.github/dependabot.yml

@@ -3,37 +3,7 @@ registries:
   spring-milestones:
     type: maven-repository
     url: https://repo.spring.io/milestone
-  shibboleth:
-    type: maven-repository
-    url: https://build.shibboleth.net/maven/releases
 updates:
-  - package-ecosystem: gradle
-    target-branch: 6.5.x
-    directory: /
-    schedule:
-      interval: daily
-      time: '03:00'
-      timezone: Etc/UTC
-    labels:
-      - 'type: dependency-upgrade'
-    registries:
-      - spring-milestones
-      - shibboleth
-    ignore:
-      - dependency-name: com.nimbusds:nimbus-jose-jwt
-      - dependency-name: org.python:jython
-      - dependency-name: org.apache.directory.server:*
-      - dependency-name: org.apache.directory.shared:*
-      - dependency-name: org.junit:junit-bom
-        update-types:
-          - version-update:semver-major
-      - dependency-name: org.mockito:mockito-bom
-        update-types:
-          - version-update:semver-major
-      - dependency-name: '*'
-        update-types:
-          - version-update:semver-major
-          - version-update:semver-minor
   - package-ecosystem: gradle
     target-branch: 6.4.x
     directory: /
@@ -45,7 +15,6 @@ updates:
       - 'type: dependency-upgrade'
     registries:
       - spring-milestones
-      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
@@ -61,7 +30,32 @@ updates:
         update-types:
           - version-update:semver-major
           - version-update:semver-minor
-
+  - package-ecosystem: gradle
+    target-branch: 6.3.x
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - spring-milestones
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
   - package-ecosystem: gradle
     target-branch: main
     directory: /
@@ -73,7 +67,6 @@ updates:
       - 'type: dependency-upgrade'
     registries:
       - spring-milestones
-      - shibboleth
     ignore:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
@@ -94,6 +87,25 @@ updates:
           - version-update:semver-major
           - version-update:semver-minor
 
+  - package-ecosystem: github-actions
+    target-branch: 6.3.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'
+    ignore:
+      - dependency-name: sjohnr/*
+  - package-ecosystem: github-actions
+    target-branch: docs-build
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'
+
   - package-ecosystem: npm
     target-branch: docs-build
     directory: /
@@ -111,3 +123,11 @@ updates:
     labels:
       - 'type: task'
       - 'in: build'
+  - package-ecosystem: npm
+    target-branch: 6.3.x
+    directory: /docs
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'

.github/workflows/check-snapshots.yml

@@ -1,38 +0,0 @@
-name: CI
-
-on:
-  schedule:
-    - cron: '0 10 * * *' # Once per day at 10am UTC
-  workflow_dispatch: # Manual trigger
-
-env:
-  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
-
-permissions:
-  contents: read
-
-jobs:
-  snapshot-test:
-    name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
-    strategy:
-      matrix:
-        include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
-    with:
-      java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
-    secrets: inherit
-  send-notification:
-    name: Send Notification
-    needs: [ snapshot-test ]
-    if: ${{ !success() }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Send Notification
-        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
-        with:
-          webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -27,29 +27,72 @@ jobs:
       java-version: ${{ matrix.jdk }}
       distribution: temurin
     secrets: inherit
+  test:
+    name: Test Against Snapshots
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    strategy:
+      matrix:
+        include:
+          - java-version: 21-ea
+            toolchain: 21
+          - java-version: 17
+            toolchain: 17
+    with:
+      java-version: ${{ matrix.java-version }}
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=6.2.+ -PreactorVersion=2023.0.+ -PspringDataVersion=2024.0.+ --stacktrace
+    secrets: inherit
+  check-samples:
+    name: Check Samples
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'spring-projects' }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up gradle
+        uses: spring-io/spring-gradle-build-action@v2
+        with:
+          java-version: 17
+          distribution: temurin
+      - name: Check samples project
+        env:
+          LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
+          SAMPLES_DIR: ../spring-security-samples
+        run: |
+          # Extract version from gradle.properties
+          version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
+          # Extract samplesBranch from gradle.properties
+          samples_branch=$(cat gradle.properties | grep "samplesBranch=" | awk -F'=' '{print $2}')
+          ./gradlew publishMavenJavaPublicationToLocalRepository
+          ./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$samples_branch" -PcloneOutputDirectory="$SAMPLES_DIR"
+          ./gradlew --refresh-dependencies --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$version" test integrationTest
   deploy-artifacts:
     name: Deploy Artifacts
-    needs: [ build]
+    needs: [ build, test, check-samples ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
-      default-publish-milestones-central: true
+    secrets: inherit
+  deploy-docs:
+    name: Deploy Docs
+    needs: [ build, test, check-samples ]
+    uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
+    with:
+      should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
-    needs: [ build ]
+    needs: [ build, test, check-samples ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   perform-release:
     name: Perform Release
-    needs: [ deploy-artifacts, deploy-schema ]
+    needs: [ deploy-artifacts, deploy-docs, deploy-schema ]
     uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
     with:
       should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
       project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
-      milestone-repo-url: https://repo1.maven.org/maven2
+      milestone-repo-url: https://repo.spring.io/artifactory/milestone
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing

.github/workflows/finalize-release.yml

@@ -1,27 +0,0 @@
-name: Finalize Release
-
-on:
-  workflow_dispatch: # Manual trigger
-    inputs:
-      version:
-        description: The Spring Security release to finalize (e.g. 7.0.0-RC2)
-        required: true
-
-env:
-  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
-
-permissions:
-  contents: read
-
-jobs:
-  perform-release:
-    name: Perform Release
-    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
-    with:
-      should-perform-release: true
-      project-version: ${{ inputs.version }}
-      milestone-repo-url: https://repo1.maven.org/maven2
-      release-repo-url: https://repo1.maven.org/maven2
-      artifact-path: org/springframework/security/spring-security-core
-      slack-announcing-id: spring-security-announcing
-    secrets: inherit

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.5.x, 6.4.x, 6.3.x ]
+        branch: [ main, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

.gitignore

@@ -25,7 +25,6 @@ atlassian-ide-plugin.xml
 s101plugin.state
 .attach_pid*
 .~lock.*#
-.kotlin/
 
 !.idea/checkstyle-idea.xml
 !.idea/externalDependencies.xml

CONTRIBUTING.adoc

@@ -79,9 +79,6 @@ See https://github.com/spring-projects/spring-security/tree/main#building-from-s
 
 The wiki pages https://github.com/spring-projects/spring-framework/wiki/Code-Style[Code Style] and https://github.com/spring-projects/spring-framework/wiki/IntelliJ-IDEA-Editor-Settings[IntelliJ IDEA Editor Settings] define the source file coding standards we use along with some IDEA editor settings we customize.
 
-Additionally, since Streams are https://github.com/spring-projects/spring-security/issues/7154[much slower] than `for` loops, please use them judiciously.
-The team may ask you to change to a `for` loop if the given code is along a hot path.
-
 To format the code as well as check the style, run `./gradlew format && ./gradlew check`.
 
 [[submit-a-pull-request]]

access/spring-security-access.gradle

@@ -1,49 +0,0 @@
-apply plugin: 'io.spring.convention.spring-module'
-
-dependencies {
-	management platform(project(":spring-security-dependencies"))
-	api project(':spring-security-crypto')
-	api project(':spring-security-core')
-	api 'org.springframework:spring-aop'
-	api 'org.springframework:spring-beans'
-	api 'org.springframework:spring-context'
-	api 'org.springframework:spring-core'
-	api 'org.springframework:spring-expression'
-	api 'io.micrometer:micrometer-observation'
-
-	optional project(':spring-security-acl')
-	optional project(':spring-security-messaging')
-	optional project(':spring-security-web')
-	optional 'org.springframework:spring-websocket'
-	optional 'com.fasterxml.jackson.core:jackson-databind'
-	optional 'io.micrometer:context-propagation'
-	optional 'io.projectreactor:reactor-core'
-	optional 'jakarta.annotation:jakarta.annotation-api'
-	optional 'org.aspectj:aspectjrt'
-	optional 'org.springframework:spring-jdbc'
-	optional 'org.springframework:spring-tx'
-	optional 'org.jetbrains.kotlinx:kotlinx-coroutines-reactor'
-
-	provided 'jakarta.servlet:jakarta.servlet-api'
-
-	testImplementation project(path : ':spring-security-web', configuration : 'tests')
-	testImplementation 'commons-collections:commons-collections'
-	testImplementation 'io.projectreactor:reactor-test'
-	testImplementation "org.assertj:assertj-core"
-	testImplementation "org.junit.jupiter:junit-jupiter-api"
-	testImplementation "org.junit.jupiter:junit-jupiter-params"
-	testImplementation "org.junit.jupiter:junit-jupiter-engine"
-	testImplementation "org.mockito:mockito-core"
-	testImplementation "org.mockito:mockito-junit-jupiter"
-	testImplementation "org.springframework:spring-core-test"
-	testImplementation "org.springframework:spring-test"
-	testImplementation 'org.skyscreamer:jsonassert'
-	testImplementation 'org.springframework:spring-test'
-	testImplementation 'org.jetbrains.kotlin:kotlin-reflect'
-	testImplementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
-	testImplementation 'io.mockk:mockk'
-
-	testRuntimeOnly 'org.hsqldb:hsqldb'
-	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
-}
-

access/src/test/java/org/springframework/security/access/ITargetObject.java

@@ -1,36 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.access;
-
-/**
- * Represents the interface of a secured object.
- *
- * @author Ben Alex
- */
-public interface ITargetObject {
-
-	Integer computeHashCode(String input);
-
-	int countLength(String input);
-
-	String makeLowerCase(String input);
-
-	String makeUpperCase(String input);
-
-	String publicMakeLowerCase(String input);
-
-}

access/src/test/java/org/springframework/security/access/OtherTargetObject.java

@@ -1,53 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.access;
-
-/**
- * Simply extends {@link TargetObject} so we have a different object to put configuration
- * attributes against.
- * <P>
- * There is no different behaviour. We have to define each method so that
- * <code>Class.getMethod(methodName, args)</code> returns a <code>Method</code>
- * referencing this class rather than the parent class.
- * </p>
- * <P>
- * We need to implement <code>ITargetObject</code> again because the
- * <code>MethodDefinitionAttributes</code> only locates attributes on interfaces
- * explicitly defined by the intercepted class (not the interfaces defined by its parent
- * class or classes).
- * </p>
- *
- * @author Ben Alex
- */
-public class OtherTargetObject extends TargetObject implements ITargetObject {
-
-	@Override
-	public String makeLowerCase(String input) {
-		return super.makeLowerCase(input);
-	}
-
-	@Override
-	public String makeUpperCase(String input) {
-		return super.makeUpperCase(input);
-	}
-
-	@Override
-	public String publicMakeLowerCase(String input) {
-		return super.publicMakeLowerCase(input);
-	}
-
-}

access/src/test/java/org/springframework/security/access/TargetObject.java

@@ -1,81 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.access;
-
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-
-/**
- * Represents a secured object.
- *
- * @author Ben Alex
- */
-public class TargetObject implements ITargetObject {
-
-	@Override
-	public Integer computeHashCode(String input) {
-		return input.hashCode();
-	}
-
-	@Override
-	public int countLength(String input) {
-		return input.length();
-	}
-
-	/**
-	 * Returns the lowercase string, followed by security environment information.
-	 * @param input the message to make lowercase
-	 * @return the lowercase message, a space, the <code>Authentication</code> class that
-	 * was on the <code>SecurityContext</code> at the time of method invocation, and a
-	 * boolean indicating if the <code>Authentication</code> object is authenticated or
-	 * not
-	 */
-	@Override
-	public String makeLowerCase(String input) {
-		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-		if (auth == null) {
-			return input.toLowerCase() + " Authentication empty";
-		}
-		else {
-			return input.toLowerCase() + " " + auth.getClass().getName() + " " + auth.isAuthenticated();
-		}
-	}
-
-	/**
-	 * Returns the uppercase string, followed by security environment information.
-	 * @param input the message to make uppercase
-	 * @return the uppercase message, a space, the <code>Authentication</code> class that
-	 * was on the <code>SecurityContext</code> at the time of method invocation, and a
-	 * boolean indicating if the <code>Authentication</code> object is authenticated or
-	 * not
-	 */
-	@Override
-	public String makeUpperCase(String input) {
-		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-		return input.toUpperCase() + " " + auth.getClass().getName() + " " + auth.isAuthenticated();
-	}
-
-	/**
-	 * Delegates through to the {@link #makeLowerCase(String)} method.
-	 * @param input the message to be made lower-case
-	 */
-	@Override
-	public String publicMakeLowerCase(String input) {
-		return this.makeLowerCase(input);
-	}
-
-}

acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java

@@ -71,7 +71,7 @@ import org.springframework.util.StringUtils;
  * <tt>AclEntryVoter</tt>:
  * <ul>
  * <li>Process domain object class <code>BankAccount</code>, configuration attribute
- * <code>VOTE_ACL_BANK_ACCOUNT_READ</code>, require permission
+ * <code>VOTE_ACL_BANK_ACCONT_READ</code>, require permission
  * <code>BasePermission.READ</code></li>
  * <li>Process domain object class <code>BankAccount</code>, configuration attribute
  * <code>VOTE_ACL_BANK_ACCOUNT_WRITE</code>, require permission list

acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java

@@ -65,11 +65,10 @@ import org.springframework.util.Assert;
  * NB: This implementation does attempt to provide reasonably optimised lookups - within
  * the constraints of a normalised database and standard ANSI SQL features. If you are
  * willing to sacrifice either of these constraints (e.g. use a particular database
- * feature such as hierarchical queries or materialized views, or reduce normalisation)
- * you are likely to achieve better performance. In such situations you will need to
- * provide your own custom <code>LookupStrategy</code>. This class does not support
- * subclassing, as it is likely to change in future releases and therefore subclassing is
- * unsupported.
+ * feature such as hierarchical queries or materalized views, or reduce normalisation) you
+ * are likely to achieve better performance. In such situations you will need to provide
+ * your own custom <code>LookupStrategy</code>. This class does not support subclassing,
+ * as it is likely to change in future releases and therefore subclassing is unsupported.
  * <p>
  * There are two SQL queries executed, one in the <tt>lookupPrimaryKeys</tt> method and
  * one in <tt>lookupObjectIdentities</tt>. These are built from the same select and "order

aspects/spring-security-aspects.gradle

@@ -18,8 +18,6 @@ dependencies {
 	api 'org.springframework:spring-context'
 	api 'org.springframework:spring-core'
 
