Switch to JSpecify annotations in spring-security-core

core/src/main/java/org/springframework/security/authentication/AuthenticationObservationConvention.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,9 +21,7 @@
 import io.micrometer.common.KeyValues;
 import io.micrometer.observation.Observation;
 import io.micrometer.observation.ObservationConvention;
-import org.jetbrains.annotations.NotNull;
-
-import org.springframework.lang.NonNull;
+import org.jspecify.annotations.NonNull;
 
 /**
  * An {@link ObservationConvention} for translating authentications into
@@ -63,7 +61,7 @@ public String getContextualName(AuthenticationObservationContext context) {
 	/**
 	 * {@inheritDoc}
 	 */
-	@NotNull
+	@NonNull
 	@Override
 	public KeyValues getLowCardinalityKeyValues(@NonNull AuthenticationObservationContext context) {
 		return KeyValues.of("authentication.request.type", getAuthenticationType(context))
@@ -104,7 +102,7 @@ private String getAuthenticationFailureType(AuthenticationObservationContext con
 	 * {@inheritDoc}
 	 */
 	@Override
-	public boolean supportsContext(@NotNull Observation.Context context) {
+	public boolean supportsContext(Observation.@NonNull Context context) {
 		return context instanceof AuthenticationObservationContext;
 	}
 

core/src/main/java/org/springframework/security/authentication/ott/InMemoryOneTimeTokenService.java

@@ -22,7 +22,8 @@
 import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 
-import org.springframework.lang.NonNull;
+import org.jspecify.annotations.NonNull;
+
 import org.springframework.util.Assert;
 
 /**
@@ -41,8 +42,7 @@ public final class InMemoryOneTimeTokenService implements OneTimeTokenService {
 	private Clock clock = Clock.systemUTC();
 
 	@Override
-	@NonNull
-	public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
+	@NonNull public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
 		String token = UUID.randomUUID().toString();
 		Instant expiresAt = this.clock.instant().plus(request.getExpiresIn());
 		OneTimeToken ott = new DefaultOneTimeToken(token, request.getUsername(), expiresAt);

core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,8 @@
 
 package org.springframework.security.authentication.ott;
 
-import org.springframework.lang.NonNull;
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.NonNull;
+import org.jspecify.annotations.Nullable;
 
 /**
  * Interface for generating and consuming one-time tokens.
@@ -33,16 +33,14 @@ public interface OneTimeTokenService {
 	 * generate the token
 	 * @return the generated {@link OneTimeToken}, never {@code null}.
 	 */
-	@NonNull
-	OneTimeToken generate(GenerateOneTimeTokenRequest request);
+	@NonNull OneTimeToken generate(GenerateOneTimeTokenRequest request);
 
 	/**
 	 * Consumes a one-time token based on the provided authentication token.
 	 * @param authenticationToken the authentication token containing the one-time token
 	 * value to be consumed
 	 * @return the consumed {@link OneTimeToken} or {@code null} if the token is invalid
 	 */
-	@Nullable
-	OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken);
+	@Nullable OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken);
 
 }

core/src/main/java/org/springframework/security/authentication/password/CompromisedPasswordChecker.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
 
 package org.springframework.security.authentication.password;
 
-import org.springframework.lang.NonNull;
+import org.jspecify.annotations.NonNull;
 
 /**
  * An API for checking if a password has been compromised.
@@ -31,7 +31,6 @@ public interface CompromisedPasswordChecker {
 	 * @param password the password to check
 	 * @return a non-null {@link CompromisedPasswordDecision}
 	 */
-	@NonNull
-	CompromisedPasswordDecision check(String password);
+	@NonNull CompromisedPasswordDecision check(String password);
 
 }

core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java

@@ -18,7 +18,8 @@
 
 import java.util.function.Supplier;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 
@@ -53,7 +54,6 @@ default void verify(Supplier<Authentication> authentication, T object) {
 	 * @return an {@link AuthorizationResult}
 	 * @since 6.4
 	 */
-	@Nullable
-	AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
+	@Nullable AuthorizationResult authorize(Supplier<Authentication> authentication, T object);
 
