Merge branch 'main' into gh-18452

Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com>

Author: rwinch

aspects/spring-security-aspects.gradle

@@ -1,13 +1,16 @@
 apply plugin: 'io.spring.convention.spring-module'
 apply plugin: 'io.freefair.aspectj'
+apply plugin: 'compile-warnings-error'
 
 compileAspectj {
 	sourceCompatibility = "17"
 	targetCompatibility = "17"
+	ajcOptions.compilerArgs += ['-Xlint:ignore']
 }
 compileTestAspectj {
 	sourceCompatibility = "17"
 	targetCompatibility = "17"
+	ajcOptions.compilerArgs += ['-Xlint:ignore']
 }
 
 dependencies {

cas/spring-security-cas.gradle

@@ -1,6 +1,7 @@
 plugins {
 	id 'security-nullability'
 	id 'javadoc-warnings-error'
+	id 'compile-warnings-error'
 }
 
 apply plugin: 'io.spring.convention.spring-module'

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java

@@ -91,7 +91,8 @@ public final void commence(final HttpServletRequest servletRequest, HttpServletR
 	 */
 	protected String createServiceUrl(HttpServletRequest request, HttpServletResponse response) {
 		return WebUtils.constructServiceUrl(null, response, this.serviceProperties.getService(), null,
-				this.serviceProperties.getArtifactParameter(), this.encodeServiceUrlWithSessionId);
+				this.serviceProperties.getServiceParameter(), this.serviceProperties.getArtifactParameter(),
+				this.encodeServiceUrlWithSessionId);
 	}
 
 	/**

config/src/integration-test/java/org/springframework/security/config/ldap/LdapBindAuthenticationManagerFactoryITests.java

@@ -20,6 +20,7 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import org.jspecify.annotations.NullMarked;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -98,12 +99,14 @@ public void authenticationManagerFactoryWhenCustomAuthoritiesMapperThenUsed() th
 	public void authenticationManagerFactoryWhenCustomUserDetailsContextMapperThenUsed() throws Exception {
 		CustomUserDetailsContextMapperConfig.CONTEXT_MAPPER = new UserDetailsContextMapper() {
 			@Override
+			@NullMarked
 			public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
 					Collection<? extends GrantedAuthority> authorities) {
 				return User.withUsername("other").password("password").roles("USER").build();
 			}
 
 			@Override
+			@NullMarked
 			public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
 			}
 		};

core/src/main/java/org/springframework/security/authentication/TestingAuthenticationToken.java

@@ -38,30 +38,30 @@ public class TestingAuthenticationToken extends AbstractAuthenticationToken {
 
 	private static final long serialVersionUID = 1L;
 
-	private final Object credentials;
+	private final @Nullable Object credentials;
 
 	private final Object principal;
 
-	public TestingAuthenticationToken(Object principal, Object credentials) {
+	public TestingAuthenticationToken(Object principal, @Nullable Object credentials) {
 		super((Collection<? extends GrantedAuthority>) null);
 		this.principal = principal;
 		this.credentials = credentials;
 	}
 
-	public TestingAuthenticationToken(Object principal, Object credentials, String... authorities) {
+	public TestingAuthenticationToken(Object principal, @Nullable Object credentials, String... authorities) {
 		this(principal, credentials, AuthorityUtils.createAuthorityList(authorities));
 	}
 
-	public TestingAuthenticationToken(Object principal, Object credentials, GrantedAuthority... authorities) {
+	public TestingAuthenticationToken(Object principal, @Nullable Object credentials, GrantedAuthority... authorities) {
 		this(principal, credentials, Arrays.asList(authorities));
 	}
 
-	public TestingAuthenticationToken(Object principal, Object credentials,
+	public TestingAuthenticationToken(Object principal, @Nullable Object credentials,
 			List<? extends GrantedAuthority> authorities) {
 		this(principal, credentials, (Collection<? extends GrantedAuthority>) authorities);
 	}
 
-	public TestingAuthenticationToken(Object principal, Object credentials,
+	public TestingAuthenticationToken(Object principal, @Nullable Object credentials,
 			Collection<? extends GrantedAuthority> authorities) {
 		super(authorities);
 		this.principal = principal;
@@ -76,7 +76,7 @@ protected TestingAuthenticationToken(Builder<?> builder) {
 	}
 
 	@Override
-	public Object getCredentials() {
+	public @Nullable Object getCredentials() {
 		return this.credentials;
 	}
 
@@ -99,7 +99,7 @@ public static class Builder<B extends Builder<B>> extends AbstractAuthentication
 
 		private Object principal;
 
-		private Object credentials;
+		private @Nullable Object credentials;
 
 		protected Builder(TestingAuthenticationToken token) {
 			super(token);
@@ -116,7 +116,6 @@ public B principal(@Nullable Object principal) {
 
 		@Override
 		public B credentials(@Nullable Object credentials) {
-			Assert.notNull(credentials, "credentials cannot be null");
 			this.credentials = credentials;
 			return (B) this;
 		}

core/src/main/java/org/springframework/security/authorization/RequiredFactor.java

