
 		return null;
 	}
 
@@ -89,14 +94,14 @@ public class MapBasedMethodSecurityMetadataSource extends AbstractFallbackMethod
 	 * applicable.
 	 */
 	@Override
-	protected Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass) {
+	protected @Nullable Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass) {
 		if (targetClass == null) {
 			return null;
 		}
 		return findAttributesSpecifiedAgainst(method, targetClass);
 	}
 
-	private List<ConfigAttribute> findAttributesSpecifiedAgainst(Method method, Class<?> clazz) {
+	private @Nullable List<ConfigAttribute> findAttributesSpecifiedAgainst(Method method, Class<?> clazz) {
 		RegisteredMethod registeredMethod = new RegisteredMethod(method, clazz);
 		if (this.methodMap.containsKey(registeredMethod)) {
 			return this.methodMap.get(registeredMethod);

access/src/main/java/org/springframework/security/access/method/MethodSecurityMetadataSource.java

@@ -19,6 +19,8 @@ package org.springframework.security.access.method;
 import java.lang.reflect.Method;
 import java.util.Collection;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityMetadataSource;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -37,6 +39,6 @@ import org.springframework.security.authorization.AuthorizationManager;
 @Deprecated
 public interface MethodSecurityMetadataSource extends SecurityMetadataSource {
 
-	Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass);
+	Collection<ConfigAttribute> getAttributes(Method method, @Nullable Class<?> targetClass);
 
 }

access/src/main/java/org/springframework/security/access/method/package-info.java

@@ -18,4 +18,7 @@
  * Provides {@code SecurityMetadataSource} implementations for securing Java method
  * invocations via different AOP libraries.
  */
+@NullMarked
 package org.springframework.security.access.method;
+
+import org.jspecify.annotations.NullMarked;

access/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java

@@ -21,6 +21,8 @@ import java.util.Collection;
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AfterInvocationProvider;
@@ -40,6 +42,7 @@ import org.springframework.security.core.Authentication;
  * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class PostInvocationAdviceProvider implements AfterInvocationProvider {
 
@@ -62,7 +65,7 @@ public class PostInvocationAdviceProvider implements AfterInvocationProvider {
 				returnedObject);
 	}
 
-	private PostInvocationAttribute findPostInvocationAttribute(Collection<ConfigAttribute> config) {
+	private @Nullable PostInvocationAttribute findPostInvocationAttribute(Collection<ConfigAttribute> config) {
 		for (ConfigAttribute attribute : config) {
 			if (attribute instanceof PostInvocationAttribute) {
 				return (PostInvocationAttribute) attribute;

access/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java

@@ -21,6 +21,8 @@ import java.util.Collection;
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
@@ -42,6 +44,7 @@ import org.springframework.security.core.Authentication;
  * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVoter<MethodInvocation> {
 
@@ -75,7 +78,7 @@ public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVote
 		return this.preAdvice.before(authentication, method, preAttr) ? ACCESS_GRANTED : ACCESS_DENIED;
 	}
 
-	private PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {
+	private @Nullable PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {
 		for (ConfigAttribute attribute : config) {
 			if (attribute instanceof PreInvocationAttribute) {
 				return (PreInvocationAttribute) attribute;

access/src/main/java/org/springframework/security/access/prepost/PrePostAdviceReactiveMethodInterceptor.java

@@ -22,6 +22,8 @@ import java.util.Collection;
 import kotlinx.coroutines.reactive.ReactiveFlowKt;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 import org.reactivestreams.Publisher;
 import reactor.core.Exceptions;
 import reactor.core.publisher.Flux;
@@ -54,6 +56,7 @@ import org.springframework.util.Assert;
  * or
  * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor}
  */
+@NullUnmarked
 @Deprecated
 public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor {
 
@@ -142,7 +145,7 @@ public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor
 			.map((r) -> (attr != null) ? this.postAdvice.after(auth, invocation, attr, r) : r));
 	}
 
-	private static <T extends Publisher<?>> T proceed(final MethodInvocation invocation) {
+	private static <T extends Publisher<?>> @Nullable T proceed(final MethodInvocation invocation) {
 		try {
 			return (T) invocation.proceed();
 		}
@@ -151,7 +154,7 @@ public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor
 		}
 	}
 
-	private static Object flowProceed(final MethodInvocation invocation) {
+	private static @Nullable Object flowProceed(final MethodInvocation invocation) {
 		try {
 			return invocation.proceed();
 		}
@@ -160,7 +163,7 @@ public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor
 		}
 	}
 
-	private static PostInvocationAttribute findPostInvocationAttribute(Collection<ConfigAttribute> config) {
+	private static @Nullable PostInvocationAttribute findPostInvocationAttribute(Collection<ConfigAttribute> config) {
 		for (ConfigAttribute attribute : config) {
 			if (attribute instanceof PostInvocationAttribute) {
 				return (PostInvocationAttribute) attribute;
@@ -169,7 +172,7 @@ public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor
 		return null;
 	}
 
-	private static PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {
+	private static @Nullable PreInvocationAttribute findPreInvocationAttribute(Collection<ConfigAttribute> config) {
 		for (ConfigAttribute attribute : config) {
 			if (attribute instanceof PreInvocationAttribute) {
 				return (PreInvocationAttribute) attribute;

access/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java

@@ -22,6 +22,9 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
@@ -54,6 +57,7 @@ import org.springframework.util.ClassUtils;
  * {@link org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
 
@@ -98,7 +102,7 @@ public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecur
 	}
 
 	@Override
-	public Collection<ConfigAttribute> getAllConfigAttributes() {
+	public @Nullable Collection<ConfigAttribute> getAllConfigAttributes() {
 		return null;
 	}
 
@@ -108,7 +112,8 @@ public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecur
 	 * for the logic of this method. The ordering here is slightly different in that we
 	 * consider method-specific annotations on an interface before class-level ones.
 	 */
-	private <A extends Annotation> A findAnnotation(Method method, Class<?> targetClass, Class<A> annotationClass) {
+	private <A extends Annotation> @Nullable A findAnnotation(Method method, Class<?> targetClass,
+			Class<A> annotationClass) {
 		// The method may be on an interface, but we need attributes from the target
 		// class.
 		// If the target class is null, the method will be unchanged.

access/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.access.prepost;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.authorization.AuthorizationManager;
 
@@ -29,9 +31,10 @@ import org.springframework.security.authorization.AuthorizationManager;
 @Deprecated
 public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean {
 
-	PreInvocationAttribute createPreInvocationAttribute(String preFilterAttribute, String filterObject,
+	PreInvocationAttribute createPreInvocationAttribute(@Nullable String preFilterAttribute,
-			String preAuthorizeAttribute);
+			@Nullable String filterObject, @Nullable String preAuthorizeAttribute);
 
-	PostInvocationAttribute createPostInvocationAttribute(String postFilterAttribute, String postAuthorizeAttribute);
+	PostInvocationAttribute createPostInvocationAttribute(@Nullable String postFilterAttribute,
+			@Nullable String postAuthorizeAttribute);
 
 }

access/src/main/java/org/springframework/security/access/vote/AbstractAclVoter.java

@@ -17,6 +17,8 @@
 package org.springframework.security.access.vote;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AuthorizationServiceException;
@@ -30,10 +32,12 @@ import org.springframework.util.Assert;
  * @deprecated Now used by only-deprecated classes. Generally speaking, in-memory ACL is
  * no longer advised, so no replacement is planned at this point.
  */
+@NullUnmarked
 @Deprecated
 public abstract class AbstractAclVoter implements AccessDecisionVoter<MethodInvocation> {
 
-	private Class<?> processDomainObjectClass;
+	@SuppressWarnings("NullAway.Init")
+	private @Nullable Class<?> processDomainObjectClass;
 
 	protected Object getDomainObjectInstance(MethodInvocation invocation) {
 		Object[] args = invocation.getArguments();

access/src/main/java/org/springframework/security/access/vote/RoleHierarchyVoter.java

@@ -18,6 +18,9 @@ package org.springframework.security.access.vote;
 
 import java.util.Collection;
 
+import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -33,10 +36,12 @@ import org.springframework.util.Assert;
  * {@link org.springframework.security.authorization.AuthorityAuthorizationManager#setRoleHierarchy}
  * instead
  */
+@NullUnmarked
 @Deprecated
 public class RoleHierarchyVoter extends RoleVoter {
 
-	private RoleHierarchy roleHierarchy = null;
+	@SuppressWarnings("NullAway")
+	private @Nullable RoleHierarchy roleHierarchy = null;
 
 	public RoleHierarchyVoter(RoleHierarchy roleHierarchy) {
 		Assert.notNull(roleHierarchy, "RoleHierarchy must not be null");

access/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -18,6 +18,8 @@ package org.springframework.security.access.vote;
 
 import java.util.Collection;
 
