spring-projects · rwinch · Jan 21, 2026 · Jan 13, 2026 · Jan 13, 2026 · Jan 13, 2026
diff --git a/.../main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java b/.../main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
@@ -24,7 +24,6 @@
 import org.apereo.cas.client.validation.Assertion;
 import org.apereo.cas.client.validation.TicketValidationException;
 import org.apereo.cas.client.validation.TicketValidator;
-import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.InitializingBean;
@@ -166,7 +165,6 @@ private CasAuthenticationToken authenticateNow(final Authentication authenticati
 	 * @param authentication
 	 * @return
 	 */
-	@NullUnmarked
 	private @Nullable String getServiceUrl(Authentication authentication) {
 		String serviceUrl;
 		if (authentication.getDetails() instanceof ServiceAuthenticationDetails) {

diff --git a/...rg/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java b/...rg/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
@@ -19,7 +19,7 @@
 import java.lang.reflect.Method;
 
 import org.aopalliance.intercept.MethodInvocation;
-import org.jspecify.annotations.NullUnmarked;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.aop.framework.AopProxyUtils;
 import org.springframework.aop.support.AopUtils;
@@ -45,13 +45,11 @@ class MethodSecurityEvaluationContext extends MethodBasedEvaluationContext {
 	 * for each instance. Use the constructor which takes the resolver, as an argument
 	 * thus allowing for caching.
 	 */
-	MethodSecurityEvaluationContext(Authentication user, MethodInvocation mi) {
+	MethodSecurityEvaluationContext(@Nullable Authentication user, MethodInvocation mi) {
 		this(user, mi, new DefaultSecurityParameterNameDiscoverer());
 	}
 
-	@NullUnmarked // FIXME: rootObject in MethodBasedEvaluationContext is non-null
-					// (probably needs changed) but StandardEvaluationContext is Nullable
-	MethodSecurityEvaluationContext(Authentication user, MethodInvocation mi,
+	MethodSecurityEvaluationContext(@Nullable Authentication user, MethodInvocation mi,
 			ParameterNameDiscoverer parameterNameDiscoverer) {
 		super(mi.getThis(), getSpecificMethod(mi), mi.getArguments(), parameterNameDiscoverer);
 	}

diff --git a/...curity/messaging/handler/invocation/reactive/AuthenticationPrincipalArgumentResolver.java b/...curity/messaging/handler/invocation/reactive/AuthenticationPrincipalArgumentResolver.java
@@ -18,7 +18,6 @@
 
 import java.lang.annotation.Annotation;
 
-import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 import org.reactivestreams.Publisher;
 import reactor.core.publisher.Mono;
@@ -152,9 +151,11 @@ public Mono<Object> resolveArgument(MethodParameter parameter, Message<?> messag
 		// @formatter:on
 	}
 
-	@NullUnmarked
 	private @Nullable Object resolvePrincipal(MethodParameter parameter, @Nullable Object principal) {
 		AuthenticationPrincipal authPrincipal = findMethodAnnotation(parameter);
+		if (authPrincipal == null) {
+			return null;
+		}
 		String expressionToParse = authPrincipal.expression();
 		if (StringUtils.hasLength(expressionToParse)) {
 			StandardEvaluationContext context = new StandardEvaluationContext();

diff --git a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AbstractAuthorizeTag.java
@@ -24,7 +24,6 @@
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
-import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.context.ApplicationContext;
@@ -180,7 +179,6 @@ public void setUrl(String url) {
 		return this.method;
 	}
 
-	@NullUnmarked
 	public void setMethod(String method) {
 		this.method = (method != null) ? method.toUpperCase(Locale.ENGLISH) : null;
 	}

diff --git a/...ringframework/security/test/context/support/WithSecurityContextTestExecutionListener.java b/...ringframework/security/test/context/support/WithSecurityContextTestExecutionListener.java
@@ -20,14 +20,15 @@
 import java.lang.reflect.AnnotatedElement;
 import java.util.function.Supplier;
 
-import org.jspecify.annotations.NullUnmarked;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.BeanUtils;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.GenericTypeResolver;
 import org.springframework.core.annotation.AnnotatedElementUtils;
 import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.core.annotation.MergedAnnotation;
+import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -40,6 +41,7 @@
 import org.springframework.test.context.TestExecutionListener;
 import org.springframework.test.context.support.AbstractTestExecutionListener;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.util.Assert;
 
 /**
  * A {@link TestExecutionListener} that will find annotations that are annotated with
@@ -79,7 +81,6 @@ public class WithSecurityContextTestExecutionListener extends AbstractTestExecut
 	 * {@link WithSecurityContext} on it. If that is not found, the class is inspected. If
 	 * still not found, then no {@link SecurityContext} is populated.
 	 */
-	@NullUnmarked
 	@Override
 	public void beforeTestMethod(TestContext testContext) {
 		TestSecurityContext testSecurityContext = createTestSecurityContext(testContext.getTestMethod(), testContext);
@@ -102,7 +103,6 @@ public void beforeTestMethod(TestContext testContext) {
 	 * If configured before test execution sets the SecurityContext
 	 * @since 5.1
 	 */
-	@NullUnmarked
 	@Override
 	public void beforeTestExecution(TestContext testContext) {
 		Supplier<SecurityContext> supplier = (Supplier<SecurityContext>) testContext
@@ -129,7 +129,6 @@ public void beforeTestExecution(TestContext testContext) {
 		return createTestSecurityContext(rootDeclaringClass, withSecurityContext, context);
 	}
 
-	@NullUnmarked
 	@SuppressWarnings({ "rawtypes", "unchecked" })
 	private @Nullable TestSecurityContext createTestSecurityContext(AnnotatedElement annotated,
 			@Nullable WithSecurityContext withSecurityContext, TestContext context) {
@@ -140,7 +139,9 @@ public void beforeTestExecution(TestContext testContext) {
 		WithSecurityContextFactory factory = createFactory(withSecurityContext, context);
 		Class<? extends Annotation> type = (Class<? extends Annotation>) GenericTypeResolver
 			.resolveTypeArgument(factory.getClass(), WithSecurityContextFactory.class);
+		Assert.isTrue(type != null, factory.getClass() + " must specify a Type argument");
 		Annotation annotation = findAnnotation(annotated, type);
+		Assert.isTrue(annotation != null, "No annotation found for " + type + " on " + annotated);
 		Supplier<SecurityContext> supplier = () -> {
 			try {
 				return factory.createSecurityContext(annotation);
@@ -153,22 +154,23 @@ public void beforeTestExecution(TestContext testContext) {
 		return new TestSecurityContext(supplier, initialize);
 	}
 
-	@NullUnmarked
-	private @Nullable Annotation findAnnotation(AnnotatedElement annotated,
-			@Nullable Class<? extends Annotation> type) {
+	private @Nullable Annotation findAnnotation(AnnotatedElement annotated, Class<? extends Annotation> type) {
 		Annotation findAnnotation = AnnotatedElementUtils.findMergedAnnotation(annotated, type);
 		if (findAnnotation != null) {
 			return findAnnotation;
 		}
-		Annotation[] allAnnotations = AnnotationUtils.getAnnotations(annotated);
-		for (Annotation annotationToTest : allAnnotations) {
-			WithSecurityContext withSecurityContext = AnnotationUtils.findAnnotation(annotationToTest.annotationType(),
-					WithSecurityContext.class);
-			if (withSecurityContext != null) {
-				return annotationToTest;
-			}
-		}
-		return null;
+		MergedAnnotations allAnnotations = MergedAnnotations.from(annotated);
+		// @formatter:off
+		return allAnnotations.stream()
+			.filter((annotationToTest) -> {
+				WithSecurityContext withSecurityContext = AnnotationUtils.findAnnotation(annotationToTest.getType(),
+						WithSecurityContext.class);
+				return withSecurityContext != null;
+			})
+			.map(MergedAnnotation::synthesize)
+			.findFirst()
+			.orElse(null);
+		// @formatter:on
 	}
 
 	private WithSecurityContextFactory<? extends Annotation> createFactory(WithSecurityContext withSecurityContext,
@@ -189,7 +191,6 @@ private WithSecurityContextFactory<? extends Annotation> createFactory(WithSecur
 	 * Clears out the {@link TestSecurityContextHolder} and the
 	 * {@link SecurityContextHolder} after each test method.
 	 */
-	@NullUnmarked
 	@Override
 	public void afterTestMethod(TestContext testContext) {
 		this.securityContextHolderStrategyConverter.convert(testContext).clearContext();