@@ -122,7 +122,7 @@ public static class Builder {
 		 * @param authority the authority.
 		 * @return the builder.
 		 */
-		public Builder authority(String authority) {
+		public Builder authority(@Nullable String authority) {
 			this.authority = authority;
 			return this;
 		}
@@ -205,7 +205,7 @@ public Builder x509Authority() {
 		 * @param validDuration the {@link Duration}.
 		 * @return
 		 */
-		public Builder validDuration(Duration validDuration) {
+		public Builder validDuration(@Nullable Duration validDuration) {
 			this.validDuration = validDuration;
 			return this;
 		}

data/spring-security-data.gradle

@@ -4,6 +4,7 @@ plugins {
 }
 
 apply plugin: 'io.spring.convention.spring-module'
+apply plugin: 'compile-warnings-error'
 
 dependencies {
 	management platform(project(":spring-security-dependencies"))

data/src/test/java/org/springframework/security/data/repository/query/SecurityEvaluationContextExtensionTests.java

@@ -27,6 +27,7 @@
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.context.SecurityContextImpl;
@@ -90,6 +91,7 @@ public void getRootObjectExplicitAuthentication() {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setTrustResolverWhenNullThenIllegalArgumentException() {
 		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_EXPLICIT");
 		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
@@ -98,6 +100,7 @@ public void setTrustResolverWhenNullThenIllegalArgumentException() {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setTrustResolverWhenNotNullThenVerifyRootObject() {
 		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_EXPLICIT");
 		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
@@ -109,6 +112,7 @@ public void setTrustResolverWhenNotNullThenVerifyRootObject() {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setRoleHierarchyWhenNullThenIllegalArgumentException() {
 		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_EXPLICIT");
 		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
@@ -117,6 +121,7 @@ public void setRoleHierarchyWhenNullThenIllegalArgumentException() {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setRoleHierarchyWhenNotNullThenVerifyRootObject() {
 		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_PARENT");
 		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
@@ -143,6 +148,7 @@ public void setPermissionEvaluatorWhenNotNullThenVerifyRootObject() {
 	}
 
 	@Test
+	@SuppressWarnings("deprecation")
 	public void setDefaultRolePrefixWhenCustomThenVerifyRootObject() {
 		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "CUSTOM_EXPLICIT");
 		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
@@ -151,6 +157,41 @@ public void setDefaultRolePrefixWhenCustomThenVerifyRootObject() {
 		assertThat(getRoot().hasRole("EXPLICIT")).isTrue();
 	}
 
+	@Test
+	public void setAuthorizationManagerFactoryWithTrustResolverThenVerifyRootObject() {
+		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_EXPLICIT");
+		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
+		AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class);
+		given(trustResolver.isAuthenticated(explicit)).willReturn(true);
+		DefaultAuthorizationManagerFactory<Object> factory = new DefaultAuthorizationManagerFactory<>();
+		factory.setTrustResolver(trustResolver);
+		this.securityExtension.setAuthorizationManagerFactory(factory);
+		assertThat(getRoot().isAuthenticated()).isTrue();
+		verify(trustResolver).isAuthenticated(explicit);
+	}
+
+	@Test
+	public void setAuthorizationManagerFactoryWithRoleHierarchyThenVerifyRootObject() {
+		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_PARENT");
+		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
+		RoleHierarchy roleHierarchy = RoleHierarchyImpl.fromHierarchy("ROLE_PARENT > ROLE_EXPLICIT");
+		DefaultAuthorizationManagerFactory<Object> factory = new DefaultAuthorizationManagerFactory<>();
+		factory.setRoleHierarchy(roleHierarchy);
+		this.securityExtension.setAuthorizationManagerFactory(factory);
+		assertThat(getRoot().hasRole("EXPLICIT")).isTrue();
+	}
+
+	@Test
+	public void setAuthorizationManagerFactoryWithRolePrefixThenVerifyRootObject() {
+		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "CUSTOM_EXPLICIT");
+		this.securityExtension = new SecurityEvaluationContextExtension(explicit);
+		String customRolePrefix = "CUSTOM_";
+		DefaultAuthorizationManagerFactory<Object> factory = new DefaultAuthorizationManagerFactory<>();
+		factory.setRolePrefix(customRolePrefix);
+		this.securityExtension.setAuthorizationManagerFactory(factory);
+		assertThat(getRoot().hasRole("EXPLICIT")).isTrue();
+	}
+
 	@Test
 	public void getRootObjectWhenAdditionalFieldsNotSetThenVerifyDefaults() {
 		TestingAuthenticationToken explicit = new TestingAuthenticationToken("explicit", "password", "ROLE_EXPLICIT");

docs/spring-security-docs.gradle

@@ -6,6 +6,7 @@ plugins {
 	id 'java-toolchain'
 	id 'test-compile-target-jdk25'
 	id 'javadoc-warnings-error'
+	id 'compile-warnings-error'
 }
 
 apply plugin: 'io.spring.convention.docs'

docs/src/test/kotlin/org/springframework/security/kt/docs/features/authentication/authenticationcompromisedpasswordcheck/CompromisedPasswordCheckerUsage.kt

@@ -15,7 +15,7 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationFa
 import org.springframework.security.web.authentication.password.HaveIBeenPwnedRestApiPasswordChecker
 
 
-class CompromisedPasswordCheckerUsage {
+open class CompromisedPasswordCheckerUsage {
     // tag::configuration[]
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {