Enable null-safety in spring-security-oauth2-jose

Closes gh-17821

Author: jgrandja

config/src/test/kotlin/org/springframework/security/config/annotation/web/OAuth2ResourceServerDslTests.kt

@@ -147,7 +147,7 @@ class OAuth2ResourceServerDslTests {
     }
 
     class MockJwtDecoder: JwtDecoder {
-        override fun decode(token: String?): Jwt {
+        override fun decode(token: String): Jwt {
             return Jwt.withTokenValue("token")
                 .header("alg", "none")
                 .claim(SUB, "user")

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/JwtDslTests.kt

@@ -207,7 +207,7 @@ class JwtDslTests {
     }
 
     class MockJwtDecoder: JwtDecoder {
-        override fun decode(token: String?): Jwt {
+        override fun decode(token: String): Jwt {
             return Jwt.withTokenValue("some tokenValue").build()
         }
     }

config/src/test/kotlin/org/springframework/security/config/web/server/ServerJwtDslTests.kt

@@ -168,7 +168,7 @@ class ServerJwtDslTests {
     }
 
     class NullReactiveJwtDecoder: ReactiveJwtDecoder {
-        override fun decode(token: String?): Mono<Jwt> {
+        override fun decode(token: String): Mono<Jwt> {
             return Mono.empty()
         }
     }

docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/oauth2/resourceserver/customuserdetailsservice/UserDetailsJwtPrincipalConverter.kt

@@ -29,15 +29,16 @@ import org.springframework.stereotype.Component
 class UserDetailsJwtPrincipalConverter(private val users: UserDetailsService) : Converter<Jwt, OAuth2AuthenticatedPrincipal> {
 
 	override fun convert(jwt: Jwt): OAuth2AuthenticatedPrincipal {
-		val user = users.loadUserByUsername(jwt.subject)
+		val subject = jwt.subject ?: throw IllegalArgumentException("JWT subject is required")
+		val user = users.loadUserByUsername(subject)
 		return JwtUser(jwt, user)
 	}
 
 	private class JwtUser(private val jwt: Jwt, user: UserDetails) :
 		User(user.username, user.password, user.isEnabled, user.isAccountNonExpired, user.isCredentialsNonExpired, user.isAccountNonLocked, user.authorities),
 		OAuth2AuthenticatedPrincipal {
 
-		override fun getName(): String = jwt.subject
+		override fun getName(): String = jwt.subject ?: ""
 
 		override fun getAttributes(): Map<String, Any> = jwt.claims
 

oauth2/oauth2-jose/spring-security-oauth2-jose.gradle

@@ -1,5 +1,9 @@
+plugins {
+	id 'javadoc-warnings-error'
+	id 'security-nullability'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
-apply plugin: 'javadoc-warnings-error'
 
 dependencies {
 	management platform(project(":spring-security-dependencies"))

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/MacAlgorithm.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.jose.jws;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * An enumeration of the cryptographic algorithms defined by the JSON Web Algorithms (JWA)
  * specification and used by JSON Web Signature (JWS) to create a MAC of the contents of
@@ -69,7 +71,7 @@ public String getName() {
 	 * @param name the algorithm name
 	 * @return the resolved {@code MacAlgorithm}, or {@code null} if not found
 	 */
-	public static MacAlgorithm from(String name) {
+	public static @Nullable MacAlgorithm from(String name) {
 		for (MacAlgorithm algorithm : values()) {
 			if (algorithm.getName().equals(name)) {
 				return algorithm;

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/SignatureAlgorithm.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.oauth2.jose.jws;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * An enumeration of the cryptographic algorithms defined by the JSON Web Algorithms (JWA)
  * specification and used by JSON Web Signature (JWS) to digitally sign the contents of
@@ -99,7 +101,7 @@ public String getName() {
 	 * @param name the algorithm name
 	 * @return the resolved {@code SignatureAlgorithm}, or {@code null} if not found
 	 */
-	public static SignatureAlgorithm from(String name) {
+	public static @Nullable SignatureAlgorithm from(String name) {
 		for (SignatureAlgorithm value : values()) {
 			if (value.getName().equals(name)) {
 				return value;

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Core classes and interfaces providing support for JSON Web Signature (JWS).
  */
+@NullMarked
 package org.springframework.security.oauth2.jose.jws;
+
+import org.jspecify.annotations.NullMarked;

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/package-info.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Core classes and interfaces providing support for JavaScript Object Signing and
+ * Encryption (JOSE).
+ */
+@NullMarked
+package org.springframework.security.oauth2.jose;
+
+import org.jspecify.annotations.NullMarked;

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/DPoPProofContext.java

@@ -18,7 +18,8 @@
 
 import java.net.URI;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.util.Assert;
 
@@ -38,7 +39,7 @@ public final class DPoPProofContext {
 
 	private final String targetUri;
 
-	private final OAuth2Token accessToken;
+	private final @Nullable OAuth2Token accessToken;
 
 	private DPoPProofContext(String dPoPProof, String method, String targetUri, @Nullable OAuth2Token accessToken) {
 		this.dPoPProof = dPoPProof;
@@ -82,8 +83,7 @@ public String getTargetUri() {
 	 * {@code null}
 	 */
 	@SuppressWarnings("unchecked")
-	@Nullable
-	public <T extends OAuth2Token> T getAccessToken() {
+	public @Nullable <T extends OAuth2Token> T getAccessToken() {
 		return (T) this.accessToken;
 	}
 
@@ -103,11 +103,11 @@ public static final class Builder {
 
 		private String dPoPProof;
 
-		private String method;
+		private @Nullable String method;
 
-		private String targetUri;
+		private @Nullable String targetUri;
 
-		private OAuth2Token accessToken;
+		private @Nullable OAuth2Token accessToken;
 
 		private Builder(String dPoPProof) {
 			Assert.hasText(dPoPProof, "dPoPProof cannot be empty");
@@ -144,7 +144,7 @@ public Builder targetUri(String targetUri) {
 		 * request
 		 * @return the {@link Builder}
 		 */
-		public Builder accessToken(OAuth2Token accessToken) {
+		public Builder accessToken(@Nullable OAuth2Token accessToken) {
 			this.accessToken = accessToken;
 			return this;
 		}
@@ -154,13 +154,13 @@ public Builder accessToken(OAuth2Token accessToken) {
 		 * @return a {@link DPoPProofContext}
 		 */
 		public DPoPProofContext build() {
+			Assert.hasText(this.method, "method cannot be empty");
+			Assert.hasText(this.targetUri, "targetUri cannot be empty");
 			validate();
 			return new DPoPProofContext(this.dPoPProof, this.method, this.targetUri, this.accessToken);
 		}
 
 		private void validate() {
-			Assert.hasText(this.method, "method cannot be empty");
-			Assert.hasText(this.targetUri, "targetUri cannot be empty");
 			if (!"GET".equals(this.method) && !"HEAD".equals(this.method) && !"POST".equals(this.method)
 					&& !"PUT".equals(this.method) && !"PATCH".equals(this.method) && !"DELETE".equals(this.method)
 					&& !"OPTIONS".equals(this.method) && !"TRACE".equals(this.method)) {