Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs

---
updated-dependencies:
- dependency-name: "@antora/collector-extension"
  dependency-version: 1.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -1,12 +1,10 @@
 version: 2
 registries:
-  spring-milestones:
-    type: maven-repository
-    url: https://repo.spring.io/milestone
   shibboleth:
     type: maven-repository
     url: https://build.shibboleth.net/maven/releases
 updates:
+  # 6.5.x
   - package-ecosystem: gradle
     target-branch: 6.5.x
     directory: /
@@ -17,7 +15,6 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
       - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
@@ -34,8 +31,28 @@ updates:
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: npm
+    target-branch: 6.5.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: 6.5.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # 7.0.x
   - package-ecosystem: gradle
-    target-branch: 6.4.x
+    target-branch: 7.0.x
     directory: /
     schedule:
       interval: daily
@@ -44,10 +61,10 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
       - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: io.spring.nullability:*
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
       - dependency-name: org.apache.directory.shared:*
@@ -57,11 +74,34 @@ updates:
       - dependency-name: org.mockito:mockito-bom
         update-types:
           - version-update:semver-major
+      - dependency-name: com.gradle.enterprise
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: npm
+    target-branch: 7.0.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: 7.0.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
 
+  # main
   - package-ecosystem: gradle
     target-branch: main
     directory: /
@@ -72,7 +112,6 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
       - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
@@ -92,17 +131,6 @@ updates:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
-          - version-update:semver-minor
-
-  - package-ecosystem: npm
-    target-branch: docs-build
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-
   - package-ecosystem: npm
     target-branch: main
     directory: /docs
@@ -110,4 +138,63 @@ updates:
       interval: weekly
     labels:
       - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: main
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # docs-build
+  - package-ecosystem: gradle
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - shibboleth
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: com.gradle.enterprise
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+  - package-ecosystem: npm
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
       - 'in: build'

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,16 @@
+name: Merge Dependabot PR
+
+on:
+  pull_request:
+    branches:
+      - main
+      - '*.x'
+
+run-name: Merge Dependabot PR ${{ github.ref_name }}
+
+jobs:
+  merge-dependabot-pr:
+    permissions: write-all
+    uses: spring-io/spring-github-workflows/.github/workflows/spring-merge-dependabot-pr.yml@v7
+    with:
+      mergeArguments: --auto --rebase

.github/workflows/check-snapshots.yml

@@ -14,14 +14,12 @@ permissions:
 jobs:
   snapshot-test:
     name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
     strategy:
       matrix:
         include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
+          - java-version: 25
+            toolchain: 25
     with:
       java-version: ${{ matrix.java-version }}
       test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
@@ -33,6 +31,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
         with:
           webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       matrix:
         os: [ ubuntu-latest, windows-latest ]
-        jdk: [ 17 ]
+        jdk: [ 25 ]
     with:
       runs-on: ${{ matrix.os }}
       java-version: ${{ matrix.jdk }}
@@ -34,6 +34,7 @@ jobs:
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
       default-publish-milestones-central: true
+      java-version: 25
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
@@ -41,6 +42,7 @@ jobs:
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
+      java-version: 25
     secrets: inherit
   perform-release:
     name: Perform Release
@@ -53,6 +55,7 @@ jobs:
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing
+      java-version: 25
     secrets: inherit
   send-notification:
     name: Send Notification

.github/workflows/finalize-release.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   perform-release:
     name: Perform Release
-    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
+    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
     with:
       should-perform-release: true
       project-version: ${{ inputs.version }}

.github/workflows/gradle-wrapper-upgrade-execution.yml

@@ -9,6 +9,7 @@ permissions:
 jobs:
   upgrade_wrapper:
     name: Execution
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
     runs-on: ubuntu-latest
     steps:
       - name: Set up Git configuration
@@ -20,10 +21,10 @@ jobs:
           git config --global user.email 'github-actions[bot]@users.noreply.github.com'
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up JDK 17
+      - name: Set up JDK 25
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Set up Gradle
         uses: gradle/setup-gradle@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1

.github/workflows/pr-build-workflow.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up gradle
         uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Build with Gradle
         run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue --scan
@@ -28,13 +28,13 @@ jobs:
       - name: Set up gradle
         uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Run Antora
         run: ./gradlew -PbuildSrc.skipTests=true :spring-security-docs:antora
       - name: Upload Docs
         id: upload
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: docs
           path: docs/build/site

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.5.x, 6.4.x, 6.3.x ]
+        branch: [ main, 7.0.x, 6.5.x, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

.github/workflows/update-antora-ui-spring.yml

@@ -12,11 +12,12 @@ permissions:
 
 jobs:
   update-antora-ui-spring:
-    runs-on: ubuntu-latest
     name: Update on Supported Branches
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
+    runs-on: ubuntu-latest
     strategy:
       matrix:
-        branch: [ '6.4.x', '6.5.x', 'main' ]
+        branch: [ '6.5.x', '7.0.x', 'main' ]
     steps:
       - uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
         name: Update
@@ -25,8 +26,9 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           antora-file-path: 'docs/antora-playbook.yml'
   update-antora-ui-spring-docs-build:
-    runs-on: ubuntu-latest
     name: Update on docs-build
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
+    runs-on: ubuntu-latest
     steps:
       - uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
         name: Update

.sdkmanrc

@@ -3,4 +3,4 @@
 # See https://sdkman.io/usage#config
 # A summary is to add the following to ~/.sdkman/etc/config
 # sdkman_auto_env=true
-java=17.0.3-tem
+java=25-librca

.vscode/settings.json

@@ -1,3 +1,3 @@
 {
-	"java.import.gradle.enabled": false
+  "java.gradle.buildServer.enabled": "off"
 }

CONTRIBUTING.adoc

@@ -31,7 +31,7 @@ If you have a question, check Stack Overflow using
 https://stackoverflow.com/questions/tagged/spring-security+or+spring-ldap+or+spring-authorization-server+or+spring-session?tab=Newest[this list of tags].
 Find an existing discussion, or start a new one if necessary.
 
-If you believe there is an issue, search through https://github.com/spring-projects/spring-security/issues[existing issues] trying a  few different ways to find discussions, past or current, that are related to the issue.
+If you believe there is an issue, search through https://github.com/spring-projects/spring-security/issues[existing issues] trying a few different ways to find discussions, past or current, that are related to the issue.
 Reading those discussions helps you to learn about the issue, and helps us to make a decision.
 
 [[find-an-issue]]
@@ -94,7 +94,7 @@ Don't worry if you don't get them all correct the first time, we will help you.
 
 1. [[sign-cla]] All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
 For additional details, please refer to the blog post https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring[Hello DCO, Goodbye CLA: Simplifying Contributions to Spring].
-2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
+2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier to discuss with the team first to determine the right fix or enhancement.
 For typos and straightforward bug fixes, starting with a pull request is encouraged.
 Please include a description for context and motivation.
 Note that the team may close your pull request if it's not a fit for the project.

README.adoc

@@ -68,6 +68,27 @@ The https://github.com/spring-projects/spring-security/tree/docs-build[playbook
 
 Discover more commands with `./gradlew tasks`.
 
+=== IDE setup (IntelliJ)
+
+No special steps are needed to open Spring Security in IntelliJ.
+
+=== IDE setup (Eclipse and VS Code)
+
+To work in Eclipse or VS Code, first generate Eclipse metadata so you can import the project into Eclipse or VS Code:
+
+[indent=0]
+----
+./gradlew cleanEclipse eclipse
+----
+
+If you have not built the project yet, run `./gradlew publishToMavenLocal` first so dependencies are resolved.
+
+*VS Code:* Open the repository root as a folder. The repository includes `.vscode/settings.json` which disables automatic Gradle import so that the generated Eclipse metadata (`.classpath`, `.project`) is used. Do not use the Gradle for Java extension to import the project.
+
+*Eclipse:* File → Import → General → Existing Projects into Workspace, then select the repository root.
+
+The build uses a custom Eclipse plugin to work around Gradle dependency cycles that confuse IDE metadata generation. You may see Eclipse warnings about `xml-apis` from some test dependencies; those are excluded in the build and can be ignored.
+
 == Getting Support
 Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
 https://spring.io/support[Commercial support] is available too.

access/spring-security-access.gradle

@@ -1,3 +1,8 @@
+plugins {
+	id 'compile-warnings-error'
+	id 'javadoc-warnings-error'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

access/src/main/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSource.java

@@ -31,6 +31,7 @@ import org.jspecify.annotations.Nullable;
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource;
+import org.springframework.util.StringUtils;
 
 /**
  * Sources method security metadata from major JSR 250 security annotations.
@@ -108,7 +109,7 @@ public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSe
 		if (role == null) {
 			return role;
 		}
-		if (this.defaultRolePrefix == null || this.defaultRolePrefix.length() == 0) {
+		if (!StringUtils.hasLength(this.defaultRolePrefix)) {
 			return role;
 		}
 		if (role.startsWith(this.defaultRolePrefix)) {

access/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java

@@ -53,7 +53,9 @@ import org.springframework.util.CollectionUtils;
  *
  * @author Ben Alex
  * @author Luke Taylor
- * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
+ * @deprecated Use
+ * <code>org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity</code>
+ * or publish interceptors directly
  */
 @NullUnmarked
 @Deprecated

acl/spring-security-acl.gradle

@@ -1,3 +1,9 @@
+plugins {
+	id 'compile-warnings-error'
+	id 'javadoc-warnings-error'
+	id 'security-nullability'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

acl/src/main/java/org/springframework/security/acls/AclPermissionEvaluator.java

@@ -23,6 +23,7 @@ import java.util.Locale;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.PermissionEvaluator;
@@ -44,7 +45,7 @@ import org.springframework.security.core.Authentication;
 /**
  * Used by Spring Security's expression-based access control implementation to evaluate
  * permissions for a particular object using the ACL module. Similar in behaviour to
- * {@link org.springframework.security.acls.AclEntryVoter AclEntryVoter}.
+ * <code> org.springframework.security.acls.AclEntryVoter AclEntryVoter </code>
  *
  * @author Luke Taylor
  * @since 3.0
@@ -73,7 +74,7 @@ public class AclPermissionEvaluator implements PermissionEvaluator {
 	 * be overridden using a null check in the expression itself).
 	 */
 	@Override
-	public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
+	public boolean hasPermission(Authentication authentication, @Nullable Object domainObject, Object permission) {
 		if (domainObject == null) {
 			return false;
 		}

acl/src/main/java/org/springframework/security/acls/aot/hint/AclRuntimeHints.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.acls.aot.hint;
+
+import java.util.stream.Stream;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.aot.hint.MemberCategory;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+import org.springframework.security.acls.domain.AclImpl;
+import org.springframework.security.acls.domain.AuditLogger;
+import org.springframework.security.acls.domain.BasePermission;
+import org.springframework.security.acls.domain.GrantedAuthoritySid;
+import org.springframework.security.acls.domain.ObjectIdentityImpl;
+import org.springframework.security.acls.domain.PrincipalSid;
+import org.springframework.security.acls.model.AccessControlEntry;
+import org.springframework.security.acls.model.Acl;
+import org.springframework.security.acls.model.AuditableAccessControlEntry;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.Sid;
+
+/**
+ * {@link RuntimeHintsRegistrar} for ACL (Access Control List) classes.
+ *
+ * @author Josh Long
+ */
+class AclRuntimeHints implements RuntimeHintsRegistrar {
+
+	@Override
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
+		registerAclDomainHints(hints);
+		registerJdbcSchemaHints(hints);
+	}
+
+	private void registerAclDomainHints(RuntimeHints hints) {
+		// Register core ACL domain types
+		Stream
+			.of(Acl.class, AccessControlEntry.class, AuditableAccessControlEntry.class, ObjectIdentity.class, Sid.class,
+					AclImpl.class, AccessControlEntry.class, AuditLogger.class, ObjectIdentityImpl.class,
+					PrincipalSid.class, GrantedAuthoritySid.class, BasePermission.class)
+			.forEach((c) -> hints.reflection()
+				.registerType(TypeReference.of(c),
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+								MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS)));
+
+	}
+
+	private void registerJdbcSchemaHints(RuntimeHints hints) {
+		String[] sqlFiles = new String[] { "createAclSchema.sql", "createAclSchemaMySQL.sql",
+				"createAclSchemaOracle.sql", "createAclSchemaPostgres.sql", "createAclSchemaSqlServer.sql",
+				"createAclSchemaWithAclClassIdType.sql", "select.sql" };
+		for (String sqlFile : sqlFiles) {
+			Resource sqlResource = new ClassPathResource(sqlFile);
+			if (sqlResource.exists()) {
+				hints.resources().registerResource(sqlResource);
+			}
+		}
+	}
+
+}

acl/src/main/java/org/springframework/security/acls/aot/hint/package-info.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AOT and native image hint support for ACLs.
+ */
+@NullMarked
+package org.springframework.security.acls.aot.hint;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/domain/AccessControlEntryImpl.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.domain;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.AccessControlEntry;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.AuditableAccessControlEntry;
@@ -36,7 +38,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 
 	private Permission permission;
 