-	optional project(':spring-security-access')
-
 	testImplementation 'org.springframework:spring-aop'
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"

build.gradle

@@ -42,7 +42,7 @@ springRelease {
 	weekOfMonth = 3
 	dayOfWeek = 1
 	referenceDocUrl = "https://docs.spring.io/spring-security/reference/{version}/index.html"
-	apiDocUrl = "https://docs.spring.io/spring-security/reference/{version}/api/java/index.html"
+	apiDocUrl = "https://docs.spring.io/spring-security/site/docs/{version}/api/"
 	replaceSnapshotVersionInReferenceDocUrl = true
 }
 

buildSrc/build.gradle

@@ -1,6 +1,5 @@
 plugins {
 	id "java-gradle-plugin"
-	id "groovy-gradle-plugin"
 	id "java"
 	id "groovy"
 }
@@ -12,7 +11,7 @@ java {
 repositories {
 	gradlePluginPortal()
 	mavenCentral()
-	maven { url 'https://repo.spring.io/snapshot' }
+	maven { url 'https://repo.spring.io/milestone' }
 }
 
 sourceSets {
@@ -64,7 +63,6 @@ configurations {
 dependencies {
 	implementation platform(libs.io.projectreactor.reactor.bom)
 
-	implementation libs.spring.nullability
 	implementation libs.com.google.code.gson.gson
 	implementation libs.com.thaiopensource.trag
 	implementation libs.net.sourceforge.saxon.saxon
@@ -78,7 +76,6 @@ dependencies {
 	implementation libs.com.github.spullara.mustache.java.compiler
 	implementation libs.io.spring.javaformat.spring.javaformat.gradle.plugin
 	implementation libs.io.spring.nohttp.nohttp.gradle
-	implementation libs.org.jetbrains.kotlin.kotlin.gradle.plugin
 	implementation (libs.net.sourceforge.htmlunit) {
 		exclude group: 'org.eclipse.jetty.websocket', module: 'websocket-client'
 	}

buildSrc/src/main/groovy/io/spring/gradle/convention/DeployDocsPlugin.groovy

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.spring.gradle.convention
+
+import org.gradle.api.plugins.JavaPlugin
+import org.gradle.api.tasks.bundling.Zip
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+
+public class DeployDocsPlugin implements Plugin<Project> {
+
+	@Override
+	public void apply(Project project) {
+		project.getPluginManager().apply('org.hidetake.ssh')
+
+		project.ssh.settings {
+			knownHosts = allowAnyHosts
+		}
+		project.remotes {
+			docs {
+				role 'docs'
+				if (project.hasProperty('deployDocsHost')) {
+					host = project.findProperty('deployDocsHost')
+				} else {
+					host = 'docs.af.pivotal.io'
+				}
+				retryCount = 5 // retry 5 times (default is 0)
+				retryWaitSec = 10 // wait 10 seconds between retries (default is 0)
+				user = project.findProperty('deployDocsSshUsername')
+				if (project.hasProperty('deployDocsSshKeyPath')) {
+					identity = project.file(project.findProperty('deployDocsSshKeyPath'))
+				} else if (project.hasProperty('deployDocsSshKey')) {
+					identity = project.findProperty('deployDocsSshKey')
+				}
+				if(project.hasProperty('deployDocsSshPassphrase')) {
+					passphrase = project.findProperty('deployDocsSshPassphrase')
+				}
+			}
+		}
+
+		project.task('deployDocs') {
+			dependsOn 'docsZip'
+			doFirst {
+				project.ssh.run {
+					session(project.remotes.docs) {
+						def now = System.currentTimeMillis()
+						def name = project.rootProject.name
+						def version = project.rootProject.version
+						def tempPath = "/tmp/${name}-${now}-docs/".replaceAll(' ', '_')
+						execute "mkdir -p $tempPath"
+
+						project.tasks.docsZip.outputs.each { o ->
+							put from: o.files, into: tempPath
+						}
+
+						execute "unzip $tempPath*.zip -d $tempPath"
+
+						def extractPath = "/var/www/domains/spring.io/docs/htdocs/autorepo/docs/${name}/${version}/"
+
+						execute "rm -rf $extractPath"
+						execute "mkdir -p $extractPath"
+						execute "mv $tempPath/docs/* $extractPath"
+						execute "chmod -R g+w $extractPath"
+					}
+				}
+			}
+		}
+	}
+}

buildSrc/src/main/groovy/io/spring/gradle/convention/DocsPlugin.groovy

@@ -17,6 +17,7 @@ public class DocsPlugin implements Plugin<Project> {
 
 		PluginManager pluginManager = project.getPluginManager();
 		pluginManager.apply(BasePlugin);
+		pluginManager.apply(DeployDocsPlugin);
 		pluginManager.apply(JavadocApiPlugin);
 
 		Task docsZip = project.tasks.create('docsZip', Zip) {

buildSrc/src/main/groovy/io/spring/gradle/convention/ManagementConfigurationPlugin.java

@@ -61,7 +61,7 @@ public class ManagementConfigurationPlugin implements Plugin<Project> {
 				PublishingExtension publishing = project.getExtensions().getByType(PublishingExtension.class);
 				publishing.getPublications().withType(MavenPublication.class, (mavenPublication -> {
 					mavenPublication.versionMapping((versions) ->
-							versions.allVariants((versionMapping) -> versionMapping.fromResolutionResult())
+							versions.allVariants(versionMapping -> versionMapping.fromResolutionResult())
 					);
 				}));
 			});

buildSrc/src/main/groovy/io/spring/gradle/convention/RepositoryConventionPlugin.groovy

@@ -80,11 +80,6 @@ class RepositoryConventionPlugin implements Plugin<Project> {
 				}
 				url = 'https://repo.spring.io/release/'
 			}
-			forceMavenRepositories.findAll { it.startsWith('https://') || it.startsWith('file://') }.each { mavenUrl ->
-				maven {
-					url mavenUrl
-				}
-			}
 		}
 	}
 

buildSrc/src/main/groovy/io/spring/gradle/convention/SchemaZipPlugin.groovy

@@ -32,13 +32,10 @@ public class SchemaZipPlugin implements Plugin<Project> {
 				for (def key : schemas.keySet()) {
 					def shortName = key.replaceAll(/http.*schema.(.*).spring-.*/, '$1')
 					assert shortName != key
-					def schemaResourceName = schemas.get(key)
 					File xsdFile = module.sourceSets.main.resources.find {
-						it.path.endsWith(schemaResourceName)
-					}
-					if (xsdFile == null) {
-						throw new IllegalStateException("Could not find schema file for resource name " + schemaResourceName + " in src/main/resources")
+						it.path.endsWith(schemas.get(key))
 					}
+					assert xsdFile != null
 					schemaZip.into (shortName) {
 						duplicatesStrategy 'exclude'
 						from xsdFile.path

buildSrc/src/main/groovy/security-kotlin.gradle

@@ -1,17 +0,0 @@
-import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
-
-plugins {
-    id 'kotlin'
-}
-
-project.plugins.withId("org.jetbrains.kotlin.jvm", (kotlinProject) -> {
-    project.tasks.withType(KotlinCompile).configureEach {
-        kotlinOptions {
-            languageVersion = '2.2'
-            apiVersion = '2.2'
-            freeCompilerArgs = ["-Xjsr305=strict", "-Xsuppress-version-warnings"]
-            jvmTarget = '17'
-
-        }
-    }
-})

buildSrc/src/main/groovy/security-nullability.gradle

@@ -1,3 +0,0 @@
-plugins {
-    id 'io.spring.nullability'
-}

buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java

@@ -81,6 +81,9 @@ public class CheckClasspathForProhibitedDependencies extends DefaultTask {
 		if (group.startsWith("javax")) {
 			return true;
 		}
+		if (group.equals("commons-logging")) {
+			return true;
+		}
 		if (group.equals("org.slf4j") && id.getName().equals("jcl-over-slf4j")) {
 			return true;
 		}

buildSrc/src/main/java/org/springframework/security/CheckExpectedBranchVersionPlugin.java

@@ -46,7 +46,7 @@ public class CheckExpectedBranchVersionPlugin implements Plugin<Project> {
 			task.setDescription("Check if the project version matches the branch version");
 			task.onlyIf("skipCheckExpectedBranchVersion property is false or not present", CheckExpectedBranchVersionPlugin::skipPropertyFalseOrNotPresent);
 			task.getVersion().convention(project.provider(() -> project.getVersion().toString()));
-			task.getBranchName().convention(project.getProviders().exec((execSpec) -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
+			task.getBranchName().convention(project.getProviders().exec(execSpec -> execSpec.setCommandLine("git", "symbolic-ref", "--short", "HEAD")).getStandardOutput().getAsText());
 			task.getOutputFile().convention(project.getLayout().getBuildDirectory().file("check-expected-branch-version"));
 		});
 		project.getTasks().named(JavaBasePlugin.CHECK_TASK_NAME, checkTask -> checkTask.dependsOn(checkExpectedBranchVersionTask));

buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java

@@ -83,8 +83,12 @@ public class VerifyDependenciesVersionsPlugin implements Plugin<Project> {
 			String transitiveNimbusJoseJwtVersion = TransitiveDependencyLookupUtils.lookupJwtVersion(oauth2OidcSdkVersion);
 			String expectedNimbusJoseJwtVersion = this.getExpectedNimbusJoseJwtVersion().get();
 			if (!transitiveNimbusJoseJwtVersion.equals(expectedNimbusJoseJwtVersion)) {
-				String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, but the project contains a different version of nimbus-jose-jwt [%s]. Please align the versions.", transitiveNimbusJoseJwtVersion, oauth2OidcSdkVersion, expectedNimbusJoseJwtVersion);
-				throw new VerificationException(message);
+				String transitiveNimbusJoseJwtMajorMinorVersion = transitiveNimbusJoseJwtVersion.substring(0, transitiveNimbusJoseJwtVersion.lastIndexOf("."));
+				String expectedNimbusJoseJwtMajorMinorVersion = expectedNimbusJoseJwtVersion.substring(0, expectedNimbusJoseJwtVersion.lastIndexOf("."));
+				if (!transitiveNimbusJoseJwtMajorMinorVersion.equals(expectedNimbusJoseJwtMajorMinorVersion)) {
+					String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, but the project contains a different version of nimbus-jose-jwt [%s]. Please align the major/minor versions.", transitiveNimbusJoseJwtVersion, oauth2OidcSdkVersion, expectedNimbusJoseJwtVersion);
+					throw new VerificationException(message);
+				}
 			}
 			String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, the project contains expected version of nimbus-jose-jwt [%s]. Verified all versions align.", transitiveNimbusJoseJwtVersion, oauth2OidcSdkVersion, expectedNimbusJoseJwtVersion);
 			try {

buildSrc/src/test/java/io/spring/gradle/TestKit.java

@@ -17,6 +17,8 @@ package io.spring.gradle;
 
 import org.apache.commons.io.FileUtils;
 import org.gradle.testkit.runner.GradleRunner;
+import org.junit.runner.Description;
+import org.junit.runners.model.Statement;
 
 import java.io.File;
 import java.io.IOException;

buildSrc/src/test/java/io/spring/gradle/convention/IntegrationPluginTest.java

@@ -23,6 +23,8 @@ import org.gradle.testfixtures.ProjectBuilder;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
+import java.io.File;
+
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**

buildSrc/src/test/java/io/spring/gradle/convention/JavadocApiPluginITest.java

@@ -5,6 +5,7 @@ import org.apache.commons.io.FileUtils;
 import org.gradle.testkit.runner.BuildResult;
 import org.gradle.testkit.runner.TaskOutcome;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 

buildSrc/src/test/resources/samples/showcase/Jenkinsfile

@@ -30,6 +30,16 @@ ossrh: {
 		}
 	}
 },
+docs: {
+	stage('Deploy Docs') {
+		node {
+			checkout scm
+			withCredentials([file(credentialsId: 'docs.spring.io-jenkins_private_ssh_key', variable: 'DEPLOY_SSH_KEY')]) {
+				sh "./gradlew deployDocs -PdeployDocsSshKeyPath=$DEPLOY_SSH_KEY -PdeployDocsSshUsername=$SPRING_DOCS_USERNAME --refresh-dependencies --no-daemon --stacktrace"
+			}
+		}
+	}
+},
 schema: {
 	stage('Deploy Schema') {
 		node {
@@ -39,4 +49,4 @@ schema: {
 			}
 		}
 	}
-}
+}

cas/spring-security-cas.gradle

@@ -1,7 +1,3 @@
-plugins {
-	id 'security-nullability'
-}
-
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {
@@ -15,11 +11,9 @@ dependencies {
 	api 'org.springframework:spring-web'
 
 	optional 'com.fasterxml.jackson.core:jackson-databind'
-	optional 'tools.jackson.core:jackson-databind'
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
-	testImplementation project(path : ':spring-security-web', configuration : 'tests')
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"
 	testImplementation "org.junit.jupiter:junit-jupiter-params"

cas/src/main/java/org/springframework/security/cas/ServiceProperties.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.cas;
 
-import org.jspecify.annotations.Nullable;
-
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.util.Assert;
 
@@ -36,7 +34,7 @@ public class ServiceProperties implements InitializingBean {
 
 	public static final String DEFAULT_CAS_SERVICE_PARAMETER = "service";
 
-	private @Nullable String service;
+	private String service;
 
 	private boolean authenticateAllArtifacts;
 
@@ -64,7 +62,7 @@ public class ServiceProperties implements InitializingBean {
 	 * </pre>
 	 * @return the URL of the service the user is authenticating to
 	 */
-	public final @Nullable String getService() {
+	public final String getService() {
 		return this.service;
 	}
 

cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java

@@ -21,6 +21,7 @@ import java.util.ArrayList;
 import org.apereo.cas.client.validation.Assertion;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 
 /**
  * Temporary authentication object needed to load the user details service.
@@ -30,7 +31,7 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
  */
 public final class CasAssertionAuthenticationToken extends AbstractAuthenticationToken {
 
-	private static final long serialVersionUID = 620L;
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
 	private final Assertion assertion;
 

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java

@@ -16,16 +16,11 @@
 
 package org.springframework.security.cas.authentication;
 
-import java.util.ArrayList;
-import java.util.Collection;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apereo.cas.client.validation.Assertion;
 import org.apereo.cas.client.validation.TicketValidationException;
 import org.apereo.cas.client.validation.TicketValidator;
-import org.jspecify.annotations.NullUnmarked;
-import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.MessageSource;
@@ -38,9 +33,7 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
-import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
@@ -69,9 +62,6 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 
 	private static final Log logger = LogFactory.getLog(CasAuthenticationProvider.class);
 
-	private static final String AUTHORITY = FactorGrantedAuthority.CAS_AUTHORITY;
-
-	@SuppressWarnings("NullAway.Init")
 	private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;
 
 	private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
@@ -80,13 +70,11 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 
 	private StatelessTicketCache statelessTicketCache = new NullStatelessTicketCache();
 
-	@SuppressWarnings("NullAway.Init")
 	private String key;
 
-	@SuppressWarnings("NullAway.Init")
 	private TicketValidator ticketValidator;
 
-	private @Nullable ServiceProperties serviceProperties;
+	private ServiceProperties serviceProperties;
 
 	private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
 
@@ -101,7 +89,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 	}
 
 	@Override
-	public @Nullable Authentication authenticate(Authentication authentication) throws AuthenticationException {
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 		if (!supports(authentication.getClass())) {
 			return null;
 		}
@@ -141,17 +129,12 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 
 	private CasAuthenticationToken authenticateNow(final Authentication authentication) throws AuthenticationException {
 		try {
-			Object credentials = authentication.getCredentials();
-			if (credentials == null) {
-				throw new BadCredentialsException("Authentication.getCredentials() cannot be null");
-			}
-			Assertion assertion = this.ticketValidator.validate(credentials.toString(), getServiceUrl(authentication));
+			Assertion assertion = this.ticketValidator.validate(authentication.getCredentials().toString(),
+					getServiceUrl(authentication));
 			UserDetails userDetails = loadUserByAssertion(assertion);
 			this.userDetailsChecker.check(userDetails);
-			Collection<GrantedAuthority> authorities = new ArrayList<>(
-					this.authoritiesMapper.mapAuthorities(userDetails.getAuthorities()));
-			authorities.add(FactorGrantedAuthority.fromAuthority(AUTHORITY));
-			return new CasAuthenticationToken(this.key, userDetails, credentials, authorities, userDetails, assertion);
+			return new CasAuthenticationToken(this.key, userDetails, authentication.getCredentials(),
+					this.authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion);
 		}
 		catch (TicketValidationException ex) {
 			throw new BadCredentialsException(ex.getMessage(), ex);
@@ -166,8 +149,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 	 * @param authentication
 	 * @return
 	 */
-	@NullUnmarked
-	private @Nullable String getServiceUrl(Authentication authentication) {
+	private String getServiceUrl(Authentication authentication) {
 		String serviceUrl;
 		if (authentication.getDetails() instanceof ServiceAuthenticationDetails) {
 			return ((ServiceAuthenticationDetails) authentication.getDetails()).getServiceUrl();
@@ -233,7 +215,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 		return this.statelessTicketCache;
 	}
 
-	protected @Nullable TicketValidator getTicketValidator() {
+	protected TicketValidator getTicketValidator() {
 		return this.ticketValidator;
 	}
 

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -20,10 +20,10 @@ import java.io.Serializable;
 import java.util.Collection;
 
 import org.apereo.cas.client.validation.Assertion;
-import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
@@ -36,7 +36,7 @@ import org.springframework.util.ObjectUtils;
  */
 public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
 
-	private static final long serialVersionUID = 620L;
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
 	private final Object credentials;
 
@@ -105,19 +105,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
 		setAuthenticated(true);
 	}
 
-	protected CasAuthenticationToken(Builder<?> builder) {
-		super(builder);
-		Assert.isTrue(!"".equals(builder.principal), "principal cannot be null or empty");
-		Assert.notNull(!"".equals(builder.credentials), "credentials cannot be null or empty");
-		Assert.notNull(builder.userDetails, "userDetails cannot be null");
-		Assert.notNull(builder.assertion, "assertion cannot be null");
-		this.keyHash = builder.keyHash;
-		this.principal = builder.principal;
-		this.credentials = builder.credentials;
-		this.userDetails = builder.userDetails;
-		this.assertion = builder.assertion;
-	}
-
 	private static Integer extractKeyHash(String key) {
 		Assert.hasLength(key, "key cannot be null or empty");
 		return key.hashCode();
@@ -167,11 +154,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
 		return this.userDetails;
 	}
 
-	@Override
-	public Builder<?> toBuilder() {
-		return new Builder<>(this);
-	}
-
 	@Override
 	public String toString() {
 		StringBuilder sb = new StringBuilder();
@@ -181,81 +163,4 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
 		return (sb.toString());
 	}
 
-	/**
-	 * A builder of {@link CasAuthenticationToken} instances
-	 *
-	 * @since 7.0
-	 */
-	public static class Builder<B extends Builder<B>> extends AbstractAuthenticationBuilder<B> {
-
-		private Integer keyHash;
-
-		private Object principal;
-
-		private Object credentials;
-
-		private UserDetails userDetails;
-
-		private Assertion assertion;
-
-		protected Builder(CasAuthenticationToken token) {
-			super(token);
-			this.keyHash = token.keyHash;
-			this.principal = token.principal;
-			this.credentials = token.credentials;
-			this.userDetails = token.userDetails;
-			this.assertion = token.assertion;
-		}
-
-		/**
-		 * Use this key
-		 * @param key the key to use
-		 * @return the {@link Builder} for further configurations
-		 */
-		public B key(String key) {
-			this.keyHash = key.hashCode();
-			return (B) this;
-		}
-
-		@Override
-		public B principal(@Nullable Object principal) {
-			Assert.notNull(principal, "principal cannot be null");
-			this.principal = principal;
-			return (B) this;
-		}
-
-		@Override
-		public B credentials(@Nullable Object credentials) {
-			Assert.notNull(credentials, "credentials cannot be null");
-			this.credentials = credentials;
-			return (B) this;
-		}
-
-		/**
-		 * Use this {@link UserDetails}
-		 * @param userDetails the {@link UserDetails} to use
-		 * @return the {@link Builder} for further configurations
-		 */
-		public B userDetails(UserDetails userDetails) {
-			this.userDetails = userDetails;
-			return (B) this;
-		}
-
-		/**
-		 * Use this {@link Assertion}
-		 * @param assertion the {@link Assertion} to use
-		 * @return the {@link Builder} for further configurations
-		 */
-		public B assertion(Assertion assertion) {
-			this.assertion = assertion;
-			return (B) this;
-		}
-
-		@Override
-		public CasAuthenticationToken build() {
-			return new CasAuthenticationToken(this);
-		}
-
-	}
-
 }

cas/src/main/java/org/springframework/security/cas/authentication/CasServiceTicketAuthenticationToken.java

@@ -19,10 +19,9 @@ package org.springframework.security.cas.authentication;
 import java.io.Serial;
 import java.util.Collection;
 
-import org.jspecify.annotations.Nullable;
-
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.Assert;
 
 /**
@@ -39,11 +38,11 @@ public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationT
 	static final String CAS_STATEFUL_IDENTIFIER = "_cas_stateful_";
 
 	@Serial
-	private static final long serialVersionUID = 620L;
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
 	private final String identifier;
 
-	private @Nullable Object credentials;
+	private Object credentials;
 
 	/**
 	 * This constructor can be safely used by any code that wishes to create a
@@ -52,7 +51,7 @@ public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationT
 	 *
 	 */
 	public CasServiceTicketAuthenticationToken(String identifier, Object credentials) {
-		super((Collection<? extends GrantedAuthority>) null);
+		super(null);
 		this.identifier = identifier;
 		this.credentials = credentials;
 		setAuthenticated(false);
@@ -75,12 +74,6 @@ public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationT
 		super.setAuthenticated(true);
 	}
 
-	protected CasServiceTicketAuthenticationToken(Builder<?> builder) {
-		super(builder);
-		this.identifier = builder.principal;
-		this.credentials = builder.credentials;
-	}
-
 	public static CasServiceTicketAuthenticationToken stateful(Object credentials) {
 		return new CasServiceTicketAuthenticationToken(CAS_STATEFUL_IDENTIFIER, credentials);
 	}
@@ -94,7 +87,7 @@ public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationT
 	}
 
 	@Override
-	public @Nullable Object getCredentials() {
+	public Object getCredentials() {
 		return this.credentials;
 	}
 
@@ -116,46 +109,4 @@ public class CasServiceTicketAuthenticationToken extends AbstractAuthenticationT
 		this.credentials = null;
 	}
 
-	public Builder<?> toBuilder() {
-		return new Builder<>(this);
-	}
-
-	/**
-	 * A builder of {@link CasServiceTicketAuthenticationToken} instances
-	 *
-	 * @since 7.0
-	 */
-	public static class Builder<B extends Builder<B>> extends AbstractAuthenticationBuilder<B> {
-
-		private String principal;
-
-		private @Nullable Object credentials;
-
-		protected Builder(CasServiceTicketAuthenticationToken token) {
-			super(token);
-			this.principal = token.identifier;
-			this.credentials = token.credentials;
-		}
-
-		@Override
-		public B principal(@Nullable Object principal) {
-			Assert.isInstanceOf(String.class, principal, "principal must be of type String");
-			this.principal = (String) principal;
-			return (B) this;
-		}
-
-		@Override
-		public B credentials(@Nullable Object credentials) {
-			Assert.notNull(credentials, "credentials cannot be null");
-			this.credentials = credentials;
-			return (B) this;
-		}
-
-		@Override
-		public CasServiceTicketAuthenticationToken build() {
-			return new CasServiceTicketAuthenticationToken(this);
-		}
-
-	}
-
 }

cas/src/main/java/org/springframework/security/cas/authentication/NullStatelessTicketCache.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.cas.authentication;
 
-import org.jspecify.annotations.Nullable;
-
 /**
  * Implementation of @link {@link StatelessTicketCache} that has no backing cache. Useful
  * in instances where storing of tickets for stateless session management is not required.
@@ -35,7 +33,7 @@ public final class NullStatelessTicketCache implements StatelessTicketCache {
 	 * @return null since we are not storing any tickets.
 	 */
 	@Override
-	public @Nullable CasAuthenticationToken getByTicketId(final String serviceTicket) {
+	public CasAuthenticationToken getByTicketId(final String serviceTicket) {
 		return null;
 	}
 

cas/src/main/java/org/springframework/security/cas/authentication/SpringCacheBasedTicketCache.java

@@ -18,7 +18,6 @@ package org.springframework.security.cas.authentication;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.jspecify.annotations.Nullable;
 
 import org.springframework.cache.Cache;
 import org.springframework.core.log.LogMessage;
@@ -43,7 +42,7 @@ public class SpringCacheBasedTicketCache implements StatelessTicketCache {
 	}
 
 	@Override
-	public @Nullable CasAuthenticationToken getByTicketId(final String serviceTicket) {
+	public CasAuthenticationToken getByTicketId(final String serviceTicket) {
 		final Cache.ValueWrapper element = (serviceTicket != null) ? this.cache.get(serviceTicket) : null;
 		logger.debug(LogMessage.of(() -> "Cache hit: " + (element != null) + "; service ticket: " + serviceTicket));
 		return (element != null) ? (CasAuthenticationToken) element.get() : null;

cas/src/main/java/org/springframework/security/cas/authentication/StatelessTicketCache.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.cas.authentication;
 
-import org.jspecify.annotations.Nullable;
-
 /**
  * Caches CAS service tickets and CAS proxy tickets for stateless connections.
  *
@@ -71,7 +69,7 @@ public interface StatelessTicketCache {
 	 * </p>
 	 * @return the fully populated authentication token
 	 */
-	@Nullable CasAuthenticationToken getByTicketId(String serviceTicket);
+	CasAuthenticationToken getByTicketId(String serviceTicket);
 
 	/**
 	 * Adds the specified <code>CasAuthenticationToken</code> to the cache.

cas/src/main/java/org/springframework/security/cas/authentication/package-info.java

@@ -18,7 +18,4 @@
  * An {@code AuthenticationProvider} that can process CAS service tickets and proxy
  * tickets.
  */
-@NullMarked
 package org.springframework.security.cas.authentication;
-
-import org.jspecify.annotations.NullMarked;

cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java

@@ -1,60 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.cas.jackson;
-
-import java.util.Date;
-import java.util.Map;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonTypeInfo;
-import org.apereo.cas.client.authentication.AttributePrincipal;
-
-/**
- * Helps in jackson deserialization of class
- * {@link org.apereo.cas.client.validation.AssertionImpl}, which is used with
- * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}.
- *
- * @author Sebastien Deleuze
- * @author Jitendra Singh
- * @since 7.0
- * @see CasJacksonModule
- * @see org.springframework.security.jackson.SecurityJacksonModules
- */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
-@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
-		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
-class AssertionImplMixin {
-
-	/**
-	 * Mixin Constructor helps in deserialize
-	 * {@link org.apereo.cas.client.validation.AssertionImpl}
-	 * @param principal the Principal to associate with the Assertion.
-	 * @param validFromDate when the assertion is valid from.
-	 * @param validUntilDate when the assertion is valid to.
-	 * @param authenticationDate when the assertion is authenticated.
-	 * @param attributes the key/value pairs for this attribute.
-	 */
-	@JsonCreator
-	AssertionImplMixin(@JsonProperty("principal") AttributePrincipal principal,
-			@JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate,
-			@JsonProperty("authenticationDate") Date authenticationDate,
-			@JsonProperty("attributes") Map<String, Object> attributes) {
-	}
-
-}

cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java

@@ -1,59 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.cas.jackson;
-
-import java.util.Map;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonTypeInfo;
-import org.apereo.cas.client.proxy.ProxyRetriever;
-
-/**
- * Helps in deserialize
- * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} which is used with
- * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}.
- *
- * @author Sebastien Deleuze
- * @author Jitendra Singh
- * @since 7.0
- * @see CasJacksonModule
- * @see org.springframework.security.jackson.SecurityJacksonModules
- */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
-@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
-		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
-class AttributePrincipalImplMixin {
-
-	/**
-	 * Mixin Constructor helps in deserialize
-	 * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl}
-	 * @param name the unique identifier for the principal.
-	 * @param attributes the key/value pairs for this principal.
-	 * @param proxyGrantingTicket the ticket associated with this principal.
-	 * @param proxyRetriever the ProxyRetriever implementation to call back to the CAS
-	 * server.
-	 */
-	@JsonCreator
-	AttributePrincipalImplMixin(@JsonProperty("name") String name,
-			@JsonProperty("attributes") Map<String, Object> attributes,
-			@JsonProperty("proxyGrantingTicket") String proxyGrantingTicket,
-			@JsonProperty("proxyRetriever") ProxyRetriever proxyRetriever) {
-	}
-
-}

cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java

@@ -1,69 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.cas.jackson;
-
-import java.util.Collection;
-
-import com.fasterxml.jackson.annotation.JsonAutoDetect;
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonTypeInfo;
-import org.apereo.cas.client.validation.Assertion;
-
-import org.springframework.security.cas.authentication.CasAuthenticationProvider;
-import org.springframework.security.cas.authentication.CasAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.userdetails.UserDetails;
-
-/**
- * Mixin class which helps in deserialize {@link CasAuthenticationToken} using jackson.
- *
- * @author Sebastien Deleuze
- * @author Jitendra Singh
- * @since 7.0
- * @see CasJacksonModule
- * @see org.springframework.security.jackson.SecurityJacksonModules
- */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
-@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
-		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
-class CasAuthenticationTokenMixin {
-
-	/**
-	 * Mixin Constructor helps in deserialize {@link CasAuthenticationToken}
-	 * @param keyHash hashCode of provided key to identify if this object made by a given
-	 * {@link CasAuthenticationProvider}
-	 * @param principal typically the UserDetails object (cannot be <code>null</code>)
-	 * @param credentials the service/proxy ticket ID from CAS (cannot be
-	 * <code>null</code>)
-	 * @param authorities the authorities granted to the user (from the
-	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
-	 * be <code>null</code>)
-	 * @param userDetails the user details (from the
-	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
-	 * be <code>null</code>)
-	 * @param assertion the assertion returned from the CAS servers. It contains the
-	 * principal and how to obtain a proxy ticket for the user.
-	 */
-	@JsonCreator
-	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, @JsonProperty("principal") Object principal,
-			@JsonProperty("credentials") Object credentials,
-			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
-			@JsonProperty("userDetails") UserDetails userDetails, @JsonProperty("assertion") Assertion assertion) {
-	}
-
-}

cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java

@@ -1,71 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.cas.jackson;
-
-import org.apereo.cas.client.authentication.AttributePrincipalImpl;
-import org.apereo.cas.client.validation.AssertionImpl;
-import tools.jackson.core.Version;
-import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
-
-import org.springframework.security.cas.authentication.CasAuthenticationToken;
-import org.springframework.security.jackson.SecurityJacksonModule;
-import org.springframework.security.jackson.SecurityJacksonModules;
-
-/**
- * Jackson module for spring-security-cas. This module register
- * {@link AssertionImplMixin}, {@link AttributePrincipalImplMixin} and
- * {@link CasAuthenticationTokenMixin}. If no default typing enabled by default then it'll
- * enable it because typing info is needed to properly serialize/deserialize objects. In
- * order to use this module just add this module into your JsonMapper configuration.
- *
- * <p>
- * The recommended way to configure it is to use {@link SecurityJacksonModules} in order
- * to enable properly automatic inclusion of type information with related validation.
- *
- * <pre>
- *     ClassLoader loader = getClass().getClassLoader();
- *     JsonMapper mapper = JsonMapper.builder()
- * 				.addModules(SecurityJacksonModules.getModules(loader))
- * 				.build();
- * </pre>
- *
- * @author Sebastien Deleuze
- * @author Jitendra Singh
- * @since 7.0
- * @see SecurityJacksonModules
- */
-public class CasJacksonModule extends SecurityJacksonModule {
-
-	public CasJacksonModule() {
-		super(CasJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null));
-	}
-
-	@Override
-	public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) {
-		builder.allowIfSubType(AssertionImpl.class)
-			.allowIfSubType(AttributePrincipalImpl.class)
-			.allowIfSubType(CasAuthenticationToken.class);
-	}
-
-	@Override
-	public void setupModule(SetupContext context) {
-		context.setMixIn(AssertionImpl.class, AssertionImplMixin.class);
-		context.setMixIn(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class);
-		context.setMixIn(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class);
-	}
-
-}

cas/src/main/java/org/springframework/security/cas/jackson/package-info.java

@@ -1,20 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * Jackson 3+ serialization support for CAS.
- */
-package org.springframework.security.cas.jackson;

cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java

@@ -33,7 +33,6 @@ import org.apereo.cas.client.authentication.AttributePrincipal;
  * this class we need to register with
  * {@link com.fasterxml.jackson.databind.ObjectMapper}. Type information will be stored
  * in @class property.
- *
  * <p>
  * <pre>
  *     ObjectMapper mapper = new ObjectMapper();
@@ -44,11 +43,7 @@ import org.apereo.cas.client.authentication.AttributePrincipal;
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @deprecated as of 7.0 in favor of
- * {@code org.springframework.security.cas.jackson.AssertionImplMixin} based on Jackson 3
  */
-@SuppressWarnings("removal")
-@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)

cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java

@@ -30,7 +30,6 @@ import org.apereo.cas.client.proxy.ProxyRetriever;
  * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} which is used with
  * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. Type
  * information will be stored in property named @class.
- *
  * <p>
  * <pre>
  *     ObjectMapper mapper = new ObjectMapper();
@@ -41,12 +40,7 @@ import org.apereo.cas.client.proxy.ProxyRetriever;
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @deprecated as of 7.0 in favor of
- * {@code org.springframework.security.cas.jackson.AttributePrincipalImplMixin} based on
- * Jackson 3
  */
-@SuppressWarnings("removal")
-@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)

cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java

@@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.UserDetails;
  * </ol>
  *
  * <p>
+ *
  * <pre>
  *     ObjectMapper mapper = new ObjectMapper();
  *     mapper.registerModule(new CasJackson2Module());
@@ -49,12 +50,7 @@ import org.springframework.security.core.userdetails.UserDetails;
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @deprecated as of 7.0 in favor of
- * {@code org.springframework.security.cas.jackson.CasAuthenticationTokenMixin} based on
- * Jackson 3
  */
-@SuppressWarnings("removal")
-@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)

cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java

@@ -37,14 +37,11 @@ import org.springframework.security.jackson2.SecurityJackson2Modules;
  * </pre> <b>Note: use {@link SecurityJackson2Modules#getModules(ClassLoader)} to get list
  * of all security modules on the classpath.</b>
  *
- * @author Jitendra Singh
+ * @author Jitendra Singh.
  * @since 4.2
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @deprecated as of 7.0 in favor of
- * {@link org.springframework.security.cas.jackson.CasJacksonModule} based on Jackson 3
  */
-@Deprecated(forRemoval = true)
-@SuppressWarnings({ "serial", "removal" })
+@SuppressWarnings("serial")
 public class CasJackson2Module extends SimpleModule {
 
 	public CasJackson2Module() {

cas/src/main/java/org/springframework/security/cas/jackson2/package-info.java

@@ -1,23 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * Jackson 2 support for CAS.
- */
-@NullMarked
-package org.springframework.security.cas.jackson2;
-
-import org.jspecify.annotations.NullMarked;

cas/src/main/java/org/springframework/security/cas/package-info.java

@@ -18,7 +18,4 @@
  * Spring Security support for Apereo's Central Authentication Service
  * (<a href="https://github.com/apereo/cas">CAS</a>).
  */
-@NullMarked
 package org.springframework.security.cas;
-
-import org.jspecify.annotations.NullMarked;

cas/src/main/java/org/springframework/security/cas/userdetails/package-info.java

@@ -1,23 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * {@link org.springframework.security.core.userdetails.UserDetails} abstractions for CAS.
- */
-@NullMarked
-package org.springframework.security.cas.userdetails;
-
-import org.jspecify.annotations.NullMarked;

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java

@@ -22,7 +22,6 @@ import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apereo.cas.client.util.CommonUtils;
 import org.apereo.cas.client.util.WebUtils;
-import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.cas.ServiceProperties;
@@ -48,10 +47,9 @@ import org.springframework.util.Assert;
  */
 public class CasAuthenticationEntryPoint implements AuthenticationEntryPoint, InitializingBean {
 
-	@SuppressWarnings("NullAway.Init")
 	private ServiceProperties serviceProperties;
 
-	private @Nullable String loginUrl;
+	private String loginUrl;
 
 	/**
 	 * Determines whether the Service URL should include the session id for the specific
@@ -119,7 +117,7 @@ public class CasAuthenticationEntryPoint implements AuthenticationEntryPoint, In
 	 * <code>https://www.mycompany.com/cas/login</code>.
 	 * @return the enterprise-wide CAS login URL
 	 */
-	public final @Nullable String getLoginUrl() {
+	public final String getLoginUrl() {
 		return this.loginUrl;
 	}
 

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

@@ -26,7 +26,6 @@ import jakarta.servlet.http.HttpSession;
 import org.apereo.cas.client.proxy.ProxyGrantingTicketStorage;
 import org.apereo.cas.client.util.WebUtils;
 import org.apereo.cas.client.validation.TicketValidator;
-import org.jspecify.annotations.Nullable;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
@@ -35,7 +34,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolverIm
 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
-import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
+import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -52,12 +51,12 @@ import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.SavedRequest;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
-import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
-
 /**
  * Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy
  * tickets.
@@ -191,12 +190,12 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 	/**
 	 * The last portion of the receptor url, i.e. /proxy/receptor
 	 */
-	private @Nullable RequestMatcher proxyReceptorMatcher;
+	private RequestMatcher proxyReceptorMatcher;
 
 	/**
 	 * The backing storage to store ProxyGrantingTicket requests.
 	 */
-	private @Nullable ProxyGrantingTicketStorage proxyGrantingTicketStorage;
+	private ProxyGrantingTicketStorage proxyGrantingTicketStorage;
 
 	private String artifactParameter = ServiceProperties.DEFAULT_CAS_ARTIFACT_PARAMETER;
 
@@ -217,7 +216,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 
 	public CasAuthenticationFilter() {
 		super("/login/cas");
-		RequestMatcher processUri = pathPattern("/login/cas");
+		RequestMatcher processUri = PathPatternRequestMatcher.withDefaults().matcher("/login/cas");
 		setRequiresAuthenticationRequestMatcher(processUri);
 		setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
 		setSecurityContextRepository(this.securityContextRepository);
@@ -245,7 +244,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 	}
 
 	@Override
-	public @Nullable Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 			throws AuthenticationException, IOException {
 		// if the request is a proxy request process it and return null to indicate the
 		// request has been processed
@@ -336,7 +335,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 	}
 
 	public final void setProxyReceptorUrl(final String proxyReceptorUrl) {
-		this.proxyReceptorMatcher = pathPattern(proxyReceptorUrl);
+		this.proxyReceptorMatcher = new AntPathRequestMatcher("/**" + proxyReceptorUrl);
 	}
 
 	public final void setProxyGrantingTicketStorage(final ProxyGrantingTicketStorage proxyGrantingTicketStorage) {
@@ -423,7 +422,6 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 	 * @param request
 	 * @return
 	 */
-	@SuppressWarnings("NullAway") // Dataflow analysis limitation
 	private boolean proxyReceptorRequest(HttpServletRequest request) {
 		final boolean result = proxyReceptorConfigured() && this.proxyReceptorMatcher.matches(request);
 		this.logger.debug(LogMessage.format("proxyReceptorRequest = %s", result));

cas/src/main/java/org/springframework/security/cas/web/authentication/DefaultServiceAuthenticationDetails.java

@@ -21,9 +21,7 @@ import java.net.URL;
 import java.util.regex.Pattern;
 
 import jakarta.servlet.http.HttpServletRequest;
-import org.jspecify.annotations.Nullable;
 
-import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
@@ -50,8 +48,8 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 	 * string from containing the artifact name and value. This can be created using
 	 * {@link #createArtifactPattern(String)}.
 	 */
-	DefaultServiceAuthenticationDetails(@Nullable String casService, HttpServletRequest request,
-			Pattern artifactPattern) throws MalformedURLException {
+	DefaultServiceAuthenticationDetails(String casService, HttpServletRequest request, Pattern artifactPattern)
+			throws MalformedURLException {
 		super(request);
 		URL casServiceUrl = new URL(casService);
 		int port = getServicePort(casServiceUrl);
@@ -62,7 +60,7 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 
 	/**
 	 * Returns the current URL minus the artifact parameter and its value, if present.
-	 * @see org.springframework.security.cas.authentication.ServiceAuthenticationDetails#getServiceUrl()
+	 * @see org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails#getServiceUrl()
 	 */
 	@Override
 	public String getServiceUrl() {
@@ -105,7 +103,7 @@ final class DefaultServiceAuthenticationDetails extends WebAuthenticationDetails
 	 * @return the query String minus the artifactParameterName and the corresponding
 	 * value.
 	 */
-	private @Nullable String getQueryString(final HttpServletRequest request, final Pattern artifactPattern) {
+	private String getQueryString(final HttpServletRequest request, final Pattern artifactPattern) {
 		final String query = request.getQueryString();
 		if (query == null) {
 			return null;

cas/src/main/java/org/springframework/security/cas/web/authentication/ServiceAuthenticationDetails.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.web.authentication;
+
+import org.springframework.security.cas.ServiceProperties;
+import org.springframework.security.core.Authentication;
+
+/**
+ * In order for the
+ * {@link org.springframework.security.cas.authentication.CasAuthenticationProvider} to
+ * provide the correct service url to authenticate the ticket, the returned value of
+ * {@link Authentication#getDetails()} should implement this interface when tickets can be
+ * sent to any URL rather than only {@link ServiceProperties#getService()}.
+ *
+ * @author Rob Winch
+ * @see ServiceAuthenticationDetailsSource
+ * @deprecated Please use
+ * org.springframework.security.cas.authentication.ServiceAuthenticationDetails
+ */
+@Deprecated
+public interface ServiceAuthenticationDetails
+		extends org.springframework.security.cas.authentication.ServiceAuthenticationDetails {
+
+	/**
+	 * Gets the absolute service url (i.e. https://example.com/service/).
+	 * @return the service url. Cannot be <code>null</code>.
+	 */
+	String getServiceUrl();
+
+}

cas/src/main/java/org/springframework/security/cas/web/authentication/ServiceAuthenticationDetailsSource.java

@@ -23,7 +23,6 @@ import jakarta.servlet.http.HttpServletRequest;
 
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.cas.ServiceProperties;
-import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.util.Assert;
 
 /**

cas/src/main/java/org/springframework/security/cas/web/authentication/package-info.java

@@ -18,7 +18,4 @@
  * Authentication processing mechanisms which respond to the submission of authentication
  * credentials using CAS.
  */
-@NullMarked
 package org.springframework.security.cas.web.authentication;
-
-import org.jspecify.annotations.NullMarked;

cas/src/main/java/org/springframework/security/cas/web/package-info.java

@@ -17,7 +17,4 @@
 /**
  * Authenticates standard web browser users via CAS.
  */
-@NullMarked
 package org.springframework.security.cas.web;
-
-import org.jspecify.annotations.NullMarked;

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -27,14 +27,13 @@ import org.junit.jupiter.api.Test;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.BadCredentialsException;
-import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.cas.ServiceProperties;
+import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.User;
@@ -348,22 +347,6 @@ public class CasAuthenticationProviderTests {
 		assertThat(checkCount.get()).isEqualTo(1);
 	}
 
-	@Test
-	public void authenticateWhenSuccessfulThenIssuesFactor() throws Exception {
-		CasAuthenticationProvider cap = new CasAuthenticationProvider();
-		cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
-		cap.setKey("qwerty");
-		StatelessTicketCache cache = new MockStatelessTicketCache();
-		cap.setStatelessTicketCache(cache);
-		cap.setServiceProperties(makeServiceProperties());
-		cap.setTicketValidator(new MockTicketValidator(true));
-		cap.afterPropertiesSet();
-		CasServiceTicketAuthenticationToken token = CasServiceTicketAuthenticationToken.stateful("ST-123");
-		token.setDetails("details");
-		Authentication result = cap.authenticate(token);
-		SecurityAssertions.assertThat(result).hasAuthority(FactorGrantedAuthority.CAS_AUTHORITY);
-	}
-
 	private class MockAuthoritiesPopulator implements AuthenticationUserDetailsService {
 
 		@Override

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java

@@ -18,7 +18,6 @@ package org.springframework.security.cas.authentication;
 
 import java.util.Collections;
 import java.util.List;
-import java.util.Set;
 
 import org.apereo.cas.client.validation.Assertion;
 import org.apereo.cas.client.validation.AssertionImpl;
@@ -27,7 +26,6 @@ import org.junit.jupiter.api.Test;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
@@ -157,29 +155,4 @@ public class CasAuthenticationTokenTests {
 		assertThat(result.lastIndexOf("Credentials (Service/Proxy Ticket):") != -1).isTrue();
 	}
 
-	@Test
-	public void toBuilderWhenApplyThenCopies() {
-		Assertion assertionOne = new AssertionImpl("test");
-		CasAuthenticationToken factorOne = new CasAuthenticationToken("key", "alice", "pass",
-				AuthorityUtils.createAuthorityList("FACTOR_ONE"), PasswordEncodedUser.user(), assertionOne);
-		Assertion assertionTwo = new AssertionImpl("test");
-		CasAuthenticationToken factorTwo = new CasAuthenticationToken("yek", "bob", "ssap",
-				AuthorityUtils.createAuthorityList("FACTOR_TWO"), PasswordEncodedUser.admin(), assertionTwo);
-		CasAuthenticationToken authentication = factorOne.toBuilder()
-			.authorities((a) -> a.addAll(factorTwo.getAuthorities()))
-			.key("yek")
-			.principal(factorTwo.getPrincipal())
-			.credentials(factorTwo.getCredentials())
-			.userDetails(factorTwo.getUserDetails())
-			.assertion(factorTwo.getAssertion())
-			.build();
-		Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
-		assertThat(authentication.getKeyHash()).isEqualTo(factorTwo.getKeyHash());
-		assertThat(authentication.getPrincipal()).isEqualTo(factorTwo.getPrincipal());
-		assertThat(authentication.getCredentials()).isEqualTo(factorTwo.getCredentials());
-		assertThat(authentication.getUserDetails()).isEqualTo(factorTwo.getUserDetails());
-		assertThat(authentication.getAssertion()).isEqualTo(factorTwo.getAssertion());
-		assertThat(authorities).containsExactlyInAnyOrder("FACTOR_ONE", "FACTOR_TWO");
-	}
-
 }

cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java

@@ -1,151 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.cas.jackson;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-
-import org.apereo.cas.client.authentication.AttributePrincipalImpl;
-import org.apereo.cas.client.validation.Assertion;
-import org.apereo.cas.client.validation.AssertionImpl;
-import org.json.JSONException;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.skyscreamer.jsonassert.JSONAssert;
-import tools.jackson.databind.json.JsonMapper;
-
-import org.springframework.security.cas.authentication.CasAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.jackson.SecurityJacksonModules;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- * @author Jitendra Singh
- * @since 4.2
- */
-public class CasAuthenticationTokenMixinTests {
-
-	private static final String KEY = "casKey";
-
-	private static final String PASSWORD = "\"1234\"";
-
-	private static final Date START_DATE = new Date();
-
-	private static final Date END_DATE = new Date();
-
-	public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}";
-
-	public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON
-			+ "]]";
-
-	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", ["
-			+ AUTHORITY_JSON + "]]";
-
-	// @formatter:off
-	public static final String USER_JSON = "{"
-		+ "\"@class\": \"org.springframework.security.core.userdetails.User\", "
-		+ "\"username\": \"admin\","
-		+ " \"password\": " + PASSWORD + ", "
-		+ "\"accountNonExpired\": true, "
-		+ "\"accountNonLocked\": true, "
-		+ "\"credentialsNonExpired\": true, "
-		+ "\"enabled\": true, "
-		+ "\"authorities\": " + AUTHORITIES_SET_JSON
-	+ "}";
-	// @formatter:on
-	private static final String CAS_TOKEN_JSON = "{"
-			+ "\"@class\": \"org.springframework.security.cas.authentication.CasAuthenticationToken\", "
-			+ "\"keyHash\": " + KEY.hashCode() + "," + "\"principal\": " + USER_JSON + ", " + "\"credentials\": "
-			+ PASSWORD + ", " + "\"authorities\": " + AUTHORITIES_ARRAYLIST_JSON + "," + "\"userDetails\": " + USER_JSON
-			+ "," + "\"authenticated\": true, " + "\"details\": null," + "\"assertion\": {"
-			+ "\"@class\": \"org.apereo.cas.client.validation.AssertionImpl\", " + "\"principal\": {"
-			+ "\"@class\": \"org.apereo.cas.client.authentication.AttributePrincipalImpl\", "
-			+ "\"name\": \"assertName\", " + "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}, "
-			+ "\"proxyGrantingTicket\": null, " + "\"proxyRetriever\": null" + "}, "
-			+ "\"validFromDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"validUntilDate\": [\"java.util.Date\", " + END_DATE.getTime() + "],"
-			+ "\"authenticationDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"},"
-			+ "\"context\": {\"@class\":\"java.util.HashMap\"}" + "}" + "}";
-
-	private static final String CAS_TOKEN_CLEARED_JSON = CAS_TOKEN_JSON.replaceFirst(PASSWORD, "null");
-
-	protected JsonMapper mapper;
-
-	@BeforeEach
-	public void setup() {
-		ClassLoader loader = getClass().getClassLoader();
-		this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build();
-	}
-
-	@Test
-	public void serializeCasAuthenticationTest() throws JSONException {
-		CasAuthenticationToken token = createCasAuthenticationToken();
-		String actualJson = this.mapper.writeValueAsString(token);
-		JSONAssert.assertEquals(CAS_TOKEN_JSON, actualJson, true);
-	}
-
-	@Test
-	public void serializeCasAuthenticationTestAfterEraseCredentialInvoked() throws JSONException {
-		CasAuthenticationToken token = createCasAuthenticationToken();
-		token.eraseCredentials();
-		String actualJson = this.mapper.writeValueAsString(token);
-		JSONAssert.assertEquals(CAS_TOKEN_CLEARED_JSON, actualJson, true);
-	}
-
-	@Test
-	public void deserializeCasAuthenticationTestAfterEraseCredentialInvoked() {
-		CasAuthenticationToken token = this.mapper.readValue(CAS_TOKEN_CLEARED_JSON, CasAuthenticationToken.class);
-		assertThat(((UserDetails) token.getPrincipal()).getPassword()).isNull();
-	}
-
-	@Test
-	public void deserializeCasAuthenticationTest() throws IOException {
-		CasAuthenticationToken token = this.mapper.readValue(CAS_TOKEN_JSON, CasAuthenticationToken.class);
-		assertThat(token).isNotNull();
-		assertThat(token.getPrincipal()).isNotNull().isInstanceOf(User.class);
-		assertThat(((User) token.getPrincipal()).getUsername()).isEqualTo("admin");
-		assertThat(((User) token.getPrincipal()).getPassword()).isEqualTo("1234");
-		assertThat(token.getUserDetails()).isNotNull().isInstanceOf(User.class);
-		assertThat(token.getAssertion()).isNotNull().isInstanceOf(AssertionImpl.class);
-		assertThat(token.getKeyHash()).isEqualTo(KEY.hashCode());
-		assertThat(token.getUserDetails().getAuthorities()).extracting(GrantedAuthority::getAuthority)
-			.containsOnly("ROLE_USER");
-		assertThat(token.getAssertion().getAuthenticationDate()).isEqualTo(START_DATE);
-		assertThat(token.getAssertion().getValidFromDate()).isEqualTo(START_DATE);
-		assertThat(token.getAssertion().getValidUntilDate()).isEqualTo(END_DATE);
-		assertThat(token.getAssertion().getPrincipal().getName()).isEqualTo("assertName");
-		assertThat(token.getAssertion().getAttributes()).hasSize(0);
-	}
-
-	private CasAuthenticationToken createCasAuthenticationToken() {
-		User principal = new User("admin", "1234", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
-		Collection<? extends GrantedAuthority> authorities = Collections
-			.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
-		Assertion assertion = new AssertionImpl(new AttributePrincipalImpl("assertName"), START_DATE, END_DATE,
-				START_DATE, Collections.<String, Object>emptyMap());
-		return new CasAuthenticationToken(KEY, principal, principal.getPassword(), authorities,
-				new User("admin", "1234", authorities), assertion);
-	}
-
-}

cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java

@@ -44,7 +44,6 @@ import static org.assertj.core.api.Assertions.assertThat;
  * @author Jitendra Singh
  * @since 4.2
  */
-@SuppressWarnings("removal")
 public class CasAuthenticationTokenMixinTests {
 
 	private static final String KEY = "casKey";

cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationFilterTests.java

@@ -43,6 +43,7 @@ import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -54,9 +55,6 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
-import static org.springframework.security.web.servlet.TestMockHttpServletRequests.get;
-import static org.springframework.security.web.servlet.TestMockHttpServletRequests.post;
-import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 
 /**
  * Tests {@link CasAuthenticationFilter}.
@@ -81,7 +79,9 @@ public class CasAuthenticationFilterTests {
 
 	@Test
 	public void testNormalOperation() throws Exception {
-		MockHttpServletRequest request = post("/login/cas").param("ticket", "ST-0-ER94xMJmn6pha35CQRoZ").build();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login/cas");
+		request.setServletPath("/login/cas");
+		request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setAuthenticationManager((a) -> a);
 		assertThat(filter.requiresAuthentication(request, new MockHttpServletResponse())).isTrue();
@@ -104,22 +104,24 @@ public class CasAuthenticationFilterTests {
 		String url = "/login/cas";
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
-		MockHttpServletRequest request = post(url).build();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", url);
 		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
 	}
 
 	@Test
 	public void testRequiresAuthenticationProxyRequest() {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = get("/pgtCallback").build();
+		MockHttpServletRequest request = new MockHttpServletRequest();
 		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath("/pgtCallback");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		filter.setProxyReceptorUrl(request.getServletPath());
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
-		request = get("/other").build();
+		request.setServletPath("/other");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 	}
 
@@ -131,10 +133,12 @@ public class CasAuthenticationFilterTests {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
 		filter.setServiceProperties(properties);
-		MockHttpServletRequest request = post(url).build();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", url);
 		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
-		request = post("/other").build();
+		request = new MockHttpServletRequest("POST", "/other");
+		request.setServletPath("/other");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		request.setParameter(properties.getArtifactParameter(), "value");
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
@@ -152,8 +156,9 @@ public class CasAuthenticationFilterTests {
 	@Test
 	public void testAuthenticateProxyUrl() throws Exception {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = get("/pgtCallback").build();
+		MockHttpServletRequest request = new MockHttpServletRequest();
 		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath("/pgtCallback");
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		filter.setProxyReceptorUrl(request.getServletPath());
 		assertThat(filter.attemptAuthentication(request, response)).isNull();
@@ -167,7 +172,9 @@ public class CasAuthenticationFilterTests {
 		given(manager.authenticate(any(Authentication.class))).willReturn(authentication);
 		ServiceProperties serviceProperties = new ServiceProperties();
 		serviceProperties.setAuthenticateAllArtifacts(true);
-		MockHttpServletRequest request = post("/authenticate").param("ticket", "ST-1-123").build();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/authenticate");
+		request.setParameter("ticket", "ST-1-123");
+		request.setServletPath("/authenticate");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain chain = mock(FilterChain.class);
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
@@ -193,9 +200,10 @@ public class CasAuthenticationFilterTests {
 	@Test
 	public void testChainNotInvokedForProxyReceptor() throws Exception {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = get("/pgtCallback").build();
+		MockHttpServletRequest request = new MockHttpServletRequest();
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain chain = mock(FilterChain.class);
+		request.setServletPath("/pgtCallback");
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		filter.setProxyReceptorUrl(request.getServletPath());
 		filter.doFilter(request, response, chain);
@@ -263,14 +271,16 @@ public class CasAuthenticationFilterTests {
 	@Test
 	public void requiresAuthenticationWhenProxyRequestMatcherThenMatches() {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
-		MockHttpServletRequest request = get("/pgtCallback").build();
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/pgtCallback");
 		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath("/pgtCallback");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
-		filter.setProxyReceptorMatcher(pathPattern(request.getServletPath()));
+		filter.setProxyReceptorMatcher(PathPatternRequestMatcher.withDefaults().matcher(request.getServletPath()));
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
-		request = get("/other").build();
+		request.setRequestURI("/other");
+		request.setServletPath("/other");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 	}
 

cas/src/test/java/org/springframework/security/cas/web/authentication/DefaultServiceAuthenticationDetailsTests.java

@@ -26,7 +26,6 @@ import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.support.GenericXmlApplicationContext;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.cas.ServiceProperties;
-import org.springframework.security.cas.authentication.ServiceAuthenticationDetails;
 import org.springframework.security.web.util.UrlUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;

config/spring-security-config.gradle

@@ -1,9 +1,10 @@
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 import org.springframework.gradle.xsd.CreateVersionlessXsdTask
 import trang.RncToXsd
 
 apply plugin: 'io.spring.convention.spring-module'
 apply plugin: 'trang'
-apply plugin: 'security-kotlin'
+apply plugin: 'kotlin'
 
 configurations {
 	opensaml5 {
@@ -20,18 +21,16 @@ dependencies {
 	api 'org.springframework:spring-context'
 	api 'org.springframework:spring-core'
 
-	optional project(':spring-security-access')
 	optional project(':spring-security-data')
 	optional project(':spring-security-ldap')
 	optional project(':spring-security-messaging')
 	optional project(path: ':spring-security-saml2-service-provider')
+	opensaml5 project(path: ':spring-security-saml2-service-provider', configuration: 'opensamlFiveMain')
 	optional project(':spring-security-oauth2-client')
 	optional project(':spring-security-oauth2-jose')
 	optional project(':spring-security-oauth2-resource-server')
-	optional project(':spring-security-oauth2-authorization-server')
 	optional project(':spring-security-rsocket')
 	optional project(':spring-security-web')
-	optional project(':spring-security-webauthn')
 	optional 'io.projectreactor:reactor-core'
 	optional 'org.aspectj:aspectjweaver'
 	optional 'org.springframework:spring-jdbc'
@@ -44,22 +43,20 @@ dependencies {
 	optional 'org.jetbrains.kotlin:kotlin-reflect'
 	optional 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
 	optional 'jakarta.annotation:jakarta.annotation-api'
+	optional libs.webauthn4j.core
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
 	testImplementation project(':spring-security-aspects')
 	testImplementation project(':spring-security-cas')
 	testImplementation project(':spring-security-test')
-	testImplementation project(path : ':spring-security-access', configuration : 'tests')
 	testImplementation project(path : ':spring-security-core', configuration : 'tests')
 	testImplementation project(path : ':spring-security-ldap', configuration : 'tests')
 	testImplementation project(path : ':spring-security-oauth2-client', configuration : 'tests')
 	testImplementation project(path : ':spring-security-oauth2-resource-server', configuration : 'tests')
-	testImplementation project(path : ':spring-security-oauth2-authorization-server', configuration : 'tests')
 	testImplementation project(':spring-security-saml2-service-provider')
 	testImplementation project(path : ':spring-security-saml2-service-provider', configuration : 'tests')
 	testImplementation project(path : ':spring-security-web', configuration : 'tests')
-	testImplementation project(path : ':spring-security-webauthn', configuration : 'tests')
 	testImplementation "jakarta.inject:jakarta.inject-api"
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"
@@ -81,6 +78,12 @@ dependencies {
 		exclude group: 'commons-logging', module: 'commons-logging'
 		exclude group: 'xml-apis', module: 'xml-apis'
 	}
+	testImplementation "org.apache.directory.server:apacheds-core"
+	testImplementation "org.apache.directory.server:apacheds-core-entry"
+	testImplementation "org.apache.directory.server:apacheds-protocol-shared"
+	testImplementation "org.apache.directory.server:apacheds-protocol-ldap"
+	testImplementation "org.apache.directory.server:apacheds-server-jndi"
+	testImplementation 'org.apache.directory.shared:shared-ldap'
 	testImplementation "com.unboundid:unboundid-ldapsdk"
 	testImplementation 'jakarta.persistence:jakarta.persistence-api'
 	testImplementation "org.hibernate.orm:hibernate-core"
@@ -124,7 +127,6 @@ dependencies {
 
 	testRuntimeOnly 'org.hsqldb:hsqldb'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
-	testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
 }
 
 def rncToXsd = tasks.named('rncToXsd', RncToXsd)
@@ -156,6 +158,15 @@ tasks.named('sourcesJar', Jar).configure {
 	}
 }
 
+tasks.withType(KotlinCompile).configureEach {
+	kotlinOptions {
+		languageVersion = "1.7"
+		apiVersion = "1.7"
+		freeCompilerArgs = ["-Xjsr305=strict", "-Xsuppress-version-warnings"]
+		jvmTarget = "17"
+	}
+}
+
 configure(project.tasks.withType(Test)) {
 	doFirst {
 		systemProperties['springSecurityVersion'] = version
@@ -172,3 +183,15 @@ test {
 		}
 	}
 }
+
+tasks.register("opensaml5Test", Test) {
+	filter {
+		includeTestsMatching "org.springframework.security.config.annotation.web.configurers.saml2.*"
+	}
+	useJUnitPlatform()
+	classpath = sourceSets.main.output + sourceSets.test.output + configurations.opensaml5
+}
+
+tasks.named("check") {
+	dependsOn opensaml5Test
+}

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java

@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.authentication.ldap;
 
 import java.io.IOException;
 import java.net.ServerSocket;
+import java.util.Collections;
 import java.util.List;
 
 import javax.naming.directory.SearchControls;
@@ -38,11 +39,12 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
-import org.springframework.security.ldap.server.UnboundIdContainer;
+import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.test.web.servlet.MockMvc;
@@ -118,7 +120,8 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 		this.spring.register(BindAuthenticationConfig.class).autowire();
 
 		this.mockMvc.perform(formLogin().user("bob").password("bobspassword"))
-			.andExpect(authenticated().withUsername("bob").withRoles("DEVELOPERS"));
+			.andExpect(authenticated().withUsername("bob")
+				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_DEVELOPERS"))));
 	}
 
 	// SEC-2472
@@ -127,7 +130,8 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 		this.spring.register(PasswordEncoderConfig.class).autowire();
 
 		this.mockMvc.perform(formLogin().user("bcrypt").password("password"))
-			.andExpect(authenticated().withUsername("bcrypt").withRoles("DEVELOPERS"));
+			.andExpect(authenticated().withUsername("bcrypt")
+				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_DEVELOPERS"))));
 	}
 
 	private LdapAuthenticationProvider ldapProvider() {
@@ -322,11 +326,11 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 	abstract static class BaseLdapServerConfig extends BaseLdapProviderConfig {
 
 		@Bean
-		UnboundIdContainer ldapServer() throws Exception {
-			UnboundIdContainer unboundIdContainer = new UnboundIdContainer("dc=springframework,dc=org",
+		ApacheDSContainer ldapServer() throws Exception {
+			ApacheDSContainer apacheDSContainer = new ApacheDSContainer("dc=springframework,dc=org",
 					"classpath:/test-server.ldif");
-			unboundIdContainer.setPort(getPort());
-			return unboundIdContainer;
+			apacheDSContainer.setPort(getPort());
+			return apacheDSContainer;
 		}
 
 	}

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderConfigurerTests.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.config.annotation.authentication.ldap;
 
+import java.util.Collections;
+
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -26,6 +28,8 @@ import org.springframework.security.config.annotation.authentication.ldap.LdapAu
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers;
 import org.springframework.test.web.servlet.MockMvc;
@@ -60,7 +64,7 @@ public class LdapAuthenticationProviderConfigurerTests {
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated()
 				.withUsername("bob")
-				.withRoles("DEVELOPERS");
+				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_DEVELOPERS")));
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(expectedUser);
 	}
@@ -75,7 +79,7 @@ public class LdapAuthenticationProviderConfigurerTests {
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated()
 				.withUsername("bob")
-				.withRoles("ROL_", new String[] { "DEVELOPERS" });
+				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROL_DEVELOPERS")));
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(expectedUser);
 	}
@@ -104,7 +108,8 @@ public class LdapAuthenticationProviderConfigurerTests {
 				.password("otherbenspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher expectedUser = authenticated()
 				.withUsername("otherben")
-				.withRoles("SUBMANAGERS", "MANAGERS", "DEVELOPERS");
+				.withAuthorities(
+						AuthorityUtils.createAuthorityList("ROLE_SUBMANAGERS", "ROLE_MANAGERS", "ROLE_DEVELOPERS"));
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(expectedUser);
 	}

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTests.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.annotation.authentication.ldap;
 
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -33,6 +34,7 @@ import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
@@ -77,7 +79,7 @@ public class NamespaceLdapAuthenticationProviderTests {
 				.user("bob")
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher user = authenticated()
-				.withRoles("PREFIX_", new String[] { "DEVELOPERS" });
+				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("PREFIX_DEVELOPERS")));
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(user);
 	}
@@ -101,7 +103,7 @@ public class NamespaceLdapAuthenticationProviderTests {
 				.user("bob")
 				.password("bobspassword");
 		SecurityMockMvcResultMatchers.AuthenticatedMatcher user = authenticated()
-				.withRoles("EXTRA");
+				.withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_EXTRA")));
 		// @formatter:on
 		this.mockMvc.perform(request).andExpect(user);
 	}

config/src/integration-test/java/org/springframework/security/config/annotation/configurers/WebAuthnWebDriverTests.java

@@ -31,7 +31,6 @@ import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriverException;
@@ -56,7 +55,6 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import org.springframework.web.filter.DelegatingFilterProxy;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
@@ -69,7 +67,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  *
  * @author Daniel Garnier-Moiroux
  */
-@Disabled
+@org.junit.jupiter.api.Disabled
 class WebAuthnWebDriverTests {
 
 	private String baseUrl;
@@ -84,8 +82,6 @@ class WebAuthnWebDriverTests {
 
 	private static final String PASSWORD = "password";
 
-	private String authenticatorId = null;
-
 	@BeforeAll
 	static void startChromeDriverService() throws Exception {
 		driverService = new ChromeDriverService.Builder().usingAnyFreePort().build();
@@ -148,7 +144,7 @@ class WebAuthnWebDriverTests {
 	@Test
 	void loginWhenNoValidAuthenticatorCredentialsThenRejects() {
 		createVirtualAuthenticator(true);
-		this.getAndWait("/", "/login");
+		this.driver.get(this.baseUrl);
 		this.driver.findElement(signinWithPasskeyButton()).click();
 		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/login?error"));
 	}
@@ -157,7 +153,7 @@ class WebAuthnWebDriverTests {
 	void registerWhenNoLabelThenRejects() {
 		login();
 
-		this.getAndWait("/webauthn/register");
+		this.driver.get(this.baseUrl + "/webauthn/register");
 
 		this.driver.findElement(registerPasskeyButton()).click();
 		assertHasAlertStartingWith("error", "Error: Passkey Label is required");
@@ -167,7 +163,7 @@ class WebAuthnWebDriverTests {
 	void registerWhenAuthenticatorNoUserVerificationThenRejects() {
 		createVirtualAuthenticator(false);
 		login();
-		this.getAndWait("/webauthn/register");
+		this.driver.get(this.baseUrl + "/webauthn/register");
 		this.driver.findElement(passkeyLabel()).sendKeys("Virtual authenticator");
 		this.driver.findElement(registerPasskeyButton()).click();
 
@@ -182,8 +178,7 @@ class WebAuthnWebDriverTests {
 	 * <li>Step 1: Log in with username / password</li>
 	 * <li>Step 2: Register a credential from the virtual authenticator</li>
 	 * <li>Step 3: Log out</li>
-	 * <li>Step 4: Log in with the authenticator (no allowCredentials)</li>
-	 * <li>Step 5: Log in again with the same authenticator (with allowCredentials)</li>
+	 * <li>Step 4: Log in with the authenticator</li>
 	 * </ul>
 	 */
 	@Test
@@ -195,7 +190,7 @@ class WebAuthnWebDriverTests {
 		login();
 
 		// Step 2: register a credential from the virtual authenticator
-		this.getAndWait("/webauthn/register");
+		this.driver.get(this.baseUrl + "/webauthn/register");
 		this.driver.findElement(passkeyLabel()).sendKeys("Virtual authenticator");
 		this.driver.findElement(registerPasskeyButton()).click();
 
@@ -217,58 +212,9 @@ class WebAuthnWebDriverTests {
 		logout();
 
 		// Step 4: log in with the virtual authenticator
-		this.getAndWait("/webauthn/register", "/login");
+		this.driver.get(this.baseUrl + "/webauthn/register");
 		this.driver.findElement(signinWithPasskeyButton()).click();
 		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/webauthn/register?continue"));
-
-		// Step 5: authenticate while being already logged in
-		// This simulates some use-cases with MFA. Since the user is already logged in,
-		// the "allowCredentials" property is populated
-		this.getAndWait("/login");
-		this.driver.findElement(signinWithPasskeyButton()).click();
-		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/"));
-	}
-
-	@Test
-	void registerWhenAuthenticatorAlreadyRegisteredThenRejects() {
-		createVirtualAuthenticator(true);
-		login();
-		registerAuthenticator("Virtual authenticator");
-
-		// Cannot re-register the same authenticator because excludeCredentials
-		// is not empty and contains the given authenticator
-		this.driver.findElement(passkeyLabel()).sendKeys("Same authenticator");
-		this.driver.findElement(registerPasskeyButton()).click();
-
-		await(() -> assertHasAlertStartingWith("error", "Registration failed"));
-	}
-
-	@Test
-	void registerSecondAuthenticatorThenSucceeds() {
-		createVirtualAuthenticator(true);
-		login();
-
-		registerAuthenticator("Virtual authenticator");
-		this.getAndWait("/webauthn/register");
-		List<WebElement> passkeyRows = this.driver.findElements(passkeyTableRows());
-		assertThat(passkeyRows).hasSize(1)
-			.first()
-			.extracting((row) -> row.findElement(firstCell()))
-			.extracting(WebElement::getText)
-			.isEqualTo("Virtual authenticator");
-
-		// Create second authenticator and register
-		removeAuthenticator();
-		createVirtualAuthenticator(true);
-		registerAuthenticator("Second virtual authenticator");
-
-		this.getAndWait("/webauthn/register");
-
-		passkeyRows = this.driver.findElements(passkeyTableRows());
-		assertThat(passkeyRows).hasSize(2)
-			.extracting((row) -> row.findElement(firstCell()))
-			.extracting(WebElement::getText)
-			.contains("Second virtual authenticator");
 	}
 