+import org.jspecify.annotations.NullUnmarked;
+
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -53,6 +55,7 @@ import org.springframework.security.core.GrantedAuthority;
  * instead
  */
 @Deprecated
+@NullUnmarked
 public class RoleVoter implements AccessDecisionVoter<Object> {
 
 	private String rolePrefix = "ROLE_";

access/src/main/java/org/springframework/security/access/vote/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Implements a vote-based approach to authorization decisions.
  */
+@NullMarked
 package org.springframework.security.access.vote;
+
+import org.jspecify.annotations.NullMarked;

access/src/main/java/org/springframework/security/acls/AclEntryVoter.java

@@ -71,7 +71,7 @@ import org.springframework.util.StringUtils;
  * <tt>AclEntryVoter</tt>:
  * <ul>
  * <li>Process domain object class <code>BankAccount</code>, configuration attribute
- * <code>VOTE_ACL_BANK_ACCONT_READ</code>, require permission
+ * <code>VOTE_ACL_BANK_ACCOUNT_READ</code>, require permission
  * <code>BasePermission.READ</code></li>
  * <li>Process domain object class <code>BankAccount</code>, configuration attribute
  * <code>VOTE_ACL_BANK_ACCOUNT_WRITE</code>, require permission list

access/src/main/java/org/springframework/security/messaging/access/expression/EvaluationContextPostProcessor.java

@@ -39,7 +39,7 @@ interface EvaluationContextPostProcessor<I> {
 	 * that was passed in.
 	 * @param context the original {@link EvaluationContext}
 	 * @param invocation the security invocation object (i.e. Message)
-	 * @return the upated context.
+	 * @return the updated context.
 	 */
 	EvaluationContext postProcess(EvaluationContext context, I invocation);
 

access/src/main/java/org/springframework/security/messaging/access/expression/MessageExpressionConfigAttribute.java

@@ -18,12 +18,13 @@ package org.springframework.security.messaging.access.expression;
 
 import java.util.Map;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
 import org.springframework.messaging.Message;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
-import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -42,7 +43,7 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 
 	private final Expression authorizeExpression;
 
-	private final MessageMatcher<?> matcher;
+	private final MessageMatcher<Object> matcher;
 
 	/**
 	 * Creates a new instance
@@ -53,7 +54,7 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 		Assert.notNull(authorizeExpression, "authorizeExpression cannot be null");
 		Assert.notNull(matcher, "matcher cannot be null");
 		this.authorizeExpression = authorizeExpression;
-		this.matcher = matcher;
+		this.matcher = (MessageMatcher<Object>) matcher;
 	}
 
 	Expression getAuthorizeExpression() {
@@ -61,7 +62,7 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 	}
 
 	@Override
-	public String getAttribute() {
+	public @Nullable String getAttribute() {
 		return null;
 	}
 
@@ -72,12 +73,9 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 
 	@Override
 	public EvaluationContext postProcess(EvaluationContext ctx, Message<?> message) {
-		if (this.matcher instanceof SimpDestinationMessageMatcher) {
+		Map<String, String> variables = this.matcher.matcher(message).getVariables();
-			Map<String, String> variables = ((SimpDestinationMessageMatcher) this.matcher)
+		for (Map.Entry<String, String> entry : variables.entrySet()) {
-				.extractPathVariables(message);
+			ctx.setVariable(entry.getKey(), entry.getValue());
-			for (Map.Entry<String, String> entry : variables.entrySet()) {
-				ctx.setVariable(entry.getKey(), entry.getValue());
-			}
 		}
 		return ctx;
 	}

access/src/main/java/org/springframework/security/messaging/access/expression/MessageExpressionVoter.java

@@ -18,6 +18,8 @@ package org.springframework.security.messaging.access.expression;
 
 import java.util.Collection;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.expression.EvaluationContext;
 import org.springframework.messaging.Message;
 import org.springframework.security.access.AccessDecisionVoter;
@@ -60,7 +62,7 @@ public class MessageExpressionVoter<T> implements AccessDecisionVoter<Message<T>
 		return ExpressionUtils.evaluateAsBoolean(attr.getAuthorizeExpression(), ctx) ? ACCESS_GRANTED : ACCESS_DENIED;
 	}
 
-	private MessageExpressionConfigAttribute findConfigAttribute(Collection<ConfigAttribute> attributes) {
+	private @Nullable MessageExpressionConfigAttribute findConfigAttribute(Collection<ConfigAttribute> attributes) {
 		for (ConfigAttribute attribute : attributes) {
 			if (attribute instanceof MessageExpressionConfigAttribute) {
 				return (MessageExpressionConfigAttribute) attribute;

access/src/main/java/org/springframework/security/messaging/access/intercept/ChannelSecurityInterceptor.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.messaging.access.intercept;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.messaging.Message;
 import org.springframework.messaging.MessageChannel;
 import org.springframework.messaging.support.ChannelInterceptor;
@@ -36,7 +38,7 @@ import org.springframework.util.Assert;
  *
  * @author Rob Winch
  * @since 4.0
- * @deprecated Use {@link AuthorizationChannelInterceptor} instead
+ * @deprecated Use {@code AuthorizationChannelInterceptor} instead
  */
 @Deprecated
 public final class ChannelSecurityInterceptor extends AbstractSecurityInterceptor implements ChannelInterceptor {
@@ -83,7 +85,7 @@ public final class ChannelSecurityInterceptor extends AbstractSecurityIntercepto
 	}
 
