Polish oauth2-client tests with missing Content-Type header

Merge Add CredentialRecordOwnerAuthorizationManager

.github/dependabot.yml

@@ -1,12 +1,10 @@
 version: 2
 registries:
-  spring-milestones:
-    type: maven-repository
-    url: https://repo.spring.io/milestone
   shibboleth:
     type: maven-repository
     url: https://build.shibboleth.net/maven/releases
 updates:
+  # 6.5.x
   - package-ecosystem: gradle
     target-branch: 6.5.x
     directory: /
@@ -17,7 +15,6 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
       - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
@@ -34,8 +31,28 @@ updates:
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: npm
+    target-branch: 6.5.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: 6.5.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # 7.0.x
   - package-ecosystem: gradle
-    target-branch: 6.4.x
+    target-branch: 7.0.x
     directory: /
     schedule:
       interval: daily
@@ -44,10 +61,10 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
       - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: io.spring.nullability:*
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
       - dependency-name: org.apache.directory.shared:*
@@ -57,11 +74,34 @@ updates:
       - dependency-name: org.mockito:mockito-bom
         update-types:
           - version-update:semver-major
+      - dependency-name: com.gradle.enterprise
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
+  - package-ecosystem: npm
+    target-branch: 7.0.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: 7.0.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
 
+  # main
   - package-ecosystem: gradle
     target-branch: main
     directory: /
@@ -72,7 +112,6 @@ updates:
     labels:
       - 'type: dependency-upgrade'
     registries:
-      - spring-milestones
       - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
@@ -92,17 +131,6 @@ updates:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
-          - version-update:semver-minor
-
-  - package-ecosystem: npm
-    target-branch: docs-build
-    directory: /
-    schedule:
-      interval: weekly
-    labels:
-      - 'type: task'
-      - 'in: build'
-
   - package-ecosystem: npm
     target-branch: main
     directory: /docs
@@ -110,4 +138,63 @@ updates:
       interval: weekly
     labels:
       - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: main
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+
+  # docs-build
+  - package-ecosystem: gradle
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - shibboleth
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: com.gradle.enterprise
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+  - package-ecosystem: npm
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
+      - 'in: build'
+  - package-ecosystem: github-actions
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'type: dependency-upgrade'
       - 'in: build'

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,17 @@
+name: Merge Dependabot PR
+
+on:
+  pull_request:
+    branches:
+      - main
+      - '*.x'
+      - 'docs-build'
+
+run-name: Merge Dependabot PR ${{ github.ref_name }}
+
+jobs:
+  merge-dependabot-pr:
+    permissions: write-all
+    uses: spring-io/spring-github-workflows/.github/workflows/spring-merge-dependabot-pr.yml@v7
+    with:
+      mergeArguments: --auto --rebase

.github/workflows/check-snapshots.yml

@@ -14,14 +14,12 @@ permissions:
 jobs:
   snapshot-test:
     name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
     strategy:
       matrix:
         include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
+          - java-version: 25
+            toolchain: 25
     with:
       java-version: ${{ matrix.java-version }}
       test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
@@ -33,6 +31,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
         with:
           webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       matrix:
         os: [ ubuntu-latest, windows-latest ]
-        jdk: [ 17 ]
+        jdk: [ 25 ]
     with:
       runs-on: ${{ matrix.os }}
       java-version: ${{ matrix.jdk }}
@@ -34,6 +34,7 @@ jobs:
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
       default-publish-milestones-central: true
+      java-version: 25
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
@@ -41,6 +42,7 @@ jobs:
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
+      java-version: 25
     secrets: inherit
   perform-release:
     name: Perform Release
@@ -53,6 +55,7 @@ jobs:
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing
+      java-version: 25
     secrets: inherit
   send-notification:
     name: Send Notification

.github/workflows/finalize-release.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   perform-release:
     name: Perform Release
-    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
+    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
     with:
       should-perform-release: true
       project-version: ${{ inputs.version }}

.github/workflows/gradle-wrapper-upgrade-execution.yml

@@ -9,6 +9,7 @@ permissions:
 jobs:
   upgrade_wrapper:
     name: Execution
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
     runs-on: ubuntu-latest
     steps:
       - name: Set up Git configuration
@@ -20,10 +21,10 @@ jobs:
           git config --global user.email 'github-actions[bot]@users.noreply.github.com'
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up JDK 17
+      - name: Set up JDK 25
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Set up Gradle
         uses: gradle/setup-gradle@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1

.github/workflows/milestone-spring-releasetrain.yml

@@ -30,6 +30,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
         with:
           webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/pr-build-workflow.yml

@@ -13,9 +13,9 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
+        uses: spring-io/spring-gradle-build-action@c8668747d7c264864c8c7f7026d0d277d14a78dc # v2.0.6
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Build with Gradle
         run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue --scan
@@ -26,9 +26,9 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
+        uses: spring-io/spring-gradle-build-action@c8668747d7c264864c8c7f7026d0d277d14a78dc # v2.0.6
         with:
-          java-version: '17'
+          java-version: '25'
           distribution: 'temurin'
       - name: Run Antora
         run: ./gradlew -PbuildSrc.skipTests=true :spring-security-docs:antora
@@ -46,6 +46,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
         with:
           webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.5.x, 6.4.x, 6.3.x ]
+        branch: [ main, 7.0.x, 6.5.x, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

.github/workflows/update-antora-ui-spring.yml

@@ -12,11 +12,12 @@ permissions:
 
 jobs:
   update-antora-ui-spring:
-    runs-on: ubuntu-latest
     name: Update on Supported Branches
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
+    runs-on: ubuntu-latest
     strategy:
       matrix:
-        branch: [ '6.4.x', '6.5.x', 'main' ]
+        branch: [ '6.5.x', '7.0.x', 'main' ]
     steps:
       - uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
         name: Update
@@ -25,8 +26,9 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           antora-file-path: 'docs/antora-playbook.yml'
   update-antora-ui-spring-docs-build:
-    runs-on: ubuntu-latest
     name: Update on docs-build
+    if: ${{ github.repository == 'spring-projects/spring-security' }}
+    runs-on: ubuntu-latest
     steps:
       - uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
         name: Update

.github/workflows/update-scheduled-release-version.yml

@@ -9,7 +9,7 @@ permissions:
 jobs:
   update-scheduled-release-version:
     name: Update Scheduled Release Version
-    uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+    uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
     secrets: inherit
   send-notification:
     name: Send Notification
@@ -18,6 +18,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@b92832ecbc7cbe969201e6beafbde0ee400cf095 # v1.0.15
         with:
           webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.sdkmanrc

@@ -3,4 +3,4 @@
 # See https://sdkman.io/usage#config
 # A summary is to add the following to ~/.sdkman/etc/config
 # sdkman_auto_env=true
-java=17.0.3-tem
+java=25-librca

.vscode/settings.json

@@ -1,3 +1,3 @@
 {
-	"java.import.gradle.enabled": false
+  "java.gradle.buildServer.enabled": "off"
 }

CONTRIBUTING.adoc

@@ -31,7 +31,7 @@ If you have a question, check Stack Overflow using
 https://stackoverflow.com/questions/tagged/spring-security+or+spring-ldap+or+spring-authorization-server+or+spring-session?tab=Newest[this list of tags].
 Find an existing discussion, or start a new one if necessary.
 
-If you believe there is an issue, search through https://github.com/spring-projects/spring-security/issues[existing issues] trying a  few different ways to find discussions, past or current, that are related to the issue.
+If you believe there is an issue, search through https://github.com/spring-projects/spring-security/issues[existing issues] trying a few different ways to find discussions, past or current, that are related to the issue.
 Reading those discussions helps you to learn about the issue, and helps us to make a decision.
 
 [[find-an-issue]]
@@ -94,7 +94,7 @@ Don't worry if you don't get them all correct the first time, we will help you.
 
 1. [[sign-cla]] All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
 For additional details, please refer to the blog post https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring[Hello DCO, Goodbye CLA: Simplifying Contributions to Spring].
-2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
+2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier to discuss with the team first to determine the right fix or enhancement.
 For typos and straightforward bug fixes, starting with a pull request is encouraged.
 Please include a description for context and motivation.
 Note that the team may close your pull request if it's not a fit for the project.

access/spring-security-access.gradle

@@ -1,3 +1,8 @@
+plugins {
+	id 'compile-warnings-error'
+	id 'javadoc-warnings-error'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

access/src/main/java/org/springframework/security/access/SecurityConfig.java

@@ -20,6 +20,8 @@ import java.io.Serial;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.util.Assert;
@@ -50,7 +52,7 @@ public class SecurityConfig implements ConfigAttribute {
 	}
 
 	@Override
-	public boolean equals(Object obj) {
+	public boolean equals(@Nullable Object obj) {
 		if (obj instanceof ConfigAttribute attr) {
 			return this.attrib.equals(attr.getAttribute());
 		}

access/src/main/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSource.java

@@ -31,6 +31,7 @@ import org.jspecify.annotations.Nullable;
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource;
+import org.springframework.util.StringUtils;
 
 /**
  * Sources method security metadata from major JSR 250 security annotations.
@@ -108,7 +109,7 @@ public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSe
 		if (role == null) {
 			return role;
 		}
-		if (this.defaultRolePrefix == null || this.defaultRolePrefix.length() == 0) {
+		if (!StringUtils.hasLength(this.defaultRolePrefix)) {
 			return role;
 		}
 		if (role.startsWith(this.defaultRolePrefix)) {

access/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java

@@ -53,7 +53,9 @@ import org.springframework.util.CollectionUtils;
  *
  * @author Ben Alex
  * @author Luke Taylor
- * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
+ * @deprecated Use
+ * <code>org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity</code>
+ * or publish interceptors directly
  */
 @NullUnmarked
 @Deprecated

access/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java

@@ -114,8 +114,10 @@ public final class DelegatingMethodSecurityMetadataSource extends AbstractMethod
 		}
 
 		@Override
-		public boolean equals(Object other) {
-			DefaultCacheKey otherKey = (DefaultCacheKey) other;
+		public boolean equals(@Nullable Object other) {
+			if (!(other instanceof DefaultCacheKey otherKey)) {
+				return false;
+			}
 			return (this.method.equals(otherKey.method)
 					&& ObjectUtils.nullSafeEquals(this.targetClass, otherKey.targetClass));
 		}

access/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java

@@ -265,7 +265,7 @@ public class MapBasedMethodSecurityMetadataSource extends AbstractFallbackMethod
 		}
 
 		@Override
-		public boolean equals(Object obj) {
+		public boolean equals(@Nullable Object obj) {
 			if (this == obj) {
 				return true;
 			}

access/src/main/java/org/springframework/security/access/prepost/PrePostAdviceReactiveMethodInterceptor.java

@@ -145,6 +145,7 @@ public class PrePostAdviceReactiveMethodInterceptor implements MethodInterceptor
 			.map((r) -> (attr != null) ? this.postAdvice.after(auth, invocation, attr, r) : r));
 	}
 
+	@SuppressWarnings("unchecked")
 	private static <T extends Publisher<?>> @Nullable T proceed(final MethodInvocation invocation) {
 		try {
 			return (T) invocation.proceed();

access/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java

@@ -111,6 +111,7 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends Abstract
 		return returnedObject;
 	}
 
+	@SuppressWarnings({ "unchecked", "rawtypes" })
 	private Filterer getFilterer(Object returnedObject) {
 		if (returnedObject instanceof Collection) {
 			return new CollectionFilterer((Collection) returnedObject);

access/src/main/java/org/springframework/security/messaging/access/expression/MessageExpressionConfigAttribute.java

@@ -50,6 +50,7 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 	 * @param authorizeExpression the {@link Expression} to use. Cannot be null
 	 * @param matcher the {@link MessageMatcher} used to match the messages.
 	 */
+	@SuppressWarnings("unchecked")
 	MessageExpressionConfigAttribute(Expression authorizeExpression, MessageMatcher<?> matcher) {
 		Assert.notNull(authorizeExpression, "authorizeExpression cannot be null");
 		Assert.notNull(matcher, "matcher cannot be null");

access/src/main/java/org/springframework/security/web/access/expression/DefaultWebSecurityExpressionHandler.java

@@ -41,6 +41,7 @@ public class DefaultWebSecurityExpressionHandler extends AbstractSecurityExpress
 	private String defaultRolePrefix = DEFAULT_ROLE_PREFIX;
 
 	@Override
+	@SuppressWarnings("deprecation")
 	protected SecurityExpressionOperations createSecurityExpressionRoot(@Nullable Authentication authentication,
 			FilterInvocation fi) {
 		FilterInvocationExpressionRoot root = new FilterInvocationExpressionRoot(() -> authentication, fi);

access/src/test/java/org/springframework/security/access/AuthenticationCredentialsNotFoundEventTests.java

@@ -29,6 +29,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AuthenticationCredentialsNotFoundEventTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/AuthorizationFailureEventTests.java

@@ -32,6 +32,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AuthorizationFailureEventTests {
 
 	private final UsernamePasswordAuthenticationToken foo = UsernamePasswordAuthenticationToken.unauthenticated("foo",

access/src/test/java/org/springframework/security/access/AuthorizedEventTests.java

@@ -29,6 +29,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AuthorizedEventTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/SecurityConfigTests.java

@@ -27,6 +27,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class SecurityConfigTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSourceTests.java

@@ -32,6 +32,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  * @author Luke Taylor
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class Jsr250MethodSecurityMetadataSourceTests {
 
 	Jsr250MethodSecurityMetadataSource mds;

access/src/test/java/org/springframework/security/access/annotation/Jsr250VoterTests.java

@@ -31,6 +31,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 /**
  * @author Luke Taylor
  */
+@SuppressWarnings("deprecation")
 public class Jsr250VoterTests {
 
 	// SEC-1443

access/src/test/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataSourceTests.java

@@ -46,6 +46,7 @@ import static org.assertj.core.api.Assertions.fail;
  * @author Ben Alex
  * @author Luke Taylor
  */
+@SuppressWarnings("deprecation")
 public class SecuredAnnotationSecurityMetadataSourceTests {
 
 	private SecuredAnnotationSecurityMetadataSource mds = new SecuredAnnotationSecurityMetadataSource();

access/src/test/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandlerTests.java

@@ -79,11 +79,13 @@ public class DefaultMethodSecurityExpressionHandlerTests {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setTrustResolverNull() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setTrustResolver(null));
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void createEvaluationContextCustomTrustResolver() {
 		setupMocks();
 		this.handler.setTrustResolver(this.trustResolver);
@@ -175,7 +177,7 @@ public class DefaultMethodSecurityExpressionHandlerTests {
 	@Test
 	public void createEvaluationContextSupplierAuthentication() {
 		setupMocks();
-		Supplier<Authentication> mockAuthenticationSupplier = mock(Supplier.class);
+		Supplier<Authentication> mockAuthenticationSupplier = mock();
 		given(mockAuthenticationSupplier.get()).willReturn(this.authentication);
 		EvaluationContext context = this.handler.createEvaluationContext(mockAuthenticationSupplier,
 				this.methodInvocation);

access/src/test/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdviceTests.java

@@ -39,6 +39,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  * @since 5.2
  */
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class ExpressionBasedPreInvocationAdviceTests {
 
 	@Mock

access/src/test/java/org/springframework/security/access/expression/method/MethodExpressionVoterTests.java

@@ -34,7 +34,7 @@ import org.springframework.security.util.SimpleMethodInvocation;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 
-@SuppressWarnings("unchecked")
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class MethodExpressionVoterTests {
 
 	private TestingAuthenticationToken joe = new TestingAuthenticationToken("joe", "joespass", "ROLE_blah");

access/src/test/java/org/springframework/security/access/expression/method/MethodSecurityExpressionRootTests.java

@@ -27,6 +27,7 @@ import org.springframework.expression.spel.support.StandardEvaluationContext;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.ExpressionUtils;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.Authentication;
 
 import static org.mockito.ArgumentMatchers.any;
@@ -58,7 +59,9 @@ public class MethodSecurityExpressionRootTests {
 		this.ctx = new StandardEvaluationContext();
 		this.ctx.setRootObject(this.root);
 		this.trustResolver = mock(AuthenticationTrustResolver.class);
-		this.root.setTrustResolver(this.trustResolver);
+		DefaultAuthorizationManagerFactory<MethodInvocation> authorizationManagerFactory = new DefaultAuthorizationManagerFactory<>();
+		authorizationManagerFactory.setTrustResolver(this.trustResolver);
+		this.root.setAuthorizationManagerFactory(authorizationManagerFactory);
 	}
 
 	@Test

access/src/test/java/org/springframework/security/access/expression/method/PrePostAnnotationSecurityMetadataSourceTests.java

@@ -44,6 +44,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  * @author Luke Taylor
  * @since 3.0
  */
+@SuppressWarnings("deprecation")
 public class PrePostAnnotationSecurityMetadataSourceTests {
 
 	private PrePostAnnotationSecurityMetadataSource mds = new PrePostAnnotationSecurityMetadataSource(

access/src/test/java/org/springframework/security/access/intercept/AbstractSecurityInterceptorTests.java

@@ -32,6 +32,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AbstractSecurityInterceptorTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/AfterInvocationProviderManagerTests.java

@@ -38,7 +38,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
-@SuppressWarnings("unchecked")
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class AfterInvocationProviderManagerTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/InterceptorStatusTokenTests.java

@@ -34,6 +34,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class InterceptorStatusTokenTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/NullRunAsManagerTests.java

@@ -27,6 +27,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class NullRunAsManagerTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProviderTests.java

@@ -31,6 +31,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 /**
  * Tests {@link RunAsImplAuthenticationProvider}.
  */
+@SuppressWarnings("deprecation")
 public class RunAsImplAuthenticationProviderTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java

@@ -34,6 +34,7 @@ import static org.assertj.core.api.Assertions.fail;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class RunAsManagerImplTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/RunAsUserTokenTests.java

@@ -29,6 +29,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class RunAsUserTokenTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptorTests.java

@@ -65,7 +65,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
  * @author Ben Alex
  * @author Rob Winch
  */
-@SuppressWarnings("unchecked")
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class MethodSecurityInterceptorTests {
 
 	private TestingAuthenticationToken token;

access/src/test/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisorTests.java

@@ -33,6 +33,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class MethodSecurityMetadataSourceAdvisorTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/intercept/aspectj/AspectJMethodSecurityInterceptorTests.java

@@ -62,6 +62,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
  * @author Luke Taylor
  * @author Rob Winch
  */
+@SuppressWarnings("deprecation")
 public class AspectJMethodSecurityInterceptorTests {
 
 	private TestingAuthenticationToken token;

access/src/test/java/org/springframework/security/access/intercept/method/MapBasedMethodSecurityMetadataSourceTests.java

@@ -34,6 +34,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  * @author Luke Taylor
  * @since 2.0.4
  */
+@SuppressWarnings("deprecation")
 public class MapBasedMethodSecurityMetadataSourceTests {
 
 	private final List<ConfigAttribute> ROLE_A = SecurityConfig.createList("ROLE_A");

access/src/test/java/org/springframework/security/access/intercept/method/MethodInvocationPrivilegeEvaluatorTests.java

@@ -49,6 +49,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class MethodInvocationPrivilegeEvaluatorTests {
 
 	private TestingAuthenticationToken token;

access/src/test/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSourceTests.java

@@ -36,7 +36,7 @@ import static org.mockito.Mockito.mock;
 /**
  * @author Luke Taylor
  */
-@SuppressWarnings({ "unchecked" })
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class DelegatingMethodSecurityMetadataSourceTests {
 
 	DelegatingMethodSecurityMetadataSource mds;

access/src/test/java/org/springframework/security/access/prepost/PostInvocationAdviceProviderTests.java

@@ -29,6 +29,7 @@ import org.springframework.security.access.intercept.aspectj.MethodInvocationAda
 import static org.assertj.core.api.Assertions.assertThat;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class PostInvocationAdviceProviderTests {
 
 	@Mock

access/src/test/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoterTests.java

@@ -29,6 +29,7 @@ import org.springframework.security.access.intercept.aspectj.MethodInvocationAda
 import static org.assertj.core.api.Assertions.assertThat;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class PreInvocationAuthorizationAdviceVoterTests {
 
 	@Mock

access/src/test/java/org/springframework/security/access/vote/AbstractAccessDecisionManagerTests.java

@@ -36,7 +36,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
-@SuppressWarnings("unchecked")
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class AbstractAccessDecisionManagerTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/vote/AbstractAclVoterTests.java

@@ -31,6 +31,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 /**
  * @author Luke Taylor
  */
+@SuppressWarnings("deprecation")
 public class AbstractAclVoterTests {
 
 	private AbstractAclVoter voter = new AbstractAclVoter() {

access/src/test/java/org/springframework/security/access/vote/AffirmativeBasedTests.java

@@ -40,6 +40,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AffirmativeBasedTests {
 
 	private final List<ConfigAttribute> attrs = new ArrayList<>();

access/src/test/java/org/springframework/security/access/vote/AuthenticatedVoterTests.java

@@ -37,6 +37,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AuthenticatedVoterTests {
 
 	private Authentication createAnonymous() {

access/src/test/java/org/springframework/security/access/vote/ConsensusBasedTests.java

@@ -35,6 +35,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class ConsensusBasedTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/vote/DenyAgainVoter.java

@@ -32,6 +32,7 @@ import org.springframework.security.core.Authentication;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class DenyAgainVoter implements AccessDecisionVoter<Object> {
 
 	@Override

access/src/test/java/org/springframework/security/access/vote/DenyVoter.java

@@ -34,6 +34,7 @@ import org.springframework.security.core.Authentication;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class DenyVoter implements AccessDecisionVoter<Object> {
 
 	@Override

access/src/test/java/org/springframework/security/access/vote/RoleHierarchyVoterTests.java

@@ -25,6 +25,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
+@SuppressWarnings("deprecation")
 public class RoleHierarchyVoterTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/vote/RoleVoterTests.java

@@ -28,6 +28,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 /**
  * @author Luke Taylor
  */
+@SuppressWarnings("deprecation")
 public class RoleVoterTests {
 
 	@Test

access/src/test/java/org/springframework/security/access/vote/UnanimousBasedTests.java

@@ -35,6 +35,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class UnanimousBasedTests {
 
 	private UnanimousBased makeDecisionManager() {

access/src/test/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProviderTests.java

@@ -44,7 +44,7 @@ import static org.mockito.Mockito.verify;
 /**
  * @author Luke Taylor
  */
-@SuppressWarnings({ "unchecked" })
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class AclEntryAfterInvocationCollectionFilteringProviderTests {
 
 	@Test

access/src/test/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProviderTests.java

@@ -48,7 +48,7 @@ import static org.mockito.Mockito.verify;
 /**
  * @author Luke Taylor
  */
-@SuppressWarnings({ "unchecked" })
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class AclEntryAfterInvocationProviderTests {
 
 	@Test

access/src/test/java/org/springframework/security/messaging/access/expression/ExpressionBasedMessageSecurityMetadataSourceFactoryTests.java

@@ -35,6 +35,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.BDDMockito.given;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class ExpressionBasedMessageSecurityMetadataSourceFactoryTests {
 
 	@Mock
@@ -57,7 +58,7 @@ public class ExpressionBasedMessageSecurityMetadataSourceFactoryTests {
 
 	MessageSecurityMetadataSource source;
 
-	MessageSecurityExpressionRoot rootObject;
+	MessageSecurityExpressionRoot<Object> rootObject;
 
 	@BeforeEach
 	public void setup() {
@@ -68,7 +69,7 @@ public class ExpressionBasedMessageSecurityMetadataSourceFactoryTests {
 		this.matcherToExpression.put(this.matcher2, this.expression2);
 		this.source = ExpressionBasedMessageSecurityMetadataSourceFactory
 			.createExpressionMessageMetadataSource(this.matcherToExpression);
-		this.rootObject = new MessageSecurityExpressionRoot(this.authentication, this.message);
+		this.rootObject = new MessageSecurityExpressionRoot<>(this.authentication, this.message);
 	}
 
 	@Test

access/src/test/java/org/springframework/security/messaging/access/expression/MessageExpressionConfigAttributeTests.java

@@ -37,6 +37,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class MessageExpressionConfigAttributeTests {
 
 	@Mock

access/src/test/java/org/springframework/security/messaging/access/expression/MessageExpressionVoterTests.java

@@ -44,6 +44,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class MessageExpressionVoterTests {
 
 	@Mock
@@ -76,6 +77,7 @@ public class MessageExpressionVoterTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void voteGranted() {
 		given(this.expression.getValue(any(EvaluationContext.class), eq(Boolean.class))).willReturn(true);
 		given(this.matcher.matcher(any())).willCallRealMethod();
@@ -84,6 +86,7 @@ public class MessageExpressionVoterTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void voteDenied() {
 		given(this.expression.getValue(any(EvaluationContext.class), eq(Boolean.class))).willReturn(false);
 		given(this.matcher.matcher(any())).willCallRealMethod();
@@ -92,6 +95,7 @@ public class MessageExpressionVoterTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void voteAbstain() {
 		this.attributes = Arrays.<ConfigAttribute>asList(new SecurityConfig("ROLE_USER"));
 		assertThat(this.voter.vote(this.authentication, this.message, this.attributes))
@@ -99,11 +103,13 @@ public class MessageExpressionVoterTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void supportsObjectClassFalse() {
 		assertThat(this.voter.supports(Object.class)).isFalse();
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void supportsMessageClassTrue() {
 		assertThat(this.voter.supports(Message.class)).isTrue();
 	}
@@ -119,11 +125,13 @@ public class MessageExpressionVoterTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void setExpressionHandlerNull() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.voter.setExpressionHandler(null));
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void customExpressionHandler() {
 		this.voter.setExpressionHandler(this.expressionHandler);
 		given(this.expressionHandler.createEvaluationContext(this.authentication, this.message))
@@ -136,6 +144,7 @@ public class MessageExpressionVoterTests {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void postProcessEvaluationContext() {
 		final MessageExpressionConfigAttribute configAttribute = mock(MessageExpressionConfigAttribute.class);
 		this.voter.setExpressionHandler(this.expressionHandler);

access/src/test/java/org/springframework/security/messaging/access/intercept/ChannelSecurityInterceptorTests.java

@@ -47,6 +47,7 @@ import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.willThrow;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class ChannelSecurityInterceptorTests {
 
 	@Mock

access/src/test/java/org/springframework/security/messaging/access/intercept/DefaultMessageSecurityMetadataSourceTests.java

@@ -36,6 +36,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.BDDMockito.given;
 
 @ExtendWith(MockitoExtension.class)
+@SuppressWarnings("deprecation")
 public class DefaultMessageSecurityMetadataSourceTests {
 
 	@Mock

access/src/test/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluatorTests.java

@@ -43,6 +43,7 @@ import org.springframework.security.web.access.intercept.FilterSecurityIntercept
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class DefaultWebInvocationPrivilegeEvaluatorTests {
 
 	private AccessDecisionManager adm;

access/src/test/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImplTests.java

@@ -42,7 +42,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
-@SuppressWarnings("unchecked")
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class ChannelDecisionManagerImplTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java

@@ -39,6 +39,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class ChannelProcessingFilterTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/channel/InsecureChannelProcessorTests.java

@@ -35,6 +35,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class InsecureChannelProcessorTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/channel/RetryWithHttpEntryPointTests.java

@@ -36,6 +36,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class RetryWithHttpEntryPointTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/channel/RetryWithHttpsEntryPointTests.java

@@ -33,6 +33,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class RetryWithHttpsEntryPointTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/channel/SecureChannelProcessorTests.java

@@ -35,6 +35,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class SecureChannelProcessorTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/expression/DefaultWebSecurityExpressionHandlerTests.java

@@ -64,6 +64,7 @@ public class DefaultWebSecurityExpressionHandlerTests {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void expressionPropertiesAreResolvedAgainstAppContextBeans() {
 		StaticApplicationContext appContext = new StaticApplicationContext();
 		RootBeanDefinition bean = new RootBeanDefinition(SecurityConfig.class);
@@ -78,11 +79,13 @@ public class DefaultWebSecurityExpressionHandlerTests {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setTrustResolverNull() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setTrustResolver(null));
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void createEvaluationContextCustomTrustResolver() {
 		this.handler.setTrustResolver(this.trustResolver);
 		Expression expression = this.handler.getExpressionParser().parseExpression("anonymous");

access/src/test/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSourceTests.java

@@ -33,6 +33,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 /**
  * @author Luke Taylor
  */
+@SuppressWarnings("deprecation")
 public class ExpressionBasedFilterInvocationSecurityMetadataSourceTests {
 
 	@Test

access/src/test/java/org/springframework/security/web/access/expression/WebExpressionVoterTests.java

@@ -41,7 +41,7 @@ import static org.mockito.Mockito.mock;
 /**
  * @author Luke Taylor
  */
-@SuppressWarnings({ "unchecked" })
+@SuppressWarnings({ "unchecked", "deprecation" })
 public class WebExpressionVoterTests {
 
 	private Authentication user = new TestingAuthenticationToken("user", "pass", "X");

access/src/test/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSourceTests.java

@@ -40,6 +40,7 @@ import static org.mockito.Mockito.mock;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class DefaultFilterInvocationSecurityMetadataSourceTests {
 
 	private DefaultFilterInvocationSecurityMetadataSource fids;

access/src/test/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptorTests.java

@@ -62,6 +62,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
  * @author Luke Taylor
  * @author Rob Winch
  */
+@SuppressWarnings("deprecation")
 public class FilterSecurityInterceptorTests {
 
 	private AuthenticationManager am;

acl/spring-security-acl.gradle

@@ -1,3 +1,9 @@
+plugins {
+	id 'compile-warnings-error'
+	id 'javadoc-warnings-error'
+	id 'security-nullability'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

acl/src/main/java/org/springframework/security/acls/AclPermissionEvaluator.java

@@ -23,6 +23,7 @@ import java.util.Locale;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.PermissionEvaluator;
@@ -44,7 +45,7 @@ import org.springframework.security.core.Authentication;
 /**
  * Used by Spring Security's expression-based access control implementation to evaluate
  * permissions for a particular object using the ACL module. Similar in behaviour to
- * {@link org.springframework.security.acls.AclEntryVoter AclEntryVoter}.
+ * <code> org.springframework.security.acls.AclEntryVoter AclEntryVoter </code>
  *
  * @author Luke Taylor
  * @since 3.0
@@ -73,7 +74,7 @@ public class AclPermissionEvaluator implements PermissionEvaluator {
 	 * be overridden using a null check in the expression itself).
 	 */
 	@Override
-	public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
+	public boolean hasPermission(Authentication authentication, @Nullable Object domainObject, Object permission) {
 		if (domainObject == null) {
 			return false;
 		}

acl/src/main/java/org/springframework/security/acls/aot/hint/AclRuntimeHints.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.acls.aot.hint;
+
+import java.util.stream.Stream;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.aot.hint.MemberCategory;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.RuntimeHintsRegistrar;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+import org.springframework.security.acls.domain.AclImpl;
+import org.springframework.security.acls.domain.AuditLogger;
+import org.springframework.security.acls.domain.BasePermission;
+import org.springframework.security.acls.domain.GrantedAuthoritySid;
+import org.springframework.security.acls.domain.ObjectIdentityImpl;
+import org.springframework.security.acls.domain.PrincipalSid;
+import org.springframework.security.acls.model.AccessControlEntry;
+import org.springframework.security.acls.model.Acl;
+import org.springframework.security.acls.model.AuditableAccessControlEntry;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.Sid;
+
+/**
+ * {@link RuntimeHintsRegistrar} for ACL (Access Control List) classes.
+ *
+ * @author Josh Long
+ */
+class AclRuntimeHints implements RuntimeHintsRegistrar {
+
+	@Override
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
+		registerAclDomainHints(hints);
+		registerJdbcSchemaHints(hints);
+	}
+
+	private void registerAclDomainHints(RuntimeHints hints) {
+		// Register core ACL domain types
+		Stream
+			.of(Acl.class, AccessControlEntry.class, AuditableAccessControlEntry.class, ObjectIdentity.class, Sid.class,
+					AclImpl.class, AccessControlEntry.class, AuditLogger.class, ObjectIdentityImpl.class,
+					PrincipalSid.class, GrantedAuthoritySid.class, BasePermission.class)
+			.forEach((c) -> hints.reflection()
+				.registerType(TypeReference.of(c),
+						(builder) -> builder.withMembers(MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
+								MemberCategory.INVOKE_DECLARED_METHODS, MemberCategory.ACCESS_DECLARED_FIELDS)));
+
+	}
+
+	private void registerJdbcSchemaHints(RuntimeHints hints) {
+		String[] sqlFiles = new String[] { "createAclSchema.sql", "createAclSchemaMySQL.sql",
+				"createAclSchemaOracle.sql", "createAclSchemaPostgres.sql", "createAclSchemaSqlServer.sql",
+				"createAclSchemaWithAclClassIdType.sql", "select.sql" };
+		for (String sqlFile : sqlFiles) {
+			Resource sqlResource = new ClassPathResource(sqlFile);
+			if (sqlResource.exists()) {
+				hints.resources().registerResource(sqlResource);
+			}
+		}
+	}
+
+}

acl/src/main/java/org/springframework/security/acls/aot/hint/package-info.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AOT and native image hint support for ACLs.
+ */
+@NullMarked
+package org.springframework.security.acls.aot.hint;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/domain/AbstractPermission.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.acls.domain;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.Permission;
 
 /**
@@ -52,7 +54,7 @@ public abstract class AbstractPermission implements Permission {
 	}
 
 	@Override
-	public final boolean equals(Object obj) {
+	public final boolean equals(@Nullable Object obj) {
 		if (obj == null) {
 			return false;
 		}

acl/src/main/java/org/springframework/security/acls/domain/AccessControlEntryImpl.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.domain;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.AccessControlEntry;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.AuditableAccessControlEntry;
@@ -36,7 +38,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 
 	private Permission permission;
 
-	private final Serializable id;
+	private final @Nullable Serializable id;
 
 	private final Sid sid;
 
@@ -46,7 +48,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 
 	private final boolean granting;
 
-	public AccessControlEntryImpl(Serializable id, Acl acl, Sid sid, Permission permission, boolean granting,
+	public AccessControlEntryImpl(@Nullable Serializable id, Acl acl, Sid sid, Permission permission, boolean granting,
 			boolean auditSuccess, boolean auditFailure) {
 		Assert.notNull(acl, "Acl required");
 		Assert.notNull(sid, "Sid required");
@@ -61,7 +63,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 	}
 
 	@Override
-	public boolean equals(Object arg0) {
+	public boolean equals(@Nullable Object arg0) {
 		if (!(arg0 instanceof AccessControlEntryImpl)) {
 			return false;
 		}
@@ -133,7 +135,7 @@ public class AccessControlEntryImpl implements AccessControlEntry, AuditableAcce
 	}
 
 	@Override
-	public Serializable getId() {
+	public @Nullable Serializable getId() {
 		return this.id;
 	}
 

acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -99,7 +99,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 		Authentication authentication = context.getAuthentication();
 		// Check if authorized by virtue of ACL ownership
 		Sid currentUser = createCurrentUser(authentication);
-		if (currentUser.equals(acl.getOwner())
+		Sid owner = acl.getOwner();
+		if (owner != null && currentUser.equals(owner)
 				&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
 			return;
 		}
@@ -108,8 +109,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 		Collection<? extends GrantedAuthority> reachableGrantedAuthorities = this.roleHierarchy
 			.getReachableGrantedAuthorities(authentication.getAuthorities());
 		Set<String> authorities = AuthorityUtils.authorityListToSet(reachableGrantedAuthorities);
-		if (acl.getOwner() instanceof GrantedAuthoritySid
-				&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
+		if (owner instanceof GrantedAuthoritySid
+				&& authorities.contains(((GrantedAuthoritySid) owner).getGrantedAuthority())) {
 			return;
 		}
 

acl/src/main/java/org/springframework/security/acls/domain/AclImpl.java

@@ -20,6 +20,8 @@ import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.AccessControlEntry;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.AuditableAcl;
@@ -41,7 +43,7 @@ import org.springframework.util.ObjectUtils;
  */
 public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 
-	private Acl parentAcl;
+	private @Nullable Acl parentAcl;
 
 	private transient AclAuthorizationStrategy aclAuthorizationStrategy;
 
@@ -54,10 +56,10 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	private Serializable id;
 
 	// OwnershipAcl
-	private Sid owner;
+	private @Nullable Sid owner;
 
 	// includes all SIDs the WHERE clause covered, even if there was no ACE for a SID
-	private List<Sid> loadedSids = null;
+	private @Nullable List<Sid> loadedSids = null;
 
 	private boolean entriesInheriting = true;
 