 	/**
@@ -285,14 +231,11 @@ class WebAuthnWebDriverTests {
 	 * "https://chromedevtools.github.io/devtools-protocol/tot/WebAuthn/">https://chromedevtools.github.io/devtools-protocol/tot/WebAuthn/</a>
 	 */
 	private void createVirtualAuthenticator(boolean userIsVerified) {
-		if (StringUtils.hasText(this.authenticatorId)) {
-			throw new IllegalStateException("Authenticator already exists, please remove it before re-creating one");
-		}
 		HasCdp cdpDriver = (HasCdp) this.driver;
 		cdpDriver.executeCdpCommand("WebAuthn.enable", Map.of("enableUI", false));
 		// this.driver.addVirtualAuthenticator(createVirtualAuthenticatorOptions());
 		//@formatter:off
-		Map<String, Object> cmdResponse = cdpDriver.executeCdpCommand("WebAuthn.addVirtualAuthenticator",
+		cdpDriver.executeCdpCommand("WebAuthn.addVirtualAuthenticator",
 				Map.of(
 						"options",
 						Map.of(
@@ -305,38 +248,21 @@ class WebAuthnWebDriverTests {
 						)
 				));
 		//@formatter:on
-		this.authenticatorId = cmdResponse.get("authenticatorId").toString();
-	}
-
-	private void removeAuthenticator() {
-		HasCdp cdpDriver = (HasCdp) this.driver;
-		cdpDriver.executeCdpCommand("WebAuthn.removeVirtualAuthenticator",
-				Map.of("authenticatorId", this.authenticatorId));
-		this.authenticatorId = null;
 	}
 
 	private void login() {
-		this.getAndWait("/", "/login");
+		this.driver.get(this.baseUrl);
 		this.driver.findElement(usernameField()).sendKeys(USERNAME);
 		this.driver.findElement(passwordField()).sendKeys(PASSWORD);
 		this.driver.findElement(signinWithUsernamePasswordButton()).click();
-		// Ensure login has completed
-		await(() -> assertThat(this.driver.getCurrentUrl()).doesNotContain("/login"));
 	}
 
 	private void logout() {
-		this.getAndWait("/logout");
+		this.driver.get(this.baseUrl + "/logout");
 		this.driver.findElement(logoutButton()).click();
 		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/login?logout"));
 	}
 
-	private void registerAuthenticator(String passkeyName) {
-		this.getAndWait("/webauthn/register");
-		this.driver.findElement(passkeyLabel()).sendKeys(passkeyName);
-		this.driver.findElement(registerPasskeyButton()).click();
-		await(() -> assertThat(this.driver.getCurrentUrl()).endsWith("/webauthn/register?success"));
-	}
-
 	private AbstractStringAssert<?> assertHasAlertStartingWith(String alertType, String alertMessage) {
 		WebElement alert = this.driver.findElement(new By.ById(alertType));
 		assertThat(alert.isDisplayed())
@@ -363,15 +289,6 @@ class WebAuthnWebDriverTests {
 			});
 	}
 
-	private void getAndWait(String endpoint) {
-		this.getAndWait(endpoint, endpoint);
-	}
-
-	private void getAndWait(String endpoint, String redirectUrl) {
-		this.driver.get(this.baseUrl + endpoint);
-		this.await(() -> assertThat(this.driver.getCurrentUrl()).endsWith(redirectUrl));
-	}
-
 	private static By.ById passkeyLabel() {
 		return new By.ById("label");
 	}
@@ -408,10 +325,6 @@ class WebAuthnWebDriverTests {
 		return new By.ByCssSelector("button");
 	}
 
-	private static By.ByCssSelector deletePasskeyButton() {
-		return new By.ByCssSelector("table > tbody > tr > button");
-	}
-
 	/**
 	 * The configuration for WebAuthN tests. It accesses the Server's current port, so we
 	 * can configurer WebAuthnConfigurer#allowedOrigin

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/AnonymousAuthenticationITests.java

@@ -1,147 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.rsocket;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import io.rsocket.core.RSocketServer;
-import io.rsocket.exceptions.RejectedSetupException;
-import io.rsocket.frame.decoder.PayloadDecoder;
-import io.rsocket.transport.netty.server.CloseableChannel;
-import io.rsocket.transport.netty.server.TcpServerTransport;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.messaging.handler.annotation.MessageMapping;
-import org.springframework.messaging.rsocket.RSocketRequester;
-import org.springframework.messaging.rsocket.annotation.support.RSocketMessageHandler;
-import org.springframework.security.authentication.AuthenticationTrustResolver;
-import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
-import org.springframework.security.authorization.AuthorizationDecision;
-import org.springframework.security.authorization.ReactiveAuthorizationManager;
-import org.springframework.security.rsocket.core.PayloadSocketAcceptorInterceptor;
-import org.springframework.security.rsocket.core.SecuritySocketAcceptorInterceptor;
-import org.springframework.security.rsocket.util.matcher.PayloadExchangeAuthorizationContext;
-import org.springframework.stereotype.Controller;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
-
-/**
- * @author Andrey Litvitski
- */
-@ContextConfiguration
-@ExtendWith(SpringExtension.class)
-public class AnonymousAuthenticationITests {
-
-	@Autowired
-	RSocketMessageHandler handler;
-
-	@Autowired
-	SecuritySocketAcceptorInterceptor interceptor;
-
-	@Autowired
-	ServerController controller;
-
-	private CloseableChannel server;
-
-	private RSocketRequester requester;
-
-	@BeforeEach
-	public void setup() {
-		// @formatter:off
-		this.server = RSocketServer.create()
-				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
-				)
-				.acceptor(this.handler.responder())
-				.bind(TcpServerTransport.create("localhost", 0))
-				.block();
-		// @formatter:on
-	}
-
-	@AfterEach
-	public void dispose() {
-		this.requester.rsocket().dispose();
-		this.server.dispose();
-		this.controller.payloads.clear();
-	}
-
-	@Test
-	public void requestWhenAnonymousDisabledThenRespondsWithForbidden() {
-		this.requester = RSocketRequester.builder()
-			.rsocketStrategies(this.handler.getRSocketStrategies())
-			.connectTcp("localhost", this.server.address().getPort())
-			.block();
-		String data = "andrew";
-		assertThatExceptionOfType(RejectedSetupException.class).isThrownBy(
-				() -> this.requester.route("secure.retrieve-mono").data(data).retrieveMono(String.class).block());
-		assertThat(this.controller.payloads).isEmpty();
-	}
-
-	@Configuration
-	@EnableRSocketSecurity
-	static class Config {
-
-		@Bean
-		ServerController controller() {
-			return new ServerController();
-		}
-
-		@Bean
-		RSocketMessageHandler messageHandler() {
-			return new RSocketMessageHandler();
-		}
-
-		@Bean
-		PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
-			AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
-			ReactiveAuthorizationManager<PayloadExchangeAuthorizationContext> anonymous = (authentication,
-					exchange) -> authentication.map(trustResolver::isAnonymous).map(AuthorizationDecision::new);
-			rsocket.authorizePayload((authorize) -> authorize.anyExchange().access(anonymous));
-			rsocket.anonymous((anonymousAuthentication) -> anonymousAuthentication.disable());
-			return rsocket.build();
-		}
-
-	}
-
-	@Controller
-	static class ServerController {
-
-		private List<String> payloads = new ArrayList<>();
-
-		@MessageMapping("**")
-		String retrieveMono(String payload) {
-			add(payload);
-			return "Hi " + payload;
-		}
-
-		private void add(String p) {
-			this.payloads.add(p);
-		}
-
-	}
-
-}

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketITests.java

@@ -74,7 +74,8 @@ public class HelloRSocketITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) ->
+					registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketObservationITests.java

@@ -87,7 +87,8 @@ public class HelloRSocketObservationITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) ->
+					registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/HelloRSocketWithWebFluxITests.java

@@ -74,7 +74,8 @@ public class HelloRSocketWithWebFluxITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) ->
+					registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/JwtITests.java

@@ -86,7 +86,8 @@ public class JwtITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 			.payloadDecoder(PayloadDecoder.ZERO_COPY)
-			.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+			.interceptors((registry) ->
+				registry.forSocketAcceptor(this.interceptor)
 			)
 			.acceptor(this.handler.responder())
 			.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/RSocketMessageHandlerConnectionITests.java

@@ -81,7 +81,8 @@ public class RSocketMessageHandlerConnectionITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) ->
+					registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/RSocketMessageHandlerITests.java

@@ -79,7 +79,8 @@ public class RSocketMessageHandlerITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) ->
+					registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/annotation/rsocket/SimpleAuthenticationITests.java

@@ -79,7 +79,8 @@ public class SimpleAuthenticationITests {
 		// @formatter:off
 		this.server = RSocketServer.create()
 				.payloadDecoder(PayloadDecoder.ZERO_COPY)
-				.interceptors((registry) -> registry.forSocketAcceptor(this.interceptor)
+				.interceptors((registry) ->
+					registry.forSocketAcceptor(this.interceptor)
 				)
 				.acceptor(this.handler.responder())
 				.bind(TcpServerTransport.create("localhost", 0))

config/src/integration-test/java/org/springframework/security/config/ldap/LdapBindAuthenticationManagerFactoryITests.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.ldap;
 
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -37,11 +38,12 @@ import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.UnboundIdContainer;
+import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
@@ -80,7 +82,8 @@ public class LdapBindAuthenticationManagerFactoryITests {
 		this.spring.register(CustomAuthoritiesPopulatorConfig.class).autowire();
 
 		this.mockMvc.perform(formLogin().user("bob").password("bobspassword"))
-			.andExpect(authenticated().withRoles("EXTRA"));
+			.andExpect(
+					authenticated().withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_EXTRA"))));
 	}
 
 	@Test
@@ -91,7 +94,8 @@ public class LdapBindAuthenticationManagerFactoryITests {
 		this.spring.register(CustomAuthoritiesMapperConfig.class).autowire();
 
 		this.mockMvc.perform(formLogin().user("bob").password("bobspassword"))
-			.andExpect(authenticated().withRoles("CUSTOM"));
+			.andExpect(
+					authenticated().withAuthorities(Collections.singleton(new SimpleGrantedAuthority("ROLE_CUSTOM"))));
 	}
 
 	@Test
@@ -222,18 +226,18 @@ public class LdapBindAuthenticationManagerFactoryITests {
 	@EnableWebSecurity
 	abstract static class BaseLdapServerConfig implements DisposableBean {
 
-		private UnboundIdContainer container;
+		private ApacheDSContainer container;
 
 		@Bean
-		UnboundIdContainer ldapServer() {
-			this.container = new UnboundIdContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
+		ApacheDSContainer ldapServer() throws Exception {
+			this.container = new ApacheDSContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
 			this.container.setPort(0);
 			return this.container;
 		}
 
 		@Bean
-		BaseLdapPathContextSource contextSource(UnboundIdContainer container) {
-			int port = container.getPort();
+		BaseLdapPathContextSource contextSource(ApacheDSContainer container) {
+			int port = container.getLocalPort();
 			return new DefaultSpringSecurityContextSource("ldap://localhost:" + port + "/dc=springframework,dc=org");
 		}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapPasswordComparisonAuthenticationManagerFactoryITests.java

@@ -31,7 +31,7 @@ import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.UnboundIdContainer;
+import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
@@ -93,18 +93,18 @@ public class LdapPasswordComparisonAuthenticationManagerFactoryITests {
 	@EnableWebSecurity
 	abstract static class BaseLdapServerConfig implements DisposableBean {
 
-		private UnboundIdContainer container;
+		private ApacheDSContainer container;
 
 		@Bean
-		UnboundIdContainer ldapServer() {
-			this.container = new UnboundIdContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
+		ApacheDSContainer ldapServer() throws Exception {
+			this.container = new ApacheDSContainer("dc=springframework,dc=org", "classpath:/test-server.ldif");
 			this.container.setPort(0);
 			return this.container;
 		}
 
 		@Bean
-		BaseLdapPathContextSource contextSource(UnboundIdContainer container) {
-			int port = container.getPort();
+		BaseLdapPathContextSource contextSource(ApacheDSContainer container) {
+			int port = container.getLocalPort();
 			return new DefaultSpringSecurityContextSource("ldap://localhost:" + port + "/dc=springframework,dc=org");
 		}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -56,7 +56,7 @@ public class LdapProviderBeanDefinitionParserTests {
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
 		Authentication auth = authenticationManager
-			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("otherben", "otherbenspassword"));
+			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
 		UserDetails ben = (UserDetails) auth.getPrincipal();
 		assertThat(ben.getAuthorities()).hasSize(3);
 	}
@@ -127,27 +127,6 @@ public class LdapProviderBeanDefinitionParserTests {
 		assertThat(auth).isNotNull();
 	}
 