 }

core/src/main/java/org/springframework/security/authorization/method/AbstractAuthorizationManagerRegistry.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,9 +21,9 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NonNull;
 
 import org.springframework.core.MethodClassKey;
-import org.springframework.lang.NonNull;
 import org.springframework.security.authorization.AuthorizationManager;
 
 /**
@@ -57,7 +57,6 @@ final AuthorizationManager<MethodInvocation> getManager(MethodInvocation methodI
 	 * @param targetClass the target class
 	 * @return the non-null {@link AuthorizationManager}
 	 */
-	@NonNull
-	abstract AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> targetClass);
+	@NonNull abstract AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> targetClass);
 
 }

core/src/main/java/org/springframework/security/authorization/method/AbstractExpressionAttributeRegistry.java

@@ -21,9 +21,9 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NonNull;
 
 import org.springframework.core.MethodClassKey;
-import org.springframework.lang.NonNull;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
@@ -86,8 +86,7 @@ void setExpressionHandler(MethodSecurityExpressionHandler expressionHandler) {
 	 * @param targetClass the target class
 	 * @return the non-null {@link ExpressionAttribute}
 	 */
-	@NonNull
-	abstract T resolveAttribute(Method method, Class<?> targetClass);
+	@NonNull abstract T resolveAttribute(Method method, Class<?> targetClass);
 
 	Class<?> targetClass(Method method, Class<?> targetClass) {
 		return (targetClass != null) ? targetClass : method.getDeclaringClass();

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -40,6 +40,7 @@
 
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NonNull;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
@@ -49,7 +50,6 @@
 import org.springframework.aop.framework.ProxyFactory;
 import org.springframework.beans.factory.SmartInitializingSingleton;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
-import org.springframework.lang.NonNull;
 import org.springframework.security.authorization.AuthorizationProxyFactory;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
@@ -278,8 +278,7 @@ public void setTargetVisitor(TargetVisitor visitor) {
 	}
 
 	@Override
-	@NonNull
-	public Iterator<AuthorizationAdvisor> iterator() {
+	@NonNull public Iterator<AuthorizationAdvisor> iterator() {
 		return this.advisors.iterator();
 	}
 

core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java

@@ -28,8 +28,8 @@
 import jakarta.annotation.security.PermitAll;
 import jakarta.annotation.security.RolesAllowed;
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.NonNull;
 
-import org.springframework.lang.NonNull;
 import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationResult;

core/src/main/java/org/springframework/security/authorization/method/MethodAuthorizationDeniedHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,8 +17,8 @@
 package org.springframework.security.authorization.method;
 
 import org.aopalliance.intercept.MethodInvocation;
+import org.jspecify.annotations.Nullable;
 
-import org.springframework.lang.Nullable;
 import org.springframework.security.authorization.AuthorizationResult;
 
 /**
@@ -41,8 +41,7 @@ public interface MethodAuthorizationDeniedHandler {
 	 * @return a replacement result for the denied method invocation, or null, or a
 	 * {@link reactor.core.publisher.Mono} for reactive applications
 	 */
-	@Nullable
-	Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult);
+	@Nullable Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult);
 
 	/**
 	 * Handle denied method invocations, implementations might either throw an
@@ -56,8 +55,7 @@ public interface MethodAuthorizationDeniedHandler {
 	 * @return a replacement result for the denied method invocation, or null, or a
 	 * {@link reactor.core.publisher.Mono} for reactive applications
 	 */
-	@Nullable
-	default Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult,
+	@Nullable default Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult,
 			AuthorizationResult authorizationResult) {
 		return handleDeniedInvocation(methodInvocationResult.getMethodInvocation(), authorizationResult);
 	}

core/src/main/java/org/springframework/security/authorization/method/PostFilterExpressionAttributeRegistry.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,8 +18,9 @@
 
 import java.lang.reflect.Method;
 
+import org.jspecify.annotations.NonNull;
+
 import org.springframework.expression.Expression;
-import org.springframework.lang.NonNull;
 import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java

@@ -20,9 +20,10 @@
 import java.util.Arrays;
 import java.util.function.Function;
 
+import org.jspecify.annotations.NonNull;
+
 import org.springframework.context.ApplicationContext;
 import org.springframework.expression.Expression;
-import org.springframework.lang.NonNull;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;

core/src/main/java/org/springframework/security/authorization/method/PreFilterExpressionAttributeRegistