Fix Nullability in WebInvocationPrivilegeEvaluator

Issue gh-17535
4 months ago · f13d8d5c75
4 changed files with 11 additions and 8 deletions
--- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
				@@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
 	}

 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}

 	@Override
 	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
-			Authentication authentication) {
+			@Nullable Authentication authentication) {
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
 		AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);
--- a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
				@@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 	 * be used)
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}

@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
				@@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 	 */
 	@Override
 	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
-			Authentication authentication) {
+			@Nullable Authentication authentication) {
 		Assert.notNull(uri, "uri parameter is required");
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()
--- a/web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java
@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
				@@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null);
 		if (privilegeEvaluators.isEmpty()) {
 			return true;
@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
				@@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
+	public boolean isAllowed(String contextPath, String uri, @Nullable String method,
+			@Nullable Authentication authentication) {
 		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method);
 		if (privilegeEvaluators.isEmpty()) {
 			return true;
--- a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
@ -16,6 +16,8 @@
				@@ -16,6 +16,8 @@

 package org.springframework.security.web.access;

+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;

 /**
@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
				@@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
 	 * @param uri the URI excluding the context path (a default context path setting will
 	 * be used)
 	 */
-	boolean isAllowed(String uri, Authentication authentication);
+	boolean isAllowed(String uri, @Nullable Authentication authentication);

 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
				@@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
 	 * be used in evaluation whether access should be granted.
 	 * @return true if access is allowed, false if denied
 	 */
-	boolean isAllowed(String contextPath, String uri, String method, Authentication authentication);
+	boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication);

 }