-	@Test
-	public void supportsShaPasswordEncoder() {
-		this.appCtx = new InMemoryXmlApplicationContext("""
-				<ldap-server ldif='classpath:test-server.ldif' port='0'/>
-				<authentication-manager>
-					<ldap-authentication-provider user-dn-pattern='uid={0},ou=people'>
-						<password-compare>
-							<password-encoder ref='pe' />
-						</password-compare>
-					</ldap-authentication-provider>
-				</authentication-manager>
-				<b:bean id='pe' class='org.springframework.security.crypto.password.LdapShaPasswordEncoder' />
-				""");
-		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
-				AuthenticationManager.class);
-		Authentication auth = authenticationManager
-			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
-
-		assertThat(auth).isNotNull();
-	}
-
 	@Test
 	public void inetOrgContextMapperIsSupported() {
 		this.appCtx = new InMemoryXmlApplicationContext(
@@ -169,7 +148,7 @@ public class LdapProviderBeanDefinitionParserTests {
 		this.appCtx = new InMemoryXmlApplicationContext("<ldap-server />" + "<authentication-manager>"
 				+ "  <ldap-authentication-provider user-dn-pattern='uid={0},ou=${udp}' group-search-filter='${gsf}={0}' />"
 				+ "</authentication-manager>"
-				+ "<b:bean id='org.springframework.context.support.PropertySourcesPlaceholderConfigurer' class='org.springframework.context.support.PropertySourcesPlaceholderConfigurer' />");
+				+ "<b:bean id='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer' class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer' />");
 
 		ProviderManager providerManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER, ProviderManager.class);
 		assertThat(providerManager.getProviders()).hasSize(1);

config/src/integration-test/java/org/springframework/security/config/ldap/LdapServerBeanDefinitionParserTests.java

@@ -26,7 +26,7 @@ import org.springframework.ldap.core.LdapTemplate;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
-import org.springframework.security.ldap.server.UnboundIdContainer;
+import org.springframework.security.ldap.server.ApacheDSContainer;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -92,9 +92,9 @@ public class LdapServerBeanDefinitionParserTests {
 	@Test
 	public void defaultLdifFileIsSuccessful() {
 		this.appCtx = new InMemoryXmlApplicationContext("<ldap-server/>");
-		UnboundIdContainer dsContainer = this.appCtx.getBean(UnboundIdContainer.class);
+		ApacheDSContainer dsContainer = this.appCtx.getBean(ApacheDSContainer.class);
 
-		assertThat(ReflectionTestUtils.getField(dsContainer, "ldif")).isEqualTo("classpath*:*.ldif");
+		assertThat(ReflectionTestUtils.getField(dsContainer, "ldifResources")).isEqualTo("classpath*:*.ldif");
 	}
 
 	private int getDefaultPort() throws IOException {

config/src/integration-test/resources/logback-test.xml

@@ -7,6 +7,7 @@
 
 	<logger name="org.springframework.security" level="${sec.log.level:-WARN}"/>
 
+	<logger name="org.apache.directory" level="ERROR"/>
 	<logger name="JdbmTable" level="INFO"/>
 	<logger name="JdbmIndex" level="INFO"/>
 	<logger name="org.apache.mina" level="WARN"/>

config/src/main/java/org/springframework/security/config/BeanIds.java

@@ -54,6 +54,8 @@ public abstract class BeanIds {
 
 	public static final String METHOD_SECURITY_METADATA_SOURCE_ADVISOR = PREFIX + "methodSecurityMetadataSourceAdvisor";
 
+	public static final String EMBEDDED_APACHE_DS = PREFIX + "apacheDirectoryServerContainer";
+
 	public static final String EMBEDDED_UNBOUNDID = PREFIX + "unboundidServerContainer";
 
 	public static final String CONTEXT_SOURCE = PREFIX + "securityContextSource";

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -18,7 +18,6 @@ package org.springframework.security.config;
 
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Objects;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -78,23 +77,26 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 
 	public SecurityNamespaceHandler() {
 		String coreVersion = SpringSecurityCoreVersion.getVersion();
-		String configVersion = configVersion();
-		if (!Objects.equals(coreVersion, configVersion)) {
-			String message = "You are attempting to run spring-security-core:%s with spring-security-config:%s";
-			this.logger.error(String.format(message, coreVersion, configVersion));
-		}
-	}
-
-	private static String configVersion() {
 		Package pkg = SpringSecurityCoreVersion.class.getPackage();
-		return (pkg != null) ? pkg.getImplementationVersion() : null;
+		if (pkg == null || coreVersion == null) {
+			this.logger.info("Couldn't determine package version information.");
+			return;
+		}
+		String version = pkg.getImplementationVersion();
+		this.logger.info("Spring Security 'config' module version is " + version);
+		if (version.compareTo(coreVersion) != 0) {
+			this.logger
+				.error("You are running with different versions of the Spring Security 'core' and 'config' modules");
+		}
 	}
 
 	@Override
 	public BeanDefinition parse(Element element, ParserContext pc) {
 		if (!namespaceMatchesVersion(element)) {
 			pc.getReaderContext()
-				.fatal("You cannot use any XSD older than spring-security-7.0.xsd. Either change to spring-security.xsd or spring-security-7.0.xsd",
+				.fatal("You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or "
+						+ "spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema "
+						+ "with Spring Security 6.5. Please update your schema declarations to the 6.5 schema.",
 						element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@@ -219,7 +221,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
 
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-7\\.0.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-6\\.5.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}

config/src/main/java/org/springframework/security/config/ThrowingCustomizer.java

@@ -1,52 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config;
-
-/**
- * A {@link Customizer} that allows invocation of code that throws a checked exception.
- *
- * @param <T> The type of input.
- */
-@FunctionalInterface
-public interface ThrowingCustomizer<T> extends Customizer<T> {
-
-	/**
-	 * Default {@link Customizer#customize(Object)} that wraps any thrown checked
-	 * exceptions (by default in a {@link RuntimeException}).
-	 * @param t the object to customize
-	 */
-	default void customize(T t) {
-		try {
-			customizeWithException(t);
-		}
-		catch (RuntimeException ex) {
-			throw ex;
-		}
-		catch (Exception ex) {
-			throw new RuntimeException(ex);
-		}
-	}
-
-	/**
-	 * Performs the customization on the given object, possibly throwing a checked
-	 * exception.
-	 * @param t the object to customize
-	 * @throws Exception on error
-	 */
-	void customizeWithException(T t) throws Exception;
-
-}

config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

@@ -80,6 +80,15 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 		this(objectPostProcessor, false);
 	}
 
+	/**
+	 * @deprecated
+	 */
+	@Deprecated(since = "6.4", forRemoval = true)
+	protected AbstractConfiguredSecurityBuilder(
+			org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor) {
+		this(objectPostProcessor, false);
+	}
+
 	/***
 	 * Creates a new instance with the provided {@link ObjectPostProcessor}. This post
 	 * processor must support Object since there are many types of objects that may be
@@ -96,10 +105,22 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	}
 
 	/**
-	 * Similar to {@link SecurityBuilder#build()} and {@link #getObject()} but checks the
-	 * state to determine if {@link SecurityBuilder#build()} needs to be called first.
-	 * @return the result of {@link SecurityBuilder#build()} or {@link #getObject()}. If
-	 * an error occurs while building, returns null.
+	 * @deprecated
+	 */
+	@Deprecated(since = "6.4", forRemoval = true)
+	protected AbstractConfiguredSecurityBuilder(
+			org.springframework.security.config.annotation.ObjectPostProcessor<Object> objectPostProcessor,
+			boolean allowConfigurersOfSameType) {
+		Assert.notNull(objectPostProcessor, "objectPostProcessor cannot be null");
+		this.objectPostProcessor = objectPostProcessor;
+		this.allowConfigurersOfSameType = allowConfigurersOfSameType;
+	}
+
+	/**
+	 * Similar to {@link #build()} and {@link #getObject()} but checks the state to
+	 * determine if {@link #build()} needs to be called first.
+	 * @return the result of {@link #build()} or {@link #getObject()}. If an error occurs
+	 * while building, returns null.
 	 */
 	public O getOrBuild() {
 		if (!isUnbuilt()) {
@@ -114,6 +135,24 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 		}
 	}
 
+	/**
+	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
+	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
+	 * @param configurer
+	 * @return the {@link SecurityConfigurerAdapter} for further customizations
+	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use
+	 * {@link #with(SecurityConfigurerAdapter, Customizer)} instead.
+	 */
+	@Deprecated(since = "6.2", forRemoval = true)
+	@SuppressWarnings("unchecked")
+	public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer) throws Exception {
+		configurer.addObjectPostProcessor(this.objectPostProcessor);
+		configurer.setBuilder((B) this);
+		add(configurer);
+		return configurer;
+	}
+
 	/**
 	 * Applies a {@link SecurityConfigurer} to this {@link SecurityBuilder} overriding any
 	 * {@link SecurityConfigurer} of the exact same class. Note that object hierarchies
@@ -122,33 +161,11 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	 * @return the {@link SecurityConfigurerAdapter} for further customizations
 	 * @throws Exception
 	 */
-	public <C extends SecurityConfigurer<O, B>> C apply(C configurer) {
+	public <C extends SecurityConfigurer<O, B>> C apply(C configurer) throws Exception {
 		add(configurer);
 		return configurer;
 	}
 
-	/**
-	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
-	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
-	 *
-	 * <p>
-	 * A shortcut for applying a configurer as-is, or in other words: <code>
-	 *     .with(new MyConfigurer())
-	 * </code>
-	 *
-	 * <p>
-	 * Is identical to: <code>
-	 *     .with(new MyConfigurer(), Customizer.withDefaults())
-	 * </code>
-	 * @param configurer
-	 * @return the {@link SecurityBuilder} for further customizations
-	 * @throws Exception
-	 * @since 7.0
-	 */
-	public <C extends SecurityConfigurerAdapter<O, B>> B with(C configurer) {
-		return with(configurer, Customizer.withDefaults());
-	}
-
 	/**
 	 * Applies a {@link SecurityConfigurerAdapter} to this {@link SecurityBuilder} and
 	 * invokes {@link SecurityConfigurerAdapter#setBuilder(SecurityBuilder)}.
@@ -158,7 +175,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	 * @since 6.2
 	 */
 	@SuppressWarnings("unchecked")
-	public <C extends SecurityConfigurerAdapter<O, B>> B with(C configurer, Customizer<C> customizer) {
+	public <C extends SecurityConfigurerAdapter<O, B>> B with(C configurer, Customizer<C> customizer) throws Exception {
 		configurer.addObjectPostProcessor(this.objectPostProcessor);
 		configurer.setBuilder((B) this);
 		add(configurer);
@@ -326,7 +343,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	 * </ul>
 	 */
 	@Override
-	protected final O doBuild() {
+	protected final O doBuild() throws Exception {
 		synchronized (this.configurers) {
 			this.buildState = BuildState.INITIALIZING;
 			beforeInit();
@@ -346,7 +363,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	 * method. Subclasses may override this method to hook into the lifecycle without
 	 * using a {@link SecurityConfigurer}.
 	 */
-	protected void beforeInit() {
+	protected void beforeInit() throws Exception {
 	}
 
 	/**
@@ -355,17 +372,17 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	 * override this method to hook into the lifecycle without using a
 	 * {@link SecurityConfigurer}.
 	 */
-	protected void beforeConfigure() {
+	protected void beforeConfigure() throws Exception {
 	}
 
 	/**
 	 * Subclasses must implement this method to build the object that is being returned.
 	 * @return the Object to be buit or null if the implementation allows it
 	 */
-	protected abstract O performBuild();
+	protected abstract O performBuild() throws Exception;
 
 	@SuppressWarnings("unchecked")
-	private void init() {
+	private void init() throws Exception {
 		Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
 		for (SecurityConfigurer<O, B> configurer : configurers) {
 			configurer.init((B) this);
@@ -380,7 +397,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 	}
 
 	@SuppressWarnings("unchecked")
-	private void configure() {
+	private void configure() throws Exception {
 		Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
 		for (SecurityConfigurer<O, B> configurer : configurers) {
 			configurer.configure((B) this);

config/src/main/java/org/springframework/security/config/annotation/AbstractSecurityBuilder.java

@@ -33,7 +33,7 @@ public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O> {
 	private O object;
 
 	@Override
-	public final O build() {
+	public final O build() throws Exception {
 		if (this.building.compareAndSet(false, true)) {
 			this.object = doBuild();
 			return this.object;
@@ -55,9 +55,9 @@ public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O> {
 
 	/**
 	 * Subclasses should implement this to perform the build.
-	 * @return the object that should be returned by {@link SecurityBuilder#build()}.
+	 * @return the object that should be returned by {@link #build()}.
 	 * @throws Exception if an error occurs
 	 */
-	protected abstract O doBuild();
+	protected abstract O doBuild() throws Exception;
 
 }

config/src/main/java/org/springframework/security/config/annotation/AlreadyBuiltException.java

@@ -17,7 +17,7 @@
 package org.springframework.security.config.annotation;
 
 /**
- * Thrown when {@link SecurityBuilder#build()} is two or more times.
+ * Thrown when {@link AbstractSecurityBuilder#build()} is two or more times.
  *
  * @author Rob Winch
  * @since 3.2

config/src/main/java/org/springframework/security/config/annotation/ObjectPostProcessor.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation;
+
+import org.springframework.beans.factory.Aware;
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.InitializingBean;
+
+/**
+ * Allows initialization of Objects. Typically this is used to call the {@link Aware}
+ * methods, {@link InitializingBean#afterPropertiesSet()}, and ensure that
+ * {@link DisposableBean#destroy()} has been invoked.
+ *
+ * @param <T> the bound of the types of Objects this {@link ObjectPostProcessor} supports.
+ * @author Rob Winch
+ * @since 3.2
+ * @deprecated please use {@link org.springframework.security.config.ObjectPostProcessor}
+ * instead
+ */
+@Deprecated
+public interface ObjectPostProcessor<T> extends org.springframework.security.config.ObjectPostProcessor<T> {
+
+	/**
+	 * Initialize the object possibly returning a modified instance that should be used
+	 * instead.
+	 * @param object the object to initialize
+	 * @return the initialized version of the object
+	 */
+	<O extends T> O postProcess(O object);
+
+}

config/src/main/java/org/springframework/security/config/annotation/SecurityBuilder.java

@@ -30,6 +30,6 @@ public interface SecurityBuilder<O> {
 	 * @return the Object to be built or null if the implementation allows it.
 	 * @throws Exception if an error occurred when building the Object
 	 */
-	O build();
+	O build() throws Exception;
 
 }