@@ -97,8 +99,8 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	 * @param owner the owner (required)
 	 */
 	public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy,
-			PermissionGrantingStrategy grantingStrategy, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting,
-			Sid owner) {
+			PermissionGrantingStrategy grantingStrategy, @Nullable Acl parentAcl, @Nullable List<Sid> loadedSids,
+			boolean entriesInheriting, Sid owner) {
 		Assert.notNull(objectIdentity, "Object Identity required");
 		Assert.notNull(id, "Id required");
 		Assert.notNull(aclAuthorizationStrategy, "AclAuthorizationStrategy required");
@@ -117,7 +119,7 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	 * Private no-argument constructor for use by reflection-based persistence tools along
 	 * with field-level access.
 	 */
-	@SuppressWarnings("unused")
+	@SuppressWarnings({ "unused", "NullAway.Init" })
 	private AclImpl() {
 	}
 
@@ -199,7 +201,7 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	}
 
 	@Override
-	public boolean isSidLoaded(List<Sid> sids) {
+	public boolean isSidLoaded(@Nullable List<Sid> sids) {
 		// If loadedSides is null, this indicates all SIDs were loaded
 		// Also return true if the caller didn't specify a SID to find
 		if ((this.loadedSids == null) || (sids == null) || sids.isEmpty()) {
@@ -238,19 +240,19 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	}
 
 	@Override
-	public Sid getOwner() {
+	public @Nullable Sid getOwner() {
 		return this.owner;
 	}
 
 	@Override
-	public void setParent(Acl newParent) {
+	public void setParent(@Nullable Acl newParent) {
 		this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
 		Assert.isTrue(newParent == null || !newParent.equals(this), "Cannot be the parent of yourself");
 		this.parentAcl = newParent;
 	}
 
 	@Override
-	public Acl getParentAcl() {
+	public @Nullable Acl getParentAcl() {
 		return this.parentAcl;
 	}
 
@@ -276,7 +278,7 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
 	}
 
 	@Override
-	public boolean equals(Object obj) {
+	public boolean equals(@Nullable Object obj) {
 		if (obj == this) {
 			return true;
 		}

acl/src/main/java/org/springframework/security/acls/domain/GrantedAuthoritySid.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.acls.domain;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.util.Assert;
@@ -47,7 +49,7 @@ public class GrantedAuthoritySid implements Sid {
 	}
 
 	@Override
-	public boolean equals(Object object) {
+	public boolean equals(@Nullable Object object) {
 		if ((object == null) || !(object instanceof GrantedAuthoritySid)) {
 			return false;
 		}

acl/src/main/java/org/springframework/security/acls/domain/ObjectIdentityImpl.java

@@ -19,6 +19,8 @@ package org.springframework.security.acls.domain;
 import java.io.Serializable;
 import java.lang.reflect.Method;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.ObjectIdentity;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
@@ -97,7 +99,7 @@ public class ObjectIdentityImpl implements ObjectIdentity {
 	 * @return <code>true</code> if the presented object matches this object
 	 */
 	@Override
-	public boolean equals(Object obj) {
+	public boolean equals(@Nullable Object obj) {
 		if (obj == null || !(obj instanceof ObjectIdentityImpl)) {
 			return false;
 		}

acl/src/main/java/org/springframework/security/acls/domain/PrincipalSid.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.acls.domain;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
@@ -46,7 +48,7 @@ public class PrincipalSid implements Sid {
 	}
 
 	@Override
-	public boolean equals(Object object) {
+	public boolean equals(@Nullable Object object) {
 		if ((object == null) || !(object instanceof PrincipalSid)) {
 			return false;
 		}

acl/src/main/java/org/springframework/security/acls/domain/SpringCacheBasedAclCache.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.domain;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.cache.Cache;
 import org.springframework.security.acls.model.AclCache;
 import org.springframework.security.acls.model.MutableAcl;
@@ -78,13 +80,13 @@ public class SpringCacheBasedAclCache implements AclCache {
 	}
 
 	@Override
-	public MutableAcl getFromCache(ObjectIdentity objectIdentity) {
+	public @Nullable MutableAcl getFromCache(ObjectIdentity objectIdentity) {
 		Assert.notNull(objectIdentity, "ObjectIdentity required");
 		return getFromCache((Object) objectIdentity);
 	}
 
 	@Override
-	public MutableAcl getFromCache(Serializable pk) {
+	public @Nullable MutableAcl getFromCache(Serializable pk) {
 		Assert.notNull(pk, "Primary key (identifier) required");
 		return getFromCache((Object) pk);
 	}
@@ -101,12 +103,16 @@ public class SpringCacheBasedAclCache implements AclCache {
 		this.cache.put(acl.getId(), acl);
 	}
 
-	private MutableAcl getFromCache(Object key) {
+	private @Nullable MutableAcl getFromCache(Object key) {
 		Cache.ValueWrapper element = this.cache.get(key);
 		if (element == null) {
 			return null;
 		}
-		return initializeTransientFields((MutableAcl) element.get());
+		Object value = element.get();
+		if (value == null) {
+			return null;
+		}
+		return initializeTransientFields((MutableAcl) value);
 	}
 
 	private MutableAcl initializeTransientFields(MutableAcl value) {

acl/src/main/java/org/springframework/security/acls/domain/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Basic implementation of access control lists (ACLs) interfaces.
  */
+@NullMarked
 package org.springframework.security.acls.domain;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/jdbc/AclClassIdUtils.java

@@ -23,6 +23,7 @@ import java.util.UUID;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.convert.ConversionFailedException;
 import org.springframework.core.convert.ConversionService;
@@ -67,10 +68,10 @@ class AclClassIdUtils {
 	 * @return The identifier in the appropriate target Java type. Typically Long or UUID.
 	 * @throws SQLException
 	 */
-	Serializable identifierFrom(Serializable identifier, ResultSet resultSet) throws SQLException {
-		if (isString(identifier) && hasValidClassIdType(resultSet)
-				&& canConvertFromStringTo(classIdTypeFrom(resultSet))) {
-			return convertFromStringTo((String) identifier, classIdTypeFrom(resultSet));
+	@Nullable Serializable identifierFrom(Serializable identifier, ResultSet resultSet) throws SQLException {
+		Class<? extends Serializable> classIdType = classIdTypeFrom(resultSet);
+		if (isString(identifier) && classIdType != null && canConvertFromStringTo(classIdType)) {
+			return convertFromStringTo((String) identifier, classIdType);
 		}
 		// Assume it should be a Long type
 		return convertToLong(identifier);
@@ -86,28 +87,38 @@ class AclClassIdUtils {
 		}
 	}
 
-	private <T extends Serializable> Class<T> classIdTypeFrom(ResultSet resultSet) throws SQLException {
-		return classIdTypeFrom(resultSet.getString(DEFAULT_CLASS_ID_TYPE_COLUMN_NAME));
+	private @Nullable Class<? extends Serializable> classIdTypeFrom(ResultSet resultSet) throws SQLException {
+		try {
+			return classIdTypeFrom(resultSet.getString(DEFAULT_CLASS_ID_TYPE_COLUMN_NAME));
+		}
+		catch (SQLException ex) {
+			log.debug("Unable to obtain the class id type", ex);
+			return null;
+		}
 	}
 
-	private <T extends Serializable> Class<T> classIdTypeFrom(String className) {
+	private @Nullable Class<? extends Serializable> classIdTypeFrom(String className) {
 		if (className == null) {
 			return null;
 		}
 		try {
-			return (Class) Class.forName(className);
+			return Class.forName(className).asSubclass(Serializable.class);
 		}
 		catch (ClassNotFoundException ex) {
 			log.debug("Unable to find class id type on classpath", ex);
 			return null;
 		}
+		catch (ClassCastException ex) {
+			log.debug("Class id type is not a Serializable type", ex);
+			return null;
+		}
 	}
 
 	private <T> boolean canConvertFromStringTo(Class<T> targetType) {
 		return this.conversionService.canConvert(String.class, targetType);
 	}
 