 	@Override
-	public void afterSendCompletion(Message<?> message, MessageChannel channel, boolean sent, Exception ex) {
+	public void afterSendCompletion(Message<?> message, MessageChannel channel, boolean sent, @Nullable Exception ex) {
 		InterceptorStatusToken token = clearToken();
 		finallyInvocation(token);
 	}
@@ -99,7 +101,7 @@ public final class ChannelSecurityInterceptor extends AbstractSecurityIntercepto
 	}
 
 	@Override
-	public void afterReceiveCompletion(Message<?> message, MessageChannel channel, Exception ex) {
+	public void afterReceiveCompletion(@Nullable Message<?> message, MessageChannel channel, @Nullable Exception ex) {
 	}
 
 	private InterceptorStatusToken clearToken() {

access/src/main/java/org/springframework/security/messaging/access/intercept/DefaultMessageSecurityMetadataSource.java

@@ -17,6 +17,7 @@
 package org.springframework.security.messaging.access.intercept;
 
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -61,7 +62,7 @@ public final class DefaultMessageSecurityMetadataSource implements MessageSecuri
 				return entry.getValue();
 			}
 		}
-		return null;
+		return Collections.emptyList();
 	}
 
 	@Override

access/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java

@@ -21,6 +21,7 @@ import java.util.Collection;
 import jakarta.servlet.ServletContext;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.AccessDeniedException;
@@ -46,7 +47,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 
 	private final AbstractSecurityInterceptor securityInterceptor;
 
-	private ServletContext servletContext;
+	private @Nullable ServletContext servletContext;
 
 	public DefaultWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securityInterceptor) {
 		Assert.notNull(securityInterceptor, "SecurityInterceptor cannot be null");
@@ -64,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 	 * be used)
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}
 
@@ -86,7 +87,8 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
+	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
+			@Nullable Authentication authentication) {
 		Assert.notNull(uri, "uri parameter is required");
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()

access/src/main/java/org/springframework/security/web/access/channel/AbstractRetryEntryPoint.java

@@ -22,13 +22,12 @@ import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.PortMapper;
 import org.springframework.security.web.PortMapperImpl;
-import org.springframework.security.web.PortResolver;
-import org.springframework.security.web.PortResolverImpl;
 import org.springframework.security.web.RedirectStrategy;
 import org.springframework.util.Assert;
 
@@ -45,8 +44,6 @@ public abstract class AbstractRetryEntryPoint implements ChannelEntryPoint {
 
 	private PortMapper portMapper = new PortMapperImpl();
 
-	private PortResolver portResolver = new PortResolverImpl();
-
 	/**
 	 * The scheme ("http://" or "https://")
 	 */
@@ -68,7 +65,7 @@ public abstract class AbstractRetryEntryPoint implements ChannelEntryPoint {
 	public void commence(HttpServletRequest request, HttpServletResponse response) throws IOException {
 		String queryString = request.getQueryString();
 		String redirectUrl = request.getRequestURI() + ((queryString != null) ? ("?" + queryString) : "");
-		Integer currentPort = this.portResolver.getServerPort(request);
+		Integer currentPort = this.portMapper.getServerPort(request);
 		Integer redirectPort = getMappedPort(currentPort);
 		if (redirectPort != null) {
 			boolean includePort = redirectPort != this.standardPort;
@@ -79,7 +76,7 @@ public abstract class AbstractRetryEntryPoint implements ChannelEntryPoint {
 		this.redirectStrategy.sendRedirect(request, response, redirectUrl);
 	}
 
-	protected abstract Integer getMappedPort(Integer mapFromPort);
+	protected abstract @Nullable Integer getMappedPort(Integer mapFromPort);
 
 	protected final PortMapper getPortMapper() {
 		return this.portMapper;
@@ -90,17 +87,6 @@ public abstract class AbstractRetryEntryPoint implements ChannelEntryPoint {
 		this.portMapper = portMapper;
 	}
 
-	@Deprecated(forRemoval = true)
-	public void setPortResolver(PortResolver portResolver) {
-		Assert.notNull(portResolver, "portResolver cannot be null");
-		this.portResolver = portResolver;
-	}
-
-	@Deprecated(forRemoval = true)
-	protected final PortResolver getPortResolver() {
-		return this.portResolver;
-	}
-
 	/**
 	 * Sets the strategy to be used for redirecting to the required channel URL. A
 	 * {@code DefaultRedirectStrategy} instance will be used if not set.