-	private final Serializable id;
+	private final @Nullable Serializable id;
 
 	private final Sid sid;
 
@@ -46,7 +48,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 
 	private final boolean granting;
 
-	public AccessControlEntryImpl(Serializable id, Acl acl, Sid sid, Permission permission, boolean granting,
+	public AccessControlEntryImpl(@Nullable Serializable id, Acl acl, Sid sid, Permission permission, boolean granting,
 			boolean auditSuccess, boolean auditFailure) {
 		Assert.notNull(acl, "Acl required");
 		Assert.notNull(sid, "Sid required");
@@ -133,7 +135,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 	}
 
 	@Override
-	public Serializable getId() {
+	public @Nullable Serializable getId() {
 		return this.id;
 	}
 

acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -99,7 +99,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 		Authentication authentication = context.getAuthentication();
 		// Check if authorized by virtue of ACL ownership
 		Sid currentUser = createCurrentUser(authentication);
-		if (currentUser.equals(acl.getOwner())
+		Sid owner = acl.getOwner();
+		if (owner != null && currentUser.equals(owner)
 				&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
 			return;
 		}
@@ -108,8 +109,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 		Collection<? extends GrantedAuthority> reachableGrantedAuthorities = this.roleHierarchy
 			.getReachableGrantedAuthorities(authentication.getAuthorities());
 		Set<String> authorities = AuthorityUtils.authorityListToSet(reachableGrantedAuthorities);
-		if (acl.getOwner() instanceof GrantedAuthoritySid
-				&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
+		if (owner instanceof GrantedAuthoritySid
+				&& authorities.contains(((GrantedAuthoritySid) owner).getGrantedAuthority())) {
 			return;
 		}
 

acl/src/main/java/org/springframework/security/acls/domain/AclImpl.java

@@ -20,6 +20,8 @@ import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.AccessControlEntry;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.AuditableAcl;
@@ -41,7 +43,7 @@ import org.springframework.util.ObjectUtils;
  */
 public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 
-	private Acl parentAcl;
+	private @Nullable Acl parentAcl;
 
 	private transient AclAuthorizationStrategy aclAuthorizationStrategy;
 
@@ -54,10 +56,10 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	private Serializable id;
 
 	// OwnershipAcl
-	private Sid owner;
+	private @Nullable Sid owner;
 
 	// includes all SIDs the WHERE clause covered, even if there was no ACE for a SID
-	private List<Sid> loadedSids = null;
+	private @Nullable List<Sid> loadedSids = null;
 
 	private boolean entriesInheriting = true;
 
@@ -97,8 +99,8 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	 * @param owner the owner (required)
 	 */
 	public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy,
-			PermissionGrantingStrategy grantingStrategy, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting,
-			Sid owner) {
+			PermissionGrantingStrategy grantingStrategy, @Nullable Acl parentAcl, @Nullable List<Sid> loadedSids,
+			boolean entriesInheriting, Sid owner) {
 		Assert.notNull(objectIdentity, "Object Identity required");
 		Assert.notNull(id, "Id required");
 		Assert.notNull(aclAuthorizationStrategy, "AclAuthorizationStrategy required");
@@ -117,7 +119,7 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	 * Private no-argument constructor for use by reflection-based persistence tools along
 	 * with field-level access.
 	 */
-	@SuppressWarnings("unused")
+	@SuppressWarnings({ "unused", "NullAway.Init" })
 	private AclImpl() {
 	}
 
@@ -199,7 +201,7 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	}
 
 	@Override
-	public boolean isSidLoaded(List<Sid> sids) {
+	public boolean isSidLoaded(@Nullable List<Sid> sids) {
 		// If loadedSides is null, this indicates all SIDs were loaded
 		// Also return true if the caller didn't specify a SID to find
 		if ((this.loadedSids == null) || (sids == null) || sids.isEmpty()) {
@@ -238,19 +240,19 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	}
 
 	@Override
-	public Sid getOwner() {
+	public @Nullable Sid getOwner() {
 		return this.owner;
 	}
 
 	@Override
-	public void setParent(Acl newParent) {
+	public void setParent(@Nullable Acl newParent) {
 		this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
 		Assert.isTrue(newParent == null || !newParent.equals(this), "Cannot be the parent of yourself");
 		this.parentAcl = newParent;
 	}
 
 	@Override
-	public Acl getParentAcl() {
+	public @Nullable Acl getParentAcl() {
 		return this.parentAcl;
 	}
 

acl/src/main/java/org/springframework/security/acls/domain/SpringCacheBasedAclCache.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.domain;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.cache.Cache;
 import org.springframework.security.acls.model.AclCache;
 import org.springframework.security.acls.model.MutableAcl;
@@ -78,13 +80,13 @@ public class SpringCacheBasedAclCache implements AclCache {
 	}
 
 	@Override
-	public MutableAcl getFromCache(ObjectIdentity objectIdentity) {
+	public @Nullable MutableAcl getFromCache(ObjectIdentity objectIdentity) {
 		Assert.notNull(objectIdentity, "ObjectIdentity required");
 		return getFromCache((Object) objectIdentity);
 	}
 
 	@Override
-	public MutableAcl getFromCache(Serializable pk) {
+	public @Nullable MutableAcl getFromCache(Serializable pk) {
 		Assert.notNull(pk, "Primary key (identifier) required");
 		return getFromCache((Object) pk);
 	}
@@ -101,12 +103,16 @@ public class SpringCacheBasedAclCache implements AclCache {
 		this.cache.put(acl.getId(), acl);
 	}
 
-	private MutableAcl getFromCache(Object key) {
+	private @Nullable MutableAcl getFromCache(Object key) {
 		Cache.ValueWrapper element = this.cache.get(key);
 		if (element == null) {
 			return null;
 		}
-		return initializeTransientFields((MutableAcl) element.get());
+		Object value = element.get();
+		if (value == null) {
+			return null;
+		}
+		return initializeTransientFields((MutableAcl) value);
 	}
 
 	private MutableAcl initializeTransientFields(MutableAcl value) {

acl/src/main/java/org/springframework/security/acls/domain/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Basic implementation of access control lists (ACLs) interfaces.
  */
+@NullMarked
 package org.springframework.security.acls.domain;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/jdbc/AclClassIdUtils.java

@@ -23,6 +23,7 @@ import java.util.UUID;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.convert.ConversionFailedException;
 import org.springframework.core.convert.ConversionService;
@@ -67,10 +68,10 @@ class AclClassIdUtils {
 	 * @return The identifier in the appropriate target Java type. Typically Long or UUID.
 	 * @throws SQLException
 	 */
-	Serializable identifierFrom(Serializable identifier, ResultSet resultSet) throws SQLException {
-		if (isString(identifier) && hasValidClassIdType(resultSet)
-				&& canConvertFromStringTo(classIdTypeFrom(resultSet))) {
-			return convertFromStringTo((String) identifier, classIdTypeFrom(resultSet));
+	@Nullable Serializable identifierFrom(Serializable identifier, ResultSet resultSet) throws SQLException {
+		Class<? extends Serializable> classIdType = classIdTypeFrom(resultSet);
+		if (isString(identifier) && classIdType != null && canConvertFromStringTo(classIdType)) {
+			return convertFromStringTo((String) identifier, classIdType);
 		}
 		// Assume it should be a Long type
 		return convertToLong(identifier);
@@ -86,28 +87,38 @@ class AclClassIdUtils {
 		}
 	}
 
-	private <T extends Serializable> Class<T> classIdTypeFrom(ResultSet resultSet) throws SQLException {
-		return classIdTypeFrom(resultSet.getString(DEFAULT_CLASS_ID_TYPE_COLUMN_NAME));
+	private @Nullable Class<? extends Serializable> classIdTypeFrom(ResultSet resultSet) throws SQLException {
+		try {
+			return classIdTypeFrom(resultSet.getString(DEFAULT_CLASS_ID_TYPE_COLUMN_NAME));
+		}
+		catch (SQLException ex) {
+			log.debug("Unable to obtain the class id type", ex);
+			return null;
+		}
 	}
 
-	private <T extends Serializable> Class<T> classIdTypeFrom(String className) {
+	private @Nullable Class<? extends Serializable> classIdTypeFrom(String className) {
 		if (className == null) {
 			return null;
 		}
 		try {
-			return (Class) Class.forName(className);
+			return Class.forName(className).asSubclass(Serializable.class);
 		}
 		catch (ClassNotFoundException ex) {
 			log.debug("Unable to find class id type on classpath", ex);
 			return null;
 		}
+		catch (ClassCastException ex) {
+			log.debug("Class id type is not a Serializable type", ex);
+			return null;
+		}
 	}
 
 	private <T> boolean canConvertFromStringTo(Class<T> targetType) {
 		return this.conversionService.canConvert(String.class, targetType);
 	}
 
-	private <T extends Serializable> T convertFromStringTo(String identifier, Class<T> targetType) {
+	private <T extends Serializable> @Nullable T convertFromStringTo(String identifier, Class<T> targetType) {
 		return this.conversionService.convert(identifier, targetType);
 	}
 
@@ -121,7 +132,7 @@ class AclClassIdUtils {
 	 * exception occurred
 	 * @throws IllegalArgumentException if targetType is null
 	 */
-	private Long convertToLong(Serializable identifier) {
+	private @Nullable Long convertToLong(Serializable identifier) {
 		if (this.conversionService.canConvert(identifier.getClass(), Long.class)) {
 			return this.conversionService.convert(identifier, Long.class);
 		}
@@ -140,10 +151,10 @@ class AclClassIdUtils {
 	private static class StringToLongConverter implements Converter<String, Long> {
 
 		@Override
-		public Long convert(String identifierAsString) {
+		public Long convert(@Nullable String identifierAsString) {
 			if (identifierAsString == null) {
 				throw new ConversionFailedException(TypeDescriptor.valueOf(String.class),
-						TypeDescriptor.valueOf(Long.class), null, null);
+						TypeDescriptor.valueOf(Long.class), identifierAsString, new NullPointerException());
 
 			}
 			return Long.parseLong(identifierAsString);
@@ -154,10 +165,10 @@ class AclClassIdUtils {
 	private static class StringToUUIDConverter implements Converter<String, UUID> {
 
 		@Override
-		public UUID convert(String identifierAsString) {
+		public UUID convert(@Nullable String identifierAsString) {
 			if (identifierAsString == null) {
 				throw new ConversionFailedException(TypeDescriptor.valueOf(String.class),
-						TypeDescriptor.valueOf(UUID.class), null, null);
+						TypeDescriptor.valueOf(UUID.class), identifierAsString, new NullPointerException());
 
 			}
 			return UUID.fromString(identifierAsString);

acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java

@@ -31,6 +31,8 @@ import java.util.Set;
 
 import javax.sql.DataSource;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.convert.ConversionException;
 import org.springframework.core.convert.ConversionService;
 import org.springframework.jdbc.core.JdbcTemplate;
@@ -224,7 +226,8 @@ public class BasicLookupStrategy implements LookupStrategy {
 	 * @param findNow Long-based primary keys to retrieve
 	 * @param sids
 	 */
-	private void lookupPrimaryKeys(final Map<Serializable, Acl> acls, final Set<Long> findNow, final List<Sid> sids) {
+	private void lookupPrimaryKeys(final Map<Serializable, Acl> acls, final Set<Long> findNow,
+			final @Nullable List<Sid> sids) {
 		Assert.notNull(acls, "ACLs are required");
 		Assert.notEmpty(findNow, "Items to find now required");
 		String sql = computeRepeatingSql(this.lookupPrimaryKeysWhereClause, findNow.size());
@@ -264,7 +267,7 @@ public class BasicLookupStrategy implements LookupStrategy {
 	 * automatically create entries if required)
 	 */
 	@Override
-	public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) {
+	public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids) {
 		Assert.isTrue(this.batchSize >= 1, "BatchSize must be >= 1");
 		Assert.notEmpty(objects, "Objects to lookup required");
 		// Map<ObjectIdentity,Acl>
@@ -323,7 +326,7 @@ public class BasicLookupStrategy implements LookupStrategy {
 	 * properly-configured parent ACLs.
 	 */
 	private Map<ObjectIdentity, Acl> lookupObjectIdentities(final Collection<ObjectIdentity> objectIdentities,
-			List<Sid> sids) {
+			@Nullable List<Sid> sids) {
 		Assert.notEmpty(objectIdentities, "Must provide identities to lookup");
 
 		// contains Acls with StubAclParents
@@ -399,8 +402,10 @@ public class BasicLookupStrategy implements LookupStrategy {
 		}
 
 		// Now we have the parent (if there is one), create the true AclImpl
+		Sid owner = inputAcl.getOwner();
+		Assert.isTrue(owner != null, "Owner is required");
 		AclImpl result = new AclImpl(inputAcl.getObjectIdentity(), inputAcl.getId(), this.aclAuthorizationStrategy,
-				this.grantingStrategy, parent, null, inputAcl.isEntriesInheriting(), inputAcl.getOwner());
+				this.grantingStrategy, parent, null, inputAcl.isEntriesInheriting(), owner);
 
 		// Copy the "aces" from the input to the destination
 
@@ -506,9 +511,9 @@ public class BasicLookupStrategy implements LookupStrategy {
 
 		private final Map<Serializable, Acl> acls;
 
-		private final List<Sid> sids;
+		private final @Nullable List<Sid> sids;
 
-		ProcessResultSet(Map<Serializable, Acl> acls, List<Sid> sids) {
+		ProcessResultSet(Map<Serializable, Acl> acls, @Nullable List<Sid> sids) {
 			Assert.notNull(acls, "ACLs cannot be null");
 			this.acls = acls;
 			this.sids = sids; // can be null
@@ -579,6 +584,9 @@ public class BasicLookupStrategy implements LookupStrategy {
 				// target id type, e.g. UUID.
 				Serializable identifier = (Serializable) rs.getObject("object_id_identity");
 				identifier = BasicLookupStrategy.this.aclClassIdUtils.identifierFrom(identifier, rs);
+				if (identifier == null) {
+					throw new IllegalStateException("Identifier cannot be null");
+				}
 				ObjectIdentity objectIdentity = BasicLookupStrategy.this.objectIdentityGenerator
 					.createObjectIdentity(identifier, rs.getString("class"));
 
@@ -670,7 +678,7 @@ public class BasicLookupStrategy implements LookupStrategy {
 		}
 
 		@Override
-		public boolean isSidLoaded(List<Sid> sids) {
+		public boolean isSidLoaded(@Nullable List<Sid> sids) {
 			throw new UnsupportedOperationException("Stub only");
 		}
 

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java

@@ -27,6 +27,7 @@ import javax.sql.DataSource;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.convert.ConversionService;
 import org.springframework.jdbc.core.JdbcOperations;
@@ -98,7 +99,7 @@ public class JdbcAclService implements AclService {
 	}
 
 	@Override
-	public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
+	public @Nullable List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
 		Object[] args = { parentIdentity.getIdentifier().toString(), parentIdentity.getType() };
 		List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql,
 				(rs, rowNum) -> mapObjectIdentityRow(rs), args);
@@ -109,11 +110,14 @@ public class JdbcAclService implements AclService {
 		String javaType = rs.getString("class");
 		Serializable identifier = (Serializable) rs.getObject("obj_id");
 		identifier = this.aclClassIdUtils.identifierFrom(identifier, rs);
+		if (identifier == null) {
+			throw new IllegalStateException("Identifier cannot be null");
+		}
 		return this.objectIdentityGenerator.createObjectIdentity(identifier, javaType);
 	}
 
 	@Override
-	public Acl readAclById(ObjectIdentity object, List<Sid> sids) throws NotFoundException {
+	public Acl readAclById(ObjectIdentity object, @Nullable List<Sid> sids) throws NotFoundException {
 		Map<ObjectIdentity, Acl> map = readAclsById(Collections.singletonList(object), sids);
 		Assert.isTrue(map.containsKey(object),
 				() -> "There should have been an Acl entry for ObjectIdentity " + object);
@@ -131,7 +135,7 @@ public class JdbcAclService implements AclService {
 	}
 
 	@Override
-	public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids)
+	public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids)
 			throws NotFoundException {
 		Map<ObjectIdentity, Acl> result = this.lookupStrategy.readAclsById(objects, sids);
 		// Check every requested object identity was found (throw NotFoundException if

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java

@@ -22,6 +22,8 @@ import java.util.List;
 
 import javax.sql.DataSource;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.dao.DataAccessException;
 import org.springframework.jdbc.core.BatchPreparedStatementSetter;
 import org.springframework.security.acls.domain.AccessControlEntryImpl;
@@ -120,6 +122,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 		// Need to retrieve the current principal, in order to know who "owns" this ACL
 		// (can be changed later on)
 		Authentication auth = this.securityContextHolderStrategy.getContext().getAuthentication();
+		Assert.isTrue(auth != null, "Authentication required");
 		PrincipalSid sid = new PrincipalSid(auth);
 
 		// Create the acl_object_identity row
@@ -155,9 +158,12 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 				Assert.isTrue(entry_ instanceof AccessControlEntryImpl, "Unknown ACE class");
 				AccessControlEntryImpl entry = (AccessControlEntryImpl) entry_;
 
+				Assert.state(acl.getId() != null, "ACL ID cannot be null");
 				stmt.setLong(1, (Long) acl.getId());
 				stmt.setInt(2, i);
-				stmt.setLong(3, createOrRetrieveSidPrimaryKey(entry.getSid(), true));
+				Long sidPrimaryKey = createOrRetrieveSidPrimaryKey(entry.getSid(), true);
+				Assert.state(sidPrimaryKey != null, "SID primary key cannot be null");
+				stmt.setLong(3, sidPrimaryKey);
 				stmt.setInt(4, entry.getPermission().getMask());
 				stmt.setBoolean(5, entry.isGranting());
 				stmt.setBoolean(6, entry.isAuditSuccess());
@@ -189,11 +195,14 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @param allowCreate true if creation is permitted if not found
 	 * @return the primary key or null if not found
 	 */
-	protected Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
-		List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, Long.class, type);
+	protected @Nullable Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
+		List<@Nullable Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, Long.class, type);
 
 		if (!classIds.isEmpty()) {
-			return classIds.get(0);
+			Long result = classIds.get(0);
+			if (result != null) {
+				return result;
+			}
 		}
 
 		if (allowCreate) {
@@ -204,7 +213,9 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 				this.jdbcOperations.update(this.insertClass, type, idType.getCanonicalName());
 			}
 			Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
-			return this.jdbcOperations.queryForObject(this.classIdentityQuery, Long.class);
+			Long result = this.jdbcOperations.queryForObject(this.classIdentityQuery, Long.class);
+			Assert.state(result != null, "Failed to retrieve class primary key");
+			return result;
 		}
 
 		return null;
@@ -219,7 +230,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @throws IllegalArgumentException if the <tt>Sid</tt> is not a recognized
 	 * implementation.
 	 */
-	protected Long createOrRetrieveSidPrimaryKey(Sid sid, boolean allowCreate) {
+	protected @Nullable Long createOrRetrieveSidPrimaryKey(Sid sid, boolean allowCreate) {
 		Assert.notNull(sid, "Sid required");
 		if (sid instanceof PrincipalSid) {
 			String sidName = ((PrincipalSid) sid).getPrincipal();
@@ -240,16 +251,22 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @param allowCreate true if creation is permitted if not found
 	 * @return the primary key or null if not found
 	 */
-	protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal, boolean allowCreate) {
-		List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey, Long.class, sidIsPrincipal,
-				sidName);
+	protected @Nullable Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal,
+			boolean allowCreate) {
+		List<@Nullable Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey, Long.class,
+				sidIsPrincipal, sidName);
 		if (!sidIds.isEmpty()) {
-			return sidIds.get(0);
+			Long result = sidIds.get(0);
+			if (result != null) {
+				return result;
+			}
 		}
 		if (allowCreate) {
 			this.jdbcOperations.update(this.insertSid, sidIsPrincipal, sidName);
 			Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
-			return this.jdbcOperations.queryForObject(this.sidIdentityQuery, Long.class);
+			Long result = this.jdbcOperations.queryForObject(this.sidIdentityQuery, Long.class);
+			Assert.state(result != null, "Failed to retrieve sid primary key");
+			return result;
 		}
 		return null;
 	}
@@ -279,6 +296,9 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 		}
 
 		Long oidPrimaryKey = retrieveObjectIdentityPrimaryKey(objectIdentity);
+		if (oidPrimaryKey == null) {
+			throw new NotFoundException("Object identity not found: " + objectIdentity);
+		}
 
 		// Delete this ACL's ACEs in the acl_entry table
 		deleteEntries(oidPrimaryKey);
@@ -319,10 +339,11 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @param oid to find
 	 * @return the object identity or null if not found
 	 */
-	protected Long retrieveObjectIdentityPrimaryKey(ObjectIdentity oid) {
+	protected @Nullable Long retrieveObjectIdentityPrimaryKey(ObjectIdentity oid) {
 		try {
-			return this.jdbcOperations.queryForObject(this.selectObjectIdentityPrimaryKey, Long.class, oid.getType(),
-					oid.getIdentifier().toString());
+			Long result = this.jdbcOperations.queryForObject(this.selectObjectIdentityPrimaryKey, Long.class,
+					oid.getType(), oid.getIdentifier().toString());
+			return result;
 		}
 		catch (DataAccessException notFound) {
 			return null;
@@ -340,7 +361,11 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 		Assert.notNull(acl.getId(), "Object Identity doesn't provide an identifier");
 
 		// Delete this ACL's ACEs in the acl_entry table
-		deleteEntries(retrieveObjectIdentityPrimaryKey(acl.getObjectIdentity()));
+		Long oidPrimaryKey = retrieveObjectIdentityPrimaryKey(acl.getObjectIdentity());
+		if (oidPrimaryKey == null) {
+			throw new NotFoundException("Object identity not found for ACL: " + acl.getObjectIdentity());
+		}
+		deleteEntries(oidPrimaryKey);
 
 		// Create this ACL's ACEs in the acl_entry table
 		createEntries(acl);

acl/src/main/java/org/springframework/security/acls/jdbc/LookupStrategy.java

@@ -19,6 +19,8 @@ package org.springframework.security.acls.jdbc;
 import java.util.List;
 import java.util.Map;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.NotFoundException;
 import org.springframework.security.acls.model.ObjectIdentity;
@@ -42,6 +44,6 @@ public interface LookupStrategy {
 	 * {@link NotFoundException}, as a chain of {@link LookupStrategy}s may be used to
 	 * automatically create entries if required)
 	 */
-	Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids);
+	Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids);
 
 }

acl/src/main/java/org/springframework/security/acls/jdbc/package-info.java

@@ -17,4 +17,7 @@
 /**
  * JDBC-based persistence of ACL information
  */
+@NullMarked
 package org.springframework.security.acls.jdbc;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/model/AccessControlEntry.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.model;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * Represents an individual permission assignment within an {@link Acl}.
  *
@@ -36,7 +38,7 @@ public interface AccessControlEntry extends Serializable {
 	 * Obtains an identifier that represents this ACE.
 	 * @return the identifier, or <code>null</code> if unsaved
 	 */
-	Serializable getId();
+	@Nullable Serializable getId();
 
 	Permission getPermission();
 

acl/src/main/java/org/springframework/security/acls/model/Acl.java

@@ -19,6 +19,8 @@ package org.springframework.security.acls.model;
 import java.io.Serializable;
 import java.util.List;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * Represents an access control list (ACL) for a domain object.
  *
@@ -82,7 +84,7 @@ public interface Acl extends Serializable {
 	 * @return the owner (may be <tt>null</tt> if the implementation does not use
 	 * ownership concepts)
 	 */
-	Sid getOwner();
+	@Nullable Sid getOwner();
 
 	/**
 	 * A domain object may have a parent for the purpose of ACL inheritance. If there is a
@@ -103,7 +105,7 @@ public interface Acl extends Serializable {
 	 * @return the parent <tt>Acl</tt> (may be <tt>null</tt> if this <tt>Acl</tt> does not
 	 * have a parent)
 	 */
-	Acl getParentAcl();
+	@Nullable Acl getParentAcl();
 
 	/**
 	 * Indicates whether the ACL entries from the {@link #getParentAcl()} should flow down
@@ -189,6 +191,6 @@ public interface Acl extends Serializable {
 	 * @return <tt>true</tt> if every passed <tt>Sid</tt> is represented by this
 	 * <tt>Acl</tt> instance
 	 */
-	boolean isSidLoaded(List<Sid> sids);
+	boolean isSidLoaded(@Nullable List<Sid> sids);
 
 }

acl/src/main/java/org/springframework/security/acls/model/AclCache.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.model;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.jdbc.JdbcAclService;
 
 /**
@@ -31,9 +33,9 @@ public interface AclCache {
 
 	void evictFromCache(ObjectIdentity objectIdentity);
 
-	MutableAcl getFromCache(ObjectIdentity objectIdentity);
+	@Nullable MutableAcl getFromCache(ObjectIdentity objectIdentity);
 
-	MutableAcl getFromCache(Serializable pk);
+	@Nullable MutableAcl getFromCache(Serializable pk);
 
 	void putInCache(MutableAcl acl);
 

acl/src/main/java/org/springframework/security/acls/model/AclService.java

@@ -19,6 +19,8 @@ package org.springframework.security.acls.model;
 import java.util.List;
 import java.util.Map;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * Provides retrieval of {@link Acl} instances.
  *
@@ -32,7 +34,7 @@ public interface AclService {
 	 * @param parentIdentity to locate children of
 	 * @return the children (or <tt>null</tt> if none were found)
 	 */
-	List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity);
+	@Nullable List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity);
 
 	/**
 	 * Same as {@link #readAclsById(List)} except it returns only a single Acl.
@@ -59,7 +61,7 @@ public interface AclService {
 	 * @throws NotFoundException if an {@link Acl} was not found for the requested
 	 * {@link ObjectIdentity}
 	 */
-	Acl readAclById(ObjectIdentity object, List<Sid> sids) throws NotFoundException;
+	Acl readAclById(ObjectIdentity object, @Nullable List<Sid> sids) throws NotFoundException;
 
 	/**
 	 * Obtains all the <tt>Acl</tt>s that apply for the passed <tt>Object</tt>s.
@@ -98,6 +100,7 @@ public interface AclService {
 	 * @throws NotFoundException if an {@link Acl} was not found for each requested
 	 * {@link ObjectIdentity}
 	 */
-	Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) throws NotFoundException;
+	Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids)
+			throws NotFoundException;
 
 }

acl/src/main/java/org/springframework/security/acls/model/package-info.java

@@ -18,4 +18,7 @@
  * Interfaces and shared classes to manage access control lists (ACLs) for domain object
  * instances.
  */
+@NullMarked
 package org.springframework.security.acls.model;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/package-info.java

@@ -24,4 +24,7 @@
  * older and more verbose attribute/voter/after-invocation approach from versions before
  * Spring Security 3.0.
  */
+@NullMarked
 package org.springframework.security.acls;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/resources/META-INF/spring/aot.factories

@@ -0,0 +1,2 @@
+org.springframework.aot.hint.RuntimeHintsRegistrar=\
+org.springframework.security.acls.aot.hint.AclRuntimeHints

acl/src/test/java/org/springframework/security/acls/domain/AclImplTests.java

@@ -478,6 +478,7 @@ public class AclImplTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void hashCodeWithoutStackOverFlow() throws Exception {
 		Sid sid = new PrincipalSid("pSid");
 		ObjectIdentity oid = new ObjectIdentityImpl("type", 1);

acl/src/test/java/org/springframework/security/acls/jdbc/JdbcAclServiceTests.java

@@ -29,6 +29,7 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentMatchers;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 
@@ -46,7 +47,6 @@ import org.springframework.security.acls.model.Sid;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
-import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyList;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
@@ -109,7 +109,8 @@ public class JdbcAclServiceTests {
 		List<ObjectIdentity> result = new ArrayList<>();
 		result.add(new ObjectIdentityImpl(Object.class, "5577"));
 		Object[] args = { "1", "org.springframework.security.acls.jdbc.JdbcAclServiceTests$MockLongIdDomainObject" };
-		given(this.jdbcOperations.query(anyString(), any(RowMapper.class), eq(args))).willReturn(result);
+		given(this.jdbcOperations.query(anyString(), ArgumentMatchers.<RowMapper<ObjectIdentity>>any(), eq(args)))
+			.willReturn(result);
 		ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockLongIdDomainObject.class, 1L);
 		List<ObjectIdentity> objectIdentities = this.aclService.findChildren(objectIdentity);
 		assertThat(objectIdentities).hasSize(1);

acl/src/test/java/org/springframework/security/acls/jdbc/SpringCacheBasedAclCacheTests.java

@@ -80,11 +80,10 @@ public class SpringCacheBasedAclCacheTests {
 		assertThatIllegalArgumentException().isThrownBy(() -> new SpringCacheBasedAclCache(null, null, null));
 	}
 
-	@SuppressWarnings("rawtypes")
 	@Test
 	public void cacheOperationsAclWithoutParent() {
 		Cache cache = getCache();
-		Map realCache = (Map) cache.getNativeCache();
+		Map<?, ?> realCache = (Map<?, ?>) cache.getNativeCache();
 		ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100L);
 		AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
 				new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
@@ -116,11 +115,10 @@ public class SpringCacheBasedAclCacheTests {
 		assertThat(realCache).isEmpty();
 	}
 
-	@SuppressWarnings("rawtypes")
 	@Test
 	public void cacheOperationsAclWithParent() throws Exception {
 		Cache cache = getCache();
-		Map realCache = (Map) cache.getNativeCache();
+		Map<?, ?> realCache = (Map<?, ?>) cache.getNativeCache();
 		Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
 		auth.setAuthenticated(true);
 		SecurityContextHolder.getContext().setAuthentication(auth);

aspects/spring-security-aspects.gradle

@@ -1,13 +1,16 @@
 apply plugin: 'io.spring.convention.spring-module'
 apply plugin: 'io.freefair.aspectj'
+apply plugin: 'compile-warnings-error'
 
 compileAspectj {
 	sourceCompatibility = "17"
 	targetCompatibility = "17"
+	ajcOptions.compilerArgs += ['-Xlint:ignore']
 }
 compileTestAspectj {
 	sourceCompatibility = "17"
 	targetCompatibility = "17"
+	ajcOptions.compilerArgs += ['-Xlint:ignore']
 }
 
 dependencies {

bom/spring-security-bom.gradle

@@ -1,6 +1,7 @@
 import io.spring.gradle.convention.SpringModulePlugin
 
 apply plugin: 'io.spring.convention.bom'
+apply plugin: 'compile-warnings-error'
 
 dependencies {
 	constraints {

build.gradle

@@ -1,5 +1,7 @@
 import io.spring.gradle.IncludeRepoTask
+import org.jetbrains.kotlin.gradle.dsl.JvmTarget
 import trang.RncToXsd
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 
 buildscript {
 	dependencies {

buildSrc/src/main/groovy/compile-warnings-error.gradle

@@ -0,0 +1,11 @@
+import org.gradle.api.tasks.compile.JavaCompile
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+
+tasks.withType(JavaCompile) {
+    options.compilerArgs += "-Werror"
+}
+
+tasks.withType(KotlinCompile) {
+    kotlinOptions.allWarningsAsErrors = true
+}
+

buildSrc/src/main/groovy/io/spring/gradle/convention/JacocoPlugin.groovy

@@ -34,7 +34,7 @@ class JacocoPlugin implements Plugin<Project> {
 			project.tasks.check.dependsOn project.tasks.jacocoTestReport
 
 			project.jacoco {
-				toolVersion = '0.8.9'
+				toolVersion = '0.8.14'
 			}
 		}
 	}

buildSrc/src/main/groovy/java-toolchain.gradle

@@ -5,7 +5,7 @@ def toolchainVersion() {
 	if (project.hasProperty('testToolchain')) {
 		return project.property('testToolchain').toString().toInteger()
 	}
-	return 17
+	return 25
 }
 
 java {

buildSrc/src/main/groovy/javadoc-warnings-error.gradle

@@ -0,0 +1,7 @@
+import org.gradle.api.tasks.javadoc.Javadoc
+
+project.tasks.withType(Javadoc).configureEach {
+	options.addBooleanOption('Werror', true)
+	// temporarily disable missing to get build to pass with JDK 25
+	options.addStringOption('Xdoclint:all,-missing')
+}

buildSrc/src/main/groovy/test-compile-target-jdk25.gradle

@@ -0,0 +1,30 @@
+import org.gradle.api.tasks.compile.JavaCompile
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
+
+/**
+ * We need to compile with JDK 25 for nullability support, but using JDK 25 means that our tests will fail due to the
+ * <a href="https://docs.oracle.com/en/java/javase/25/security/security-manager-is-permanently-disabled.html">removal
+ * of the Java Security Manager</a>. For example, in JDK 25 {@code Subject.getSubject(AccessControlContext)} throws an
+ * {@code UnsupportedOperationException}.
+ *
+ * To resolve this, we must migrate tests to use the new APIs (e.g. {@code Subject.current()}) but those APIs are not
+ * available in the JDK 17 source, so compiling with JDK 25 and release 17 fails. The plugin overrides the test
+ * compilation to use release 25.
+ *
+ * @see <a href="https://docs.oracle.com/en/java/javase/25/security/security-manager-is-permanently-disabled.html">The
+ * Security Manager Is Permanently Disabled</a>
+ * @see <a href="https://inside.java/2024/07/08/quality-heads-up/">Quality Outreach Heads-up - JDK 23: Re-Specified
+ * Subject.getSubject API</a>
+ */
+
+tasks.withType(JavaCompile).configureEach { task ->
+	if (task.name == 'compileTestJava' || task.name == 'compileIntegrationTestJava') {
+		task.options.release.set(25)
+	}
+}
+
+tasks.withType(KotlinCompile).configureEach { task ->
+	if (task.name == 'compileTestKotlin' || task.name == 'compileIntegrationTestKotlin') {
+		task.kotlinOptions.jvmTarget = '25'
+	}
+}

cas/spring-security-cas.gradle

@@ -1,5 +1,7 @@
 plugins {
 	id 'security-nullability'
+	id 'javadoc-warnings-error'
+	id 'compile-warnings-error'
 }
 
 apply plugin: 'io.spring.convention.spring-module'

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java

@@ -24,7 +24,6 @@ import org.apache.commons.logging.LogFactory;
 import org.apereo.cas.client.validation.Assertion;
 import org.apereo.cas.client.validation.TicketValidationException;
 import org.apereo.cas.client.validation.TicketValidator;
-import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
@@ -166,7 +165,6 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 	 * @param authentication
 	 * @return
 	 */
-	@NullUnmarked
 	private @Nullable String getServiceUrl(Authentication authentication) {
 		String serviceUrl;
 		if (authentication.getDetails() instanceof ServiceAuthenticationDetails) {

cas/src/main/java/org/springframework/security/cas/jackson/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Jackson 3+ serialization support for CAS.
  */
+@NullMarked
 package org.springframework.security.cas.jackson;
+
+import org.jspecify.annotations.NullMarked;

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java

@@ -91,7 +91,8 @@ public class CasAuthenticationEntryPoint implements AuthenticationEntryPoint, In
 	 */
 	protected String createServiceUrl(HttpServletRequest request, HttpServletResponse response) {
 		return WebUtils.constructServiceUrl(null, response, this.serviceProperties.getService(), null,
-				this.serviceProperties.getArtifactParameter(), this.encodeServiceUrlWithSessionId);
+				this.serviceProperties.getServiceParameter(), this.serviceProperties.getArtifactParameter(),
+				this.encodeServiceUrlWithSessionId);
 	}
 
 	/**

cas/src/main/java/org/springframework/security/cas/web/authentication/DefaultServiceAuthenticationDetails.java

@@ -34,6 +34,7 @@ import org.springframework.util.Assert;
  * and using the current URL minus the artifact and the corresponding value.
  *
  * @author Rob Winch
+ * @author Ngoc Nhan
  */
 final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 		implements ServiceAuthenticationDetails {
@@ -74,10 +75,9 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 		if (this == obj) {
 			return true;
 		}
-		if (!super.equals(obj) || !(obj instanceof DefaultServiceAuthenticationDetails)) {
+		if (!super.equals(obj) || !(obj instanceof DefaultServiceAuthenticationDetails that)) {
 			return false;
 		}
-		ServiceAuthenticationDetails that = (ServiceAuthenticationDetails) obj;
 		return this.serviceUrl.equals(that.getServiceUrl());
 	}
 
@@ -101,7 +101,11 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 	/**
 	 * If present, removes the artifactParameterName and the corresponding value from the
 	 * query String.
-	 * @param request
+	 * @param request the current {@link HttpServletRequest} to obtain the
+	 * {@link #getServiceUrl()} from.
+	 * @param artifactPattern the {@link Pattern} that will be used to clean up the query
+	 * string from containing the artifact name and value. This can be created using
+	 * {@link #createArtifactPattern(String)}.
 	 * @return the query String minus the artifactParameterName and the corresponding
 	 * value.
 	 */
@@ -111,7 +115,7 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 			return null;
 		}
 		String result = artifactPattern.matcher(query).replaceFirst("");
-		if (result.length() == 0) {
+		if (result.isEmpty()) {
 			return null;
 		}
 		// strip off the trailing & only if the artifact was the first query param
@@ -122,8 +126,9 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 	 * Creates a {@link Pattern} that can be passed into the constructor. This allows the
 	 * {@link Pattern} to be reused for every instance of
 	 * {@link DefaultServiceAuthenticationDetails}.
-	 * @param artifactParameterName
-	 * @return
+	 * @param artifactParameterName the artifactParameterName that is removed from the
+	 * current URL. The result becomes the service url. Cannot be null or an empty String.
+	 * @return a {@link Pattern}
 	 */
 	static Pattern createArtifactPattern(String artifactParameterName) {
 		Assert.hasLength(artifactParameterName, "artifactParameterName is expected to have a length");

config/spring-security-config.gradle

@@ -4,6 +4,9 @@ import trang.RncToXsd
 apply plugin: 'io.spring.convention.spring-module'
 apply plugin: 'trang'
 apply plugin: 'security-kotlin'
+apply plugin: 'test-compile-target-jdk25'
+apply plugin: 'compile-warnings-error'
+apply plugin:  'javadoc-warnings-error'
 
 configurations {
 	opensaml5 {

config/src/integration-test/java/org/springframework/security/config/ldap/LdapBindAuthenticationManagerFactoryITests.java

@@ -20,6 +20,7 @@ import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 
+import org.jspecify.annotations.NullMarked;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -98,12 +99,14 @@ public class LdapBindAuthenticationManagerFactoryITests {
 	public void authenticationManagerFactoryWhenCustomUserDetailsContextMapperThenUsed() throws Exception {
 		CustomUserDetailsContextMapperConfig.CONTEXT_MAPPER = new UserDetailsContextMapper() {
 			@Override
+			@NullMarked
 			public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
 					Collection<? extends GrantedAuthority> authorities) {
 				return User.withUsername("other").password("password").roles("USER").build();
 			}
 
 			@Override
+			@NullMarked
 			public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
 			}
 		};

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -94,7 +94,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 	public BeanDefinition parse(Element element, ParserContext pc) {
 		if (!namespaceMatchesVersion(element)) {
 			pc.getReaderContext()
-				.fatal("You cannot use any XSD older than spring-security-7.0.xsd. Either change to spring-security.xsd or spring-security-7.0.xsd",
+				.fatal("You cannot use any XSD older than spring-security-7.1.xsd. Either change to spring-security.xsd or spring-security-7.1.xsd",
 						element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@@ -219,7 +219,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-7\\.0.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-7\\.1.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java

@@ -36,6 +36,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
 import org.springframework.core.log.LogMessage;
+import org.springframework.lang.Contract;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
@@ -302,6 +303,7 @@ public class AuthenticationConfiguration {
 		}
 
 		@Override
+		@Contract("!null -> !null; null -> null")
 		public String encode(CharSequence rawPassword) {
 			return getPasswordEncoder().encode(rawPassword);
 		}

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -1881,7 +1881,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * <p>
 	 * Invoking {@link #securityMatchers(Customizer)} will not override previous
-	 * invocations of {@link #securityMatchers()}}, {@link #securityMatchers(Customizer)}
+	 * invocations of {@link #securityMatchers(Customizer)}
 	 * {@link #securityMatcher(String...)} and {@link #securityMatcher(RequestMatcher)}
 	 * </p>
 	 *
@@ -2004,8 +2004,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * <p>
 	 * Invoking {@link #securityMatcher(RequestMatcher)} will override previous
 	 * invocations of {@link #securityMatcher(RequestMatcher)},
-	 * {@link #securityMatcher(String...)}, {@link #securityMatchers(Customizer)} and
-	 * {@link #securityMatchers()}
+	 * {@link #securityMatcher(String...)} and {@link #securityMatchers(Customizer)}
 	 * </p>
 	 * @param requestMatcher the {@link RequestMatcher} to use, for example,
 	 * {@code PathPatternRequestMatcher.pathPattern(HttpMethod.GET, "/admin/**")}
@@ -2024,9 +2023,8 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 *
 	 * <p>
 	 * Invoking {@link #securityMatcher(String...)} will override previous invocations of
-	 * {@link #securityMatcher(String...)} (String)}},
-	 * {@link #securityMatcher(RequestMatcher)} ()}, {@link #securityMatchers(Customizer)}
-	 * (String)} and {@link #securityMatchers()} (String)}.
+	 * {@link #securityMatcher(String...)}, {@link #securityMatcher(RequestMatcher)} and
+	 * {@link #securityMatchers(Customizer)}.
 	 * </p>
 	 * @param patterns the pattern to match on (i.e. "/admin/**")
 	 * @return the {@link HttpSecurity} for further customizations

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -226,7 +226,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 	 *
 	 * <p>
 	 * Typically this method is invoked automatically within the framework from
-	 * {@link WebSecurityConfiguration#springSecurityFilterChain()}
+	 * {@link WebSecurityConfiguration#springSecurityFilterChain(ObjectProvider)}
 	 * </p>
 	 * @param securityFilterChainBuilder the builder to use to create the
 	 * {@link SecurityFilterChain} instances

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -30,6 +30,7 @@ import org.springframework.context.annotation.Scope;
 import org.springframework.core.MethodParameter;
 import org.springframework.core.ResolvableType;
 import org.springframework.core.io.support.SpringFactoriesLoader;
+import org.springframework.lang.Contract;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
@@ -293,6 +294,7 @@ class HttpSecurityConfiguration {
 		}
 
 		@Override
+		@Contract("!null -> !null; null -> null")
 		public String encode(CharSequence rawPassword) {
 			return getPasswordEncoder().encode(rawPassword);
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java

@@ -39,6 +39,7 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
  * other than applying this {@link SecurityConfigurer}.
  *
  * @author Rob Winch
+ * @author DingHao
  * @since 3.2
  */
 public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
@@ -158,7 +159,7 @@ public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
 		}
 		this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		this.authenticationFilter.afterPropertiesSet();
-		http.addFilter(this.authenticationFilter);
+		http.addFilter(postProcess(this.authenticationFilter));
 	}
 
 	private String getKey() {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java

@@ -47,8 +47,8 @@ import org.springframework.util.Assert;
  * The following configuration options are available:
  *
  * <ul>
- * <li>{@link #authorizationCodeGrant()} - support for the OAuth 2.0 Authorization Code
- * Grant</li>
+ * <li>{@link #authorizationCodeGrant(Customizer)} - support for the OAuth 2.0
+ * Authorization Code Grant</li>
  * </ul>
  *
  * <p>
@@ -59,7 +59,8 @@ import org.springframework.util.Assert;
  *
  * <h2>Security Filters</h2>
  *
- * The following {@code Filter}'s are populated for {@link #authorizationCodeGrant()}:
+ * The following {@code Filter}'s are populated for
+ * {@link #authorizationCodeGrant(Customizer)}:
  *
  * <ul>
  * <li>{@link OAuth2AuthorizationRequestRedirectFilter}</li>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -521,8 +521,10 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		public OpaqueTokenConfigurer introspectionUri(String introspectionUri) {
 			Assert.notNull(introspectionUri, "introspectionUri cannot be null");
 			this.introspectionUri = introspectionUri;
-			this.introspector = () -> new SpringOpaqueTokenIntrospector(this.introspectionUri, this.clientId,
-					this.clientSecret);
+			this.introspector = () -> SpringOpaqueTokenIntrospector.withIntrospectionUri(this.introspectionUri)
+				.clientId(this.clientId)
+				.clientSecret(this.clientSecret)
+				.build();
 			return this;
 		}
 
@@ -531,8 +533,10 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			Assert.notNull(clientSecret, "clientSecret cannot be null");
 			this.clientId = clientId;
 			this.clientSecret = clientSecret;
-			this.introspector = () -> new SpringOpaqueTokenIntrospector(this.introspectionUri, this.clientId,
-					this.clientSecret);
+			this.introspector = () -> SpringOpaqueTokenIntrospector.withIntrospectionUri(this.introspectionUri)
+				.clientId(this.clientId)
+				.clientSecret(this.clientSecret)
+				.build();
 			return this;
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2MetadataConfigurer.java

@@ -21,6 +21,7 @@ import java.util.function.Function;
 import org.opensaml.core.Version;
 
 import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -42,7 +43,8 @@ import org.springframework.util.Assert;
  *
  * <p>
  * Defaults are provided for all configuration options with the only required
- * configuration being a {@link Saml2LoginConfigurer#relyingPartyRegistrationRepository}.
+ * configuration being a
+ * {@link Saml2LoginConfigurer#relyingPartyRegistrationRepository(HttpSecurityBuilder)}.
  * Alternatively, a {@link RelyingPartyRegistrationRepository} {@code @Bean} may be
  * registered instead.
  *
@@ -67,7 +69,7 @@ import org.springframework.util.Assert;
  * </ul>
  *
  * @since 6.1
- * @see HttpSecurity#saml2Metadata()
+ * @see HttpSecurity#saml2Metadata(Customizer)
  * @see Saml2MetadataFilter
  * @see RelyingPartyRegistrationRepository
  */

config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java

@@ -124,6 +124,10 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
 		List<Element> interceptMessages = DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_URL);
 		for (Element interceptMessage : interceptMessages) {
 			String accessExpression = interceptMessage.getAttribute(ATT_ACCESS);
+			if (!StringUtils.hasText(accessExpression)) {
+				parserContext.getReaderContext().error("access attribute cannot be empty or null", interceptMessage);
+				continue;
+			}
 			BeanDefinitionBuilder authorizationManager = BeanDefinitionBuilder
 				.rootBeanDefinition(WebExpressionAuthorizationManager.class);
 			authorizationManager.addPropertyReference("expressionHandler", expressionHandlerRef);

config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java

@@ -142,10 +142,11 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
 		ManagedMap<BeanMetadataElement, BeanDefinition> filterInvocationDefinitionMap = new ManagedMap<>();
 		for (Element urlElt : urlElts) {
 			String access = urlElt.getAttribute(ATT_ACCESS);
+			String path = urlElt.getAttribute(ATT_PATTERN);
 			if (!StringUtils.hasText(access)) {
+				parserContext.getReaderContext().error("access attribute cannot be empty or null", urlElt);
 				continue;
 			}
-			String path = urlElt.getAttribute(ATT_PATTERN);
 			String matcherRef = urlElt.getAttribute(HttpSecurityBeanDefinitionParser.ATT_REQUEST_MATCHER_REF);
 			boolean hasMatcherRef = StringUtils.hasText(matcherRef);
 			if (!hasMatcherRef && !StringUtils.hasText(path)) {

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -2162,7 +2162,7 @@ public class ServerHttpSecurity {
 	 *
 	 * @author Evgeniy Cheban
 	 * @since 5.6
-	 * @see #passwordManagement()
+	 * @see #passwordManagement(Customizer)
 	 */
 	public final class PasswordManagementSpec {
 
@@ -2663,7 +2663,7 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures cache control headers
 		 *
-		 * @see #cache()
+		 * @see HeaderSpec#cache(Customizer)
 		 */
 		public final class CacheSpec {
 
@@ -2684,7 +2684,7 @@ public class ServerHttpSecurity {
 		/**
 		 * The content type headers
 		 *
-		 * @see #contentTypeOptions()
+		 * @see HeaderSpec#contentTypeOptions(Customizer)
 		 */
 		public final class ContentTypeOptionsSpec {
 
@@ -2705,7 +2705,7 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures frame options response header
 		 *
-		 * @see #frameOptions()
+		 * @see HeaderSpec#frameOptions(Customizer)
 		 */
 		public final class FrameOptionsSpec {
 
@@ -2737,7 +2737,7 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures Strict Transport Security response header
 		 *
-		 * @see #hsts()
+		 * @see HeaderSpec#hsts(Customizer)
 		 */
 		public final class HstsSpec {
 
@@ -2796,7 +2796,7 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures x-xss-protection response header
 		 *
-		 * @see #xssProtection()
+		 * @see HeaderSpec#xssProtection(Customizer)
 		 */
 		public final class XssProtectionSpec {
 
@@ -2830,7 +2830,7 @@ public class ServerHttpSecurity {
 		 * Configures {@code Content-Security-Policy} response header.
 		 *
 		 * @since 5.1
-		 * @see #contentSecurityPolicy(String)
+		 * @see HeaderSpec#contentSecurityPolicy(Customizer)
 		 */
 		public final class ContentSecurityPolicySpec {
 
@@ -2884,8 +2884,7 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
-			 * @deprecated For removal in 7.0. Use {@link #featurePolicy(Customizer)}
-			 * instead
+			 * @deprecated For removal in 7.0. Use {@link #featurePolicy(String)} instead
 			 */
 			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
@@ -2898,7 +2897,7 @@ public class ServerHttpSecurity {
 		 * Configures {@code Permissions-Policy} response header.
 		 *
 		 * @since 5.5
-		 * @see #permissionsPolicy()
+		 * @see HeaderSpec#permissionsPolicy(Customizer)
 		 */
 		public final class PermissionsPolicySpec {
 
@@ -2921,8 +2920,7 @@ public class ServerHttpSecurity {
 		 * Configures {@code Referrer-Policy} response header.
 		 *
 		 * @since 5.1
-		 * @see #referrerPolicy()
-		 * @see #referrerPolicy(ReferrerPolicy)
+		 * @see HeaderSpec#referrerPolicy(Customizer)
 		 */
 		public final class ReferrerPolicySpec {
 

config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -23,9 +23,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.function.Supplier;
 
-import org.jspecify.annotations.Nullable;
 import org.w3c.dom.Element;
 
 import org.springframework.beans.BeansException;
@@ -44,25 +42,18 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.beans.factory.xml.XmlReaderContext;
-import org.springframework.expression.EvaluationContext;
-import org.springframework.expression.Expression;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.simp.SimpMessageType;
 import org.springframework.messaging.simp.annotation.support.SimpAnnotationMethodMessageHandler;
-import org.springframework.security.access.expression.ExpressionUtils;
-import org.springframework.security.access.expression.SecurityExpressionHandler;
 import org.springframework.security.access.vote.ConsensusBased;
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.Elements;
 import org.springframework.security.config.http.MessageMatcherFactoryBean;
 import org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean;
-import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.messaging.access.expression.ExpressionBasedMessageSecurityMetadataSourceFactory;
-import org.springframework.security.messaging.access.expression.MessageAuthorizationContextSecurityExpressionHandler;
+import org.springframework.security.messaging.access.expression.MessageExpressionAuthorizationManager;
 import org.springframework.security.messaging.access.expression.MessageExpressionVoter;
 import org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor;
 import org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor;
@@ -75,7 +66,6 @@ import org.springframework.security.messaging.util.matcher.SimpMessageTypeMatche
 import org.springframework.security.messaging.web.csrf.XorCsrfChannelInterceptor;
 import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
 import org.springframework.util.AntPathMatcher;
-import org.springframework.util.Assert;
 import org.springframework.util.PathMatcher;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
@@ -219,9 +209,15 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 			String messageType = interceptMessage.getAttribute(TYPE_ATTR);
 			BeanDefinition matcher = createMatcher(matcherPattern, messageType, parserContext, interceptMessage);
 			BeanDefinitionBuilder authorizationManager = BeanDefinitionBuilder
-				.rootBeanDefinition(ExpressionBasedAuthorizationManager.class);
+				.rootBeanDefinition(MessageExpressionAuthorizationManager.class);
 			if (StringUtils.hasText(expressionHandlerRef)) {
-				authorizationManager.addConstructorArgReference(expressionHandlerRef);
+				BeanDefinitionBuilder authorizationManagerBuilder = BeanDefinitionBuilder
+					.rootBeanDefinition(MessageExpressionAuthorizationManager.class);
+				authorizationManagerBuilder.setFactoryMethod("withSecurityExpressionHandler");
+				authorizationManagerBuilder.addConstructorArgReference(expressionHandlerRef);
+				String authorizationManagerBuilderRef = context
+					.registerWithGeneratedName(authorizationManagerBuilder.getBeanDefinition());
+				authorizationManager.setFactoryMethodOnBean("expression", authorizationManagerBuilderRef);
 			}
 			authorizationManager.addConstructorArgValue(accessExpression);
 			matcherToExpression.put(matcher, authorizationManager.getBeanDefinition());
@@ -439,35 +435,6 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 
 	}
 
-	private static final class ExpressionBasedAuthorizationManager
-			implements AuthorizationManager<MessageAuthorizationContext<?>> {
-
-		private final SecurityExpressionHandler<MessageAuthorizationContext<?>> expressionHandler;
-
-		private final Expression expression;
-
-		private ExpressionBasedAuthorizationManager(String expression) {
-			this(new MessageAuthorizationContextSecurityExpressionHandler(), expression);
-		}
-
-		private ExpressionBasedAuthorizationManager(
-				SecurityExpressionHandler<MessageAuthorizationContext<?>> expressionHandler, String expression) {
-			Assert.notNull(expressionHandler, "expressionHandler cannot be null");
-			Assert.notNull(expression, "expression cannot be null");
-			this.expressionHandler = expressionHandler;
-			this.expression = this.expressionHandler.getExpressionParser().parseExpression(expression);
-		}
-
-		@Override
-		public AuthorizationResult authorize(Supplier<? extends @Nullable Authentication> authentication,
-				MessageAuthorizationContext<?> object) {
-			EvaluationContext context = this.expressionHandler.createEvaluationContext(authentication, object);
-			boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, context);
-			return new AuthorizationDecision(granted);
-		}
-
-	}
-
 	private static class MessageMatcherDelegatingAuthorizationManagerFactory {
 
 		private static AuthorizationManager<Message<?>> createMessageMatcherDelegatingAuthorizationManager(

config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt

@@ -286,7 +286,7 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
         if (factoryOfRequestAuthorizationContext != null) {
             return factoryOfRequestAuthorizationContext
         }
-        val factoryOfObjectType = ResolvableType.forClassWithGenerics(AuthorizationManagerFactory::class.java, Object::class.java)
+        val factoryOfObjectType = ResolvableType.forClassWithGenerics(AuthorizationManagerFactory::class.java, Any::class.java)
         val factoryOfAny = context.getBeanProvider<AuthorizationManagerFactory<Any>>(factoryOfObjectType).getIfUnique()
         if (factoryOfAny != null) {
             return factoryOfAny
@@ -303,20 +303,20 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
         return defaultFactory
     }
 
-    private fun resolveRolePrefix(context: ApplicationContext): String {
+    private fun resolveRolePrefix(context: ApplicationContext): String? {
         val beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults::class.java)
         if (beanNames.isNotEmpty()) {
             return context.getBean(GrantedAuthorityDefaults::class.java).rolePrefix
         }
-        return "ROLE_";
+        return null
     }
 
-    private fun resolveRoleHierarchy(context: ApplicationContext): RoleHierarchy {
+    private fun resolveRoleHierarchy(context: ApplicationContext): RoleHierarchy? {
         val beanNames = context.getBeanNamesForType(RoleHierarchy::class.java)
         if (beanNames.isNotEmpty()) {
             return context.getBean(RoleHierarchy::class.java)
         }
-        return NullRoleHierarchy()
+        return null
     }
 
 }

config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt

@@ -37,9 +37,11 @@ class HeadersDsl {
     private var cacheControl: ((HeadersConfigurer<HttpSecurity>.CacheControlConfig) -> Unit)? = null
     private var hsts: ((HeadersConfigurer<HttpSecurity>.HstsConfig) -> Unit)? = null
     private var frameOptions: ((HeadersConfigurer<HttpSecurity>.FrameOptionsConfig) -> Unit)? = null
+    @Suppress("DEPRECATION")
     private var hpkp: ((HeadersConfigurer<HttpSecurity>.HpkpConfig) -> Unit)? = null
     private var contentSecurityPolicy: ((HeadersConfigurer<HttpSecurity>.ContentSecurityPolicyConfig) -> Unit)? = null
     private var referrerPolicy: ((HeadersConfigurer<HttpSecurity>.ReferrerPolicyConfig) -> Unit)? = null
+    @Suppress("DEPRECATION")
     private var featurePolicyDirectives: String? = null
     private var permissionsPolicy: ((HeadersConfigurer<HttpSecurity>.PermissionsPolicyConfig) -> Unit)? = null
     private var crossOriginOpenerPolicy: ((HeadersConfigurer<HttpSecurity>.CrossOriginOpenerPolicyConfig) -> Unit)? = null
@@ -120,6 +122,7 @@ class HeadersDsl {
      * @deprecated see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
      */
     @Deprecated(message = "as of 5.8 with no replacement")
+    @Suppress("DEPRECATION")
     fun httpPublicKeyPinning(hpkpConfig: HttpPublicKeyPinningDsl.() -> Unit) {
         this.hpkp = HttpPublicKeyPinningDsl().apply(hpkpConfig).get()
     }
@@ -167,6 +170,7 @@ class HeadersDsl {
      * @param policyDirectives policyDirectives the security policy directive(s)
      */
     @Deprecated("Use 'permissionsPolicy { }' instead.")
+    @Suppress("DEPRECATION")
     fun featurePolicy(policyDirectives: String) {
         this.featurePolicyDirectives = policyDirectives
     }

config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt

@@ -614,6 +614,7 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
      * @see [RequiresChannelDsl]
      * @deprecated please use [redirectToHttps] instead
      */
+    @Suppress("DEPRECATION")
     @Deprecated(message="since 6.5 use redirectToHttps instead")
     fun requiresChannel(requiresChannelConfiguration: RequiresChannelDsl.() -> Unit) {
         val requiresChannelCustomizer = RequiresChannelDsl().apply(requiresChannelConfiguration).get()

config/src/main/kotlin/org/springframework/security/config/annotation/web/RequiresChannelDsl.kt

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+@file:Suppress("DEPRECATION")
+
 package org.springframework.security.config.annotation.web
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity

config/src/main/kotlin/org/springframework/security/config/annotation/web/X509Dsl.kt

@@ -62,6 +62,7 @@ class X509Dsl {
             authenticationDetailsSource?.also { x509.authenticationDetailsSource(authenticationDetailsSource) }
             userDetailsService?.also { x509.userDetailsService(userDetailsService) }
             authenticationUserDetailsService?.also { x509.authenticationUserDetailsService(authenticationUserDetailsService) }
+            @Suppress("DEPRECATION")
             subjectPrincipalRegex?.also { x509.subjectPrincipalRegex(subjectPrincipalRegex) }
         }
     }

config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+@file:Suppress("DEPRECATION")
+
 package org.springframework.security.config.annotation.web.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity

config/src/main/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDsl.kt

@@ -68,12 +68,11 @@ class SessionFixationDsl {
     internal fun get(): (SessionManagementConfigurer<HttpSecurity>.SessionFixationConfigurer) -> Unit {
         return { sessionFixation ->
             strategy?.also {
-                when (strategy) {
+                when (it) {
                     SessionFixationStrategy.NEW -> sessionFixation.newSession()
                     SessionFixationStrategy.MIGRATE -> sessionFixation.migrateSession()
                     SessionFixationStrategy.CHANGE_ID -> sessionFixation.changeSessionId()
                     SessionFixationStrategy.NONE -> sessionFixation.none()
-                    null -> null
                 }
             }
         }

config/src/main/resources/META-INF/spring.schemas

@@ -14,6 +14,8 @@
 # limitations under the License.
 #
 
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-7.1.xsd
+http\://www.springframework.org/schema/security/spring-security-7.0.xsd=org/springframework/security/config/spring-security-7.1.xsd
 http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-7.0.xsd
 http\://www.springframework.org/schema/security/spring-security-7.0.xsd=org/springframework/security/config/spring-security-7.0.xsd
 http\://www.springframework.org/schema/security/spring-security-6.5.xsd=org/springframework/security/config/spring-security-6.5.xsd
@@ -42,7 +44,8 @@ http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/spri
 http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
-https\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-7.0.xsd
+https\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-7.1.xsd
+https\://www.springframework.org/schema/security/spring-security-7.1.xsd=org/springframework/security/config/spring-security-7.1.xsd
 https\://www.springframework.org/schema/security/spring-security-7.0.xsd=org/springframework/security/config/spring-security-7.0.xsd
 https\://www.springframework.org/schema/security/spring-security-6.5.xsd=org/springframework/security/config/spring-security-6.5.xsd
 https\://www.springframework.org/schema/security/spring-security-6.4.xsd=org/springframework/security/config/spring-security-6.4.xsd

config/src/main/resources/org/springframework/security/config/spring-security-7.0.rnc

@@ -12,8 +12,8 @@ base64 =
 	## Whether a string should be base64 encoded
 	attribute base64 {xsd:boolean}
 request-matcher =
-	## Defines the strategy use for matching incoming requests. Currently the options are 'mvc' (for Spring MVC matcher), 'ant' (for ant path patterns), 'regex' for regular expressions and 'ciRegex' for case-insensitive regular expressions.
-	attribute request-matcher {"mvc" | "ant" | "regex" | "ciRegex"}
+	## Defines the strategy use for matching incoming requests. Currently the options are 'path' (for PathPatternRequestMatcher), 'regex' for regular expressions and 'ciRegex' for case-insensitive regular expressions.
+	attribute request-matcher {"path" | "regex" | "ciRegex"}
 port =
 	## Specifies an IP port number. Used to configure an embedded LDAP server, for example.
 	attribute port { xsd:nonNegativeInteger }

config/src/main/resources/org/springframework/security/config/spring-security-7.0.xsd

@@ -27,15 +27,14 @@
   <xs:attributeGroup name="request-matcher">
       <xs:attribute name="request-matcher" use="required">
          <xs:annotation>
-            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'mvc'
-                (for Spring MVC matcher), 'ant' (for ant path patterns), 'regex' for regular expressions
-                and 'ciRegex' for case-insensitive regular expressions.
+            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'path'
+                (for PathPatternRequestMatcher), 'regex' for regular expressions and 'ciRegex' for
+                case-insensitive regular expressions.
                 </xs:documentation>
          </xs:annotation>
          <xs:simpleType>
             <xs:restriction base="xs:token">
-               <xs:enumeration value="mvc"/>
-               <xs:enumeration value="ant"/>
+               <xs:enumeration value="path"/>
                <xs:enumeration value="regex"/>
                <xs:enumeration value="ciRegex"/>
             </xs:restriction>
@@ -1306,15 +1305,14 @@
       </xs:attribute>
       <xs:attribute name="request-matcher">
          <xs:annotation>
-            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'mvc'
-                (for Spring MVC matcher), 'ant' (for ant path patterns), 'regex' for regular expressions
-                and 'ciRegex' for case-insensitive regular expressions.
+            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'path'
+                (for PathPatternRequestMatcher), 'regex' for regular expressions and 'ciRegex' for
+                case-insensitive regular expressions.
                 </xs:documentation>
          </xs:annotation>
          <xs:simpleType>
             <xs:restriction base="xs:token">
-               <xs:enumeration value="mvc"/>
-               <xs:enumeration value="ant"/>
+               <xs:enumeration value="path"/>
                <xs:enumeration value="regex"/>
                <xs:enumeration value="ciRegex"/>
             </xs:restriction>
@@ -2474,15 +2472,14 @@
   <xs:attributeGroup name="filter-chain-map.attlist">
       <xs:attribute name="request-matcher">
          <xs:annotation>
-            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'mvc'
-                (for Spring MVC matcher), 'ant' (for ant path patterns), 'regex' for regular expressions
-                and 'ciRegex' for case-insensitive regular expressions.
+            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'path'
+                (for PathPatternRequestMatcher), 'regex' for regular expressions and 'ciRegex' for
+                case-insensitive regular expressions.
                 </xs:documentation>
          </xs:annotation>
          <xs:simpleType>
             <xs:restriction base="xs:token">
-               <xs:enumeration value="mvc"/>
-               <xs:enumeration value="ant"/>
+               <xs:enumeration value="path"/>
                <xs:enumeration value="regex"/>
                <xs:enumeration value="ciRegex"/>
             </xs:restriction>
@@ -2580,15 +2577,14 @@
       </xs:attribute>
       <xs:attribute name="request-matcher">
          <xs:annotation>
-            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'mvc'
-                (for Spring MVC matcher), 'ant' (for ant path patterns), 'regex' for regular expressions
-                and 'ciRegex' for case-insensitive regular expressions.
+            <xs:documentation>Defines the strategy use for matching incoming requests. Currently the options are 'path'
+                (for PathPatternRequestMatcher), 'regex' for regular expressions and 'ciRegex' for
+                case-insensitive regular expressions.
                 </xs:documentation>
          </xs:annotation>
          <xs:simpleType>
             <xs:restriction base="xs:token">
-               <xs:enumeration value="mvc"/>
-               <xs:enumeration value="ant"/>
+               <xs:enumeration value="path"/>
                <xs:enumeration value="regex"/>
                <xs:enumeration value="ciRegex"/>
             </xs:restriction>

config/src/test/java/org/springframework/security/SerializationSamples.java

@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.io.Serializable;
 import java.lang.reflect.Field;
 import java.security.Principal;
+import java.time.Duration;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.Date;
@@ -245,12 +246,15 @@ import org.springframework.security.web.savedrequest.SimpleSavedRequest;
 import org.springframework.security.web.server.firewall.ServerExchangeRejectedException;
 import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.session.HttpSessionIdChangedEvent;
+import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria;
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
 import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
 import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
 import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
@@ -258,12 +262,17 @@ import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExte
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
+import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
 import org.springframework.security.web.webauthn.api.TestAuthenticationAssertionResponses;
 import org.springframework.security.web.webauthn.api.TestBytes;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialRequestOptions;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialUserEntities;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentials;
@@ -271,6 +280,7 @@ import org.springframework.security.web.webauthn.api.UserVerificationRequirement
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken;
 import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest;
+import org.springframework.security.web.webauthn.management.TestPublicKeyCredentialRpEntities;
 import org.springframework.util.ReflectionUtils;
 
 final class SerializationSamples {
@@ -284,6 +294,14 @@ final class SerializationSamples {
 		Authentication authentication = TestAuthentication.authenticated(user);
 		SecurityContext securityContext = new SecurityContextImpl(authentication);
 
+		instancioByClassName.put(OneTimeTokenAuthenticationToken.class, () -> {
+			@SuppressWarnings("removal")
+			InstancioOfClassApi<?> instancio = Instancio.of(OneTimeTokenAuthenticationToken.class);
+			instancio.supply(Select.all(OneTimeTokenAuthenticationToken.class),
+					(r) -> applyDetails(new OneTimeTokenAuthenticationToken("token")));
+			return instancio;
+		});
+
 		// oauth2-core
 		generatorByClassName.put(DefaultOAuth2User.class, (r) -> TestOAuth2Users.create());
 		generatorByClassName.put(OAuth2AuthorizationRequest.class,
@@ -597,8 +615,7 @@ final class SerializationSamples {
 			token.setDetails(details);
 			return token;
 		});
-		generatorByClassName.put(OneTimeTokenAuthenticationToken.class,
-				(r) -> applyDetails(new OneTimeTokenAuthenticationToken("username", "token")));
+
 		generatorByClassName.put(OneTimeTokenAuthentication.class,
 				(r) -> applyDetails(new OneTimeTokenAuthentication("username", authentication.getAuthorities())));
 		generatorByClassName.put(AccessDeniedException.class,
@@ -879,6 +896,36 @@ final class SerializationSamples {
 		generatorByClassName.put(CredentialPropertiesOutput.ExtensionOutput.class,
 				(r) -> new CredentialPropertiesOutput(true).getOutput());
 
+		AttestationConveyancePreference attestationConveyancePreference = AttestationConveyancePreference.DIRECT;
+		ResidentKeyRequirement residentKeyRequirement = ResidentKeyRequirement.REQUIRED;
+		AuthenticatorSelectionCriteria authenticatorSelectionCriteria = AuthenticatorSelectionCriteria.builder()
+			.authenticatorAttachment(AuthenticatorAttachment.PLATFORM)
+			.residentKey(residentKeyRequirement)
+			.userVerification(UserVerificationRequirement.REQUIRED)
+			.build();
+		PublicKeyCredentialParameters publicKeyCredentialParameters = PublicKeyCredentialParameters.RS256;
+		PublicKeyCredentialRpEntity publicKeyCredentialRpEntity = TestPublicKeyCredentialRpEntities.createRpEntity()
+			.build();
+
+		generatorByClassName.put(AttestationConveyancePreference.class, (r) -> attestationConveyancePreference);
+		generatorByClassName.put(ResidentKeyRequirement.class, (r) -> residentKeyRequirement);
+		generatorByClassName.put(AuthenticatorSelectionCriteria.class, (r) -> authenticatorSelectionCriteria);
+		generatorByClassName.put(COSEAlgorithmIdentifier.class, ((r) -> COSEAlgorithmIdentifier.RS256));
+		generatorByClassName.put(PublicKeyCredentialParameters.class, (r) -> publicKeyCredentialParameters);
+		generatorByClassName.put(PublicKeyCredentialRpEntity.class, (r) -> publicKeyCredentialRpEntity);
+		generatorByClassName.put(PublicKeyCredentialCreationOptions.class,
+				(o) -> TestPublicKeyCredentialCreationOptions.createPublicKeyCredentialCreationOptions()
+					.extensions(inputs)
+					.attestation(attestationConveyancePreference)
+					.authenticatorSelection(authenticatorSelectionCriteria)
+					.challenge(TestBytes.get())
+					.excludeCredentials(List.of(descriptor))
+					.rp(publicKeyCredentialRpEntity)
+					.pubKeyCredParams(publicKeyCredentialParameters)
+					.timeout(Duration.ofMinutes(5))
+					.user(TestPublicKeyCredentialUserEntities.userEntity().id(TestBytes.get()).build())
+					.build());
+
 		// One-Time Token
 		DefaultOneTimeToken oneTimeToken = new DefaultOneTimeToken(UUID.randomUUID().toString(), "user",
 				Instant.now().plusSeconds(300));

config/src/test/java/org/springframework/security/config/SecurityNamespaceHandlerTests.java

@@ -114,7 +114,7 @@ public class SecurityNamespaceHandlerTests {
 					"<user-service id='us'><user name='bob' password='bobspassword' authorities='ROLE_A' /></user-service>",
 					"3.0.3", null))
 			.withMessageContaining(
-					"You cannot use any XSD older than spring-security-7.0.xsd. Either change to spring-security.xsd or spring-security-7.0.xsd");
+					"You cannot use any XSD older than spring-security-7.1.xsd. Either change to spring-security.xsd or spring-security-7.1.xsd");
 	}
 
 	// SEC-1868

config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java

@@ -222,7 +222,8 @@ public class WebSecurityConfigurationTests {
 	// SEC-2773
 	@Test
 	public void getMethodDelegatingApplicationListenerWhenWebSecurityConfigurationThenIsStatic() {
-		Method method = ClassUtils.getMethod(WebSecurityConfiguration.class, "delegatingApplicationListener", null);
+		Method method = ClassUtils.getMethod(WebSecurityConfiguration.class, "delegatingApplicationListener",
+				(Class<?>[]) null);
 		assertThat(Modifier.isStatic(method.getModifiers())).isTrue();
 	}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -23,6 +24,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -34,11 +37,14 @@ import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.config.annotation.SecurityContextChangedListenerArgumentMatchers.setAuthentication;
@@ -101,6 +107,45 @@ public class AnonymousConfigurerTests {
 		this.mockMvc.perform(get("/")).andExpect(status().isOk()).andExpect(content().string("myAnonymousUser"));
 	}
 
+	@Test
+	public void anonymousAuthenticationWhenUsingAuthenticationDetailsSourceRefThenMatchesNamespace() throws Exception {
+		this.spring.register(AuthenticationDetailsSourceAnonymousConfig.class).autowire();
+		AuthenticationDetailsSource<HttpServletRequest, ?> source = this.spring.getContext()
+			.getBean(AuthenticationDetailsSource.class);
+		this.mockMvc.perform(get("/"));
+		verify(source).buildDetails(any(HttpServletRequest.class));
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	@EnableWebMvc
+	static class AuthenticationDetailsSourceAnonymousConfig {
+
+		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = mock(
+				AuthenticationDetailsSource.class);
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			return http.anonymous((anonymous) -> anonymous
+				.withObjectPostProcessor(new ObjectPostProcessor<AnonymousAuthenticationFilter>() {
+
+					@Override
+					public <O extends AnonymousAuthenticationFilter> O postProcess(O object) {
+						object.setAuthenticationDetailsSource(
+								AuthenticationDetailsSourceAnonymousConfig.this.authenticationDetailsSource);
+						return object;
+					}
+
+				})).build();
+		}
+
+		@Bean
+		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource() {
+			return this.authenticationDetailsSource;
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc

config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java

@@ -1201,6 +1201,7 @@ public class HeadersConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@SuppressWarnings("removal")
 	static class PermissionsPolicyConfig {
 
 		@Bean
@@ -1221,6 +1222,7 @@ public class HeadersConfigurerTests {
 	static class PermissionsPolicyStringConfig {
 
 		@Bean
+		@SuppressWarnings("removal")
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
@@ -1235,6 +1237,7 @@ public class HeadersConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@SuppressWarnings("removal")
 	static class PermissionsPolicyInvalidConfig {
 
 		@Bean
@@ -1252,6 +1255,7 @@ public class HeadersConfigurerTests {
 
 	@Configuration
 	@EnableWebSecurity
+	@SuppressWarnings("removal")
 	static class PermissionsPolicyInvalidStringConfig {
 
 		@Bean

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java

@@ -1257,6 +1257,7 @@ public class OAuth2AuthorizationCodeGrantTests {
 		}
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(
 					jdbcOperations);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java

@@ -561,6 +561,7 @@ public class OAuth2ClientCredentialsGrantTests {
 		}
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(
 					jdbcOperations);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientRegistrationTests.java

@@ -647,6 +647,7 @@ public class OAuth2ClientRegistrationTests {
 		// @formatter:on
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 			RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java

@@ -469,6 +469,7 @@ public class OAuth2RefreshTokenGrantTests {
 		}
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(
 					jdbcOperations);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java

@@ -515,6 +515,7 @@ public class OAuth2TokenIntrospectionTests {
 		}
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(
 					jdbcOperations);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java

@@ -318,6 +318,7 @@ public class OAuth2TokenRevocationTests {
 		}
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(
 					jdbcOperations);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcClientRegistrationTests.java

@@ -778,6 +778,7 @@ public class OidcClientRegistrationTests {
 		// @formatter:on
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 			RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java

@@ -633,6 +633,7 @@ public class OidcTests {
 		}
 
 		@Bean
+		@SuppressWarnings("removal")
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(
 					jdbcOperations);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurerTests.java

@@ -409,7 +409,9 @@ public class Saml2LogoutConfigurerTests {
 		logoutRequest.setIssueInstant(Instant.now());
 		given(getBean(Saml2LogoutRequestValidator.class).validate(any()))
 			.willReturn(Saml2LogoutValidatorResult.success());
-		Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).build();
+		Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration)
+			.samlResponse("samlResponse")
+			.build();
 		given(getBean(Saml2LogoutResponseResolver.class).resolve(any(), any())).willReturn(logoutResponse);
 		this.mvc.perform(post("/logout/saml2/slo").param("SAMLRequest", "samlRequest").with(authentication(this.user)))
 			.andReturn();

config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java

@@ -65,7 +65,7 @@ public class XsdDocumentedTests {
 
 	String schema31xDocumentLocation = "org/springframework/security/config/spring-security-3.1.xsd";
 
-	String schemaDocumentLocation = "org/springframework/security/config/spring-security-7.0.xsd";
+	String schemaDocumentLocation = "org/springframework/security/config/spring-security-7.1.xsd";
 
 	XmlSupport xml = new XmlSupport();
 
@@ -151,8 +151,8 @@ public class XsdDocumentedTests {
 				.list((dir, name) -> name.endsWith(".xsd"));
 		// @formatter:on
 		assertThat(schemas.length)
-			.withFailMessage("the count is equal to 28, if not then schemaDocument needs updating")
-			.isEqualTo(28);
+			.withFailMessage("the count is equal to 29, if not then schemaDocument needs updating")
+			.isEqualTo(29);
 	}
 
 	/**

config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java

@@ -337,6 +337,54 @@ public class InterceptUrlConfigTests {
 		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
 	}
 
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenInterceptUrlMissingAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+			.isThrownBy(() -> this.spring.configLocations(this.xml("MissingAccess")).autowire())
+			.withMessageContaining("access attribute cannot be empty or null");
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenInterceptUrlEmptyAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+			.isThrownBy(() -> this.spring.configLocations(this.xml("EmptyAccess")).autowire())
+			.withMessageContaining("access attribute cannot be empty or null");
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenInterceptUrlValidAccessThenLoads() {
+		assertThatNoException().isThrownBy(() -> this.spring.configLocations(this.xml("ValidAccess")).autowire());
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenUseAuthorizationManagerFalseAndMissingAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+			.isThrownBy(() -> this.spring.configLocations(this.xml("MissingAccessLegacy")).autowire())
+			.withMessageContaining("access attribute cannot be empty or null");
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenUseAuthorizationManagerFalseAndEmptyAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+			.isThrownBy(() -> this.spring.configLocations(this.xml("EmptyAccessLegacy")).autowire())
+			.withMessageContaining("access attribute cannot be empty or null");
+	}
+
 	private static RequestPostProcessor adminCredentials() {
 		return httpBasic("admin", "password");
 	}

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -19,7 +19,6 @@ package org.springframework.security.config.http;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
-import java.security.AccessController;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -989,7 +988,7 @@ public class MiscHttpConfigTests {
 
 		@GetMapping("/username")
 		String username() {
-			Subject subject = Subject.getSubject(AccessController.getContext());
+			Subject subject = Subject.current();
 			return subject.getPrincipals().iterator().next().getName();
 		}
 

config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java

@@ -306,7 +306,9 @@ public class Saml2LogoutBeanDefinitionParserTests {
 		logoutRequest.setIssueInstant(Instant.now());
 		given(getBean(Saml2LogoutRequestValidator.class).validate(any()))
 			.willReturn(Saml2LogoutValidatorResult.success());
-		Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).build();
+		Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration)
+			.samlResponse("samlResponse")
+			.build();
 		given(getBean(Saml2LogoutResponseResolver.class).resolve(any(), any())).willReturn(logoutResponse);
 		this.mvc
 			.perform(post("/logout/saml2/slo").param("SAMLRequest", "samlRequest").with(authentication(this.saml2User)))

config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java

@@ -278,7 +278,7 @@ public class LogoutSpecTests {
 
 	private static class InMemorySecurityContextRepository implements ServerSecurityContextRepository {
 
-		@Nullable private SecurityContext savedContext;
+		private @Nullable SecurityContext savedContext;
 
 		@Override
 		public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
@@ -291,7 +291,7 @@ public class LogoutSpecTests {
 			return Mono.justOrEmpty(this.savedContext);
 		}
 
-		@Nullable private SecurityContext getSavedContext() {
+		private @Nullable SecurityContext getSavedContext() {
 			return this.savedContext;
 		}