-	private <T extends Serializable> T convertFromStringTo(String identifier, Class<T> targetType) {
+	private <T extends Serializable> @Nullable T convertFromStringTo(String identifier, Class<T> targetType) {
 		return this.conversionService.convert(identifier, targetType);
 	}
 
@@ -121,7 +132,7 @@ class AclClassIdUtils {
 	 * exception occurred
 	 * @throws IllegalArgumentException if targetType is null
 	 */
-	private Long convertToLong(Serializable identifier) {
+	private @Nullable Long convertToLong(Serializable identifier) {
 		if (this.conversionService.canConvert(identifier.getClass(), Long.class)) {
 			return this.conversionService.convert(identifier, Long.class);
 		}
@@ -140,10 +151,10 @@ class AclClassIdUtils {
 	private static class StringToLongConverter implements Converter<String, Long> {
 
 		@Override
-		public Long convert(String identifierAsString) {
+		public Long convert(@Nullable String identifierAsString) {
 			if (identifierAsString == null) {
 				throw new ConversionFailedException(TypeDescriptor.valueOf(String.class),
-						TypeDescriptor.valueOf(Long.class), null, null);
+						TypeDescriptor.valueOf(Long.class), identifierAsString, new NullPointerException());
 
 			}
 			return Long.parseLong(identifierAsString);
@@ -154,10 +165,10 @@ class AclClassIdUtils {
 	private static class StringToUUIDConverter implements Converter<String, UUID> {
 
 		@Override
-		public UUID convert(String identifierAsString) {
+		public UUID convert(@Nullable String identifierAsString) {
 			if (identifierAsString == null) {
 				throw new ConversionFailedException(TypeDescriptor.valueOf(String.class),
-						TypeDescriptor.valueOf(UUID.class), null, null);
+						TypeDescriptor.valueOf(UUID.class), identifierAsString, new NullPointerException());
 
 			}
 			return UUID.fromString(identifierAsString);

acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java

@@ -31,6 +31,8 @@ import java.util.Set;
 
 import javax.sql.DataSource;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.convert.ConversionException;
 import org.springframework.core.convert.ConversionService;
 import org.springframework.jdbc.core.JdbcTemplate;
@@ -224,7 +226,8 @@ public class BasicLookupStrategy implements LookupStrategy {
 	 * @param findNow Long-based primary keys to retrieve
 	 * @param sids
 	 */
-	private void lookupPrimaryKeys(final Map<Serializable, Acl> acls, final Set<Long> findNow, final List<Sid> sids) {
+	private void lookupPrimaryKeys(final Map<Serializable, Acl> acls, final Set<Long> findNow,
+			final @Nullable List<Sid> sids) {
 		Assert.notNull(acls, "ACLs are required");
 		Assert.notEmpty(findNow, "Items to find now required");
 		String sql = computeRepeatingSql(this.lookupPrimaryKeysWhereClause, findNow.size());
@@ -264,7 +267,7 @@ public class BasicLookupStrategy implements LookupStrategy {
 	 * automatically create entries if required)
 	 */
 	@Override
-	public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) {
+	public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids) {
 		Assert.isTrue(this.batchSize >= 1, "BatchSize must be >= 1");
 		Assert.notEmpty(objects, "Objects to lookup required");
 		// Map<ObjectIdentity,Acl>
@@ -323,7 +326,7 @@ public class BasicLookupStrategy implements LookupStrategy {
 	 * properly-configured parent ACLs.
 	 */
 	private Map<ObjectIdentity, Acl> lookupObjectIdentities(final Collection<ObjectIdentity> objectIdentities,
-			List<Sid> sids) {
+			@Nullable List<Sid> sids) {
 		Assert.notEmpty(objectIdentities, "Must provide identities to lookup");
 
 		// contains Acls with StubAclParents
@@ -399,8 +402,10 @@ public class BasicLookupStrategy implements LookupStrategy {
 		}
 
 		// Now we have the parent (if there is one), create the true AclImpl
+		Sid owner = inputAcl.getOwner();
+		Assert.isTrue(owner != null, "Owner is required");
 		AclImpl result = new AclImpl(inputAcl.getObjectIdentity(), inputAcl.getId(), this.aclAuthorizationStrategy,
-				this.grantingStrategy, parent, null, inputAcl.isEntriesInheriting(), inputAcl.getOwner());
+				this.grantingStrategy, parent, null, inputAcl.isEntriesInheriting(), owner);
 
 		// Copy the "aces" from the input to the destination
 
@@ -506,9 +511,9 @@ public class BasicLookupStrategy implements LookupStrategy {
 
 		private final Map<Serializable, Acl> acls;
 
-		private final List<Sid> sids;
+		private final @Nullable List<Sid> sids;
 
-		ProcessResultSet(Map<Serializable, Acl> acls, List<Sid> sids) {
+		ProcessResultSet(Map<Serializable, Acl> acls, @Nullable List<Sid> sids) {
 			Assert.notNull(acls, "ACLs cannot be null");
 			this.acls = acls;
 			this.sids = sids; // can be null
@@ -579,6 +584,9 @@ public class BasicLookupStrategy implements LookupStrategy {
 				// target id type, e.g. UUID.
 				Serializable identifier = (Serializable) rs.getObject("object_id_identity");
 				identifier = BasicLookupStrategy.this.aclClassIdUtils.identifierFrom(identifier, rs);
+				if (identifier == null) {
+					throw new IllegalStateException("Identifier cannot be null");
+				}
 				ObjectIdentity objectIdentity = BasicLookupStrategy.this.objectIdentityGenerator
 					.createObjectIdentity(identifier, rs.getString("class"));
 
@@ -670,7 +678,7 @@ public class BasicLookupStrategy implements LookupStrategy {
 		}
 
 		@Override
-		public boolean isSidLoaded(List<Sid> sids) {
+		public boolean isSidLoaded(@Nullable List<Sid> sids) {
 			throw new UnsupportedOperationException("Stub only");
 		}
 

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java

@@ -27,6 +27,7 @@ import javax.sql.DataSource;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.convert.ConversionService;
 import org.springframework.jdbc.core.JdbcOperations;
@@ -98,7 +99,7 @@ public class JdbcAclService implements AclService {
 	}
 
 	@Override
-	public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
+	public @Nullable List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
 		Object[] args = { parentIdentity.getIdentifier().toString(), parentIdentity.getType() };
 		List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql,
 				(rs, rowNum) -> mapObjectIdentityRow(rs), args);
@@ -109,11 +110,14 @@ public class JdbcAclService implements AclService {
 		String javaType = rs.getString("class");
 		Serializable identifier = (Serializable) rs.getObject("obj_id");
 		identifier = this.aclClassIdUtils.identifierFrom(identifier, rs);
+		if (identifier == null) {
+			throw new IllegalStateException("Identifier cannot be null");
+		}
 		return this.objectIdentityGenerator.createObjectIdentity(identifier, javaType);
 	}
 
 	@Override
-	public Acl readAclById(ObjectIdentity object, List<Sid> sids) throws NotFoundException {
+	public Acl readAclById(ObjectIdentity object, @Nullable List<Sid> sids) throws NotFoundException {
 		Map<ObjectIdentity, Acl> map = readAclsById(Collections.singletonList(object), sids);
 		Assert.isTrue(map.containsKey(object),
 				() -> "There should have been an Acl entry for ObjectIdentity " + object);
@@ -131,7 +135,7 @@ public class JdbcAclService implements AclService {
 	}
 
 	@Override
-	public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids)
+	public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids)
 			throws NotFoundException {
 		Map<ObjectIdentity, Acl> result = this.lookupStrategy.readAclsById(objects, sids);
 		// Check every requested object identity was found (throw NotFoundException if

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java

@@ -22,6 +22,8 @@ import java.util.List;
 
 import javax.sql.DataSource;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.dao.DataAccessException;
 import org.springframework.jdbc.core.BatchPreparedStatementSetter;
 import org.springframework.security.acls.domain.AccessControlEntryImpl;
@@ -120,6 +122,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 		// Need to retrieve the current principal, in order to know who "owns" this ACL
 		// (can be changed later on)
 		Authentication auth = this.securityContextHolderStrategy.getContext().getAuthentication();
+		Assert.isTrue(auth != null, "Authentication required");
 		PrincipalSid sid = new PrincipalSid(auth);
 
 		// Create the acl_object_identity row
@@ -155,9 +158,12 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 				Assert.isTrue(entry_ instanceof AccessControlEntryImpl, "Unknown ACE class");
 				AccessControlEntryImpl entry = (AccessControlEntryImpl) entry_;
 
+				Assert.state(acl.getId() != null, "ACL ID cannot be null");
 				stmt.setLong(1, (Long) acl.getId());
 				stmt.setInt(2, i);
-				stmt.setLong(3, createOrRetrieveSidPrimaryKey(entry.getSid(), true));
+				Long sidPrimaryKey = createOrRetrieveSidPrimaryKey(entry.getSid(), true);
+				Assert.state(sidPrimaryKey != null, "SID primary key cannot be null");
+				stmt.setLong(3, sidPrimaryKey);
 				stmt.setInt(4, entry.getPermission().getMask());
 				stmt.setBoolean(5, entry.isGranting());
 				stmt.setBoolean(6, entry.isAuditSuccess());
@@ -189,11 +195,14 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @param allowCreate true if creation is permitted if not found
 	 * @return the primary key or null if not found
 	 */
-	protected Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
-		List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, Long.class, type);
+	protected @Nullable Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
+		List<@Nullable Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, Long.class, type);
 
 		if (!classIds.isEmpty()) {
-			return classIds.get(0);
+			Long result = classIds.get(0);
+			if (result != null) {
+				return result;
+			}
 		}
 
 		if (allowCreate) {
@@ -204,7 +213,9 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 				this.jdbcOperations.update(this.insertClass, type, idType.getCanonicalName());
 			}
 			Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
-			return this.jdbcOperations.queryForObject(this.classIdentityQuery, Long.class);
+			Long result = this.jdbcOperations.queryForObject(this.classIdentityQuery, Long.class);
+			Assert.state(result != null, "Failed to retrieve class primary key");
+			return result;
 		}
 
 		return null;
@@ -219,7 +230,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @throws IllegalArgumentException if the <tt>Sid</tt> is not a recognized
 	 * implementation.
 	 */
-	protected Long createOrRetrieveSidPrimaryKey(Sid sid, boolean allowCreate) {
+	protected @Nullable Long createOrRetrieveSidPrimaryKey(Sid sid, boolean allowCreate) {
 		Assert.notNull(sid, "Sid required");
 		if (sid instanceof PrincipalSid) {
 			String sidName = ((PrincipalSid) sid).getPrincipal();
@@ -240,16 +251,22 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @param allowCreate true if creation is permitted if not found
 	 * @return the primary key or null if not found
 	 */
-	protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal, boolean allowCreate) {
-		List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey, Long.class, sidIsPrincipal,
-				sidName);
+	protected @Nullable Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal,
+			boolean allowCreate) {
+		List<@Nullable Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey, Long.class,
+				sidIsPrincipal, sidName);
 		if (!sidIds.isEmpty()) {
-			return sidIds.get(0);
+			Long result = sidIds.get(0);
+			if (result != null) {
+				return result;
+			}
 		}
 		if (allowCreate) {
 			this.jdbcOperations.update(this.insertSid, sidIsPrincipal, sidName);
 			Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
-			return this.jdbcOperations.queryForObject(this.sidIdentityQuery, Long.class);
+			Long result = this.jdbcOperations.queryForObject(this.sidIdentityQuery, Long.class);
+			Assert.state(result != null, "Failed to retrieve sid primary key");
+			return result;
 		}
 		return null;
 	}
@@ -279,6 +296,9 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 		}
 
 		Long oidPrimaryKey = retrieveObjectIdentityPrimaryKey(objectIdentity);
+		if (oidPrimaryKey == null) {
+			throw new NotFoundException("Object identity not found: " + objectIdentity);
+		}
 
 		// Delete this ACL's ACEs in the acl_entry table
 		deleteEntries(oidPrimaryKey);
@@ -319,10 +339,11 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 	 * @param oid to find
 	 * @return the object identity or null if not found
 	 */
-	protected Long retrieveObjectIdentityPrimaryKey(ObjectIdentity oid) {
+	protected @Nullable Long retrieveObjectIdentityPrimaryKey(ObjectIdentity oid) {
 		try {
-			return this.jdbcOperations.queryForObject(this.selectObjectIdentityPrimaryKey, Long.class, oid.getType(),
-					oid.getIdentifier().toString());
+			Long result = this.jdbcOperations.queryForObject(this.selectObjectIdentityPrimaryKey, Long.class,
+					oid.getType(), oid.getIdentifier().toString());
+			return result;
 		}
 		catch (DataAccessException notFound) {
 			return null;
@@ -340,7 +361,11 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
 		Assert.notNull(acl.getId(), "Object Identity doesn't provide an identifier");
 
 		// Delete this ACL's ACEs in the acl_entry table
-		deleteEntries(retrieveObjectIdentityPrimaryKey(acl.getObjectIdentity()));
+		Long oidPrimaryKey = retrieveObjectIdentityPrimaryKey(acl.getObjectIdentity());
+		if (oidPrimaryKey == null) {
+			throw new NotFoundException("Object identity not found for ACL: " + acl.getObjectIdentity());
+		}
+		deleteEntries(oidPrimaryKey);
 
 		// Create this ACL's ACEs in the acl_entry table
 		createEntries(acl);

acl/src/main/java/org/springframework/security/acls/jdbc/LookupStrategy.java

@@ -19,6 +19,8 @@ package org.springframework.security.acls.jdbc;
 import java.util.List;
 import java.util.Map;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.NotFoundException;
 import org.springframework.security.acls.model.ObjectIdentity;
@@ -42,6 +44,6 @@ public interface LookupStrategy {
 	 * {@link NotFoundException}, as a chain of {@link LookupStrategy}s may be used to
 	 * automatically create entries if required)
 	 */
-	Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids);
+	Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, @Nullable List<Sid> sids);
 
 }

acl/src/main/java/org/springframework/security/acls/jdbc/package-info.java

@@ -17,4 +17,7 @@
 /**
  * JDBC-based persistence of ACL information
  */
+@NullMarked
 package org.springframework.security.acls.jdbc;
+
+import org.jspecify.annotations.NullMarked;

acl/src/main/java/org/springframework/security/acls/model/AccessControlEntry.java

@@ -18,6 +18,8 @@ package org.springframework.security.acls.model;
 
 import java.io.Serializable;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * Represents an individual permission assignment within an {@link Acl}.
  *
@@ -36,7 +38,7 @@ public interface AccessControlEntry extends Serializable {
 	 * Obtains an identifier that represents this ACE.
 	 * @return the identifier, or <code>null</code> if unsaved
 	 */
-	Serializable getId();
+	@Nullable Serializable getId();
 
 	Permission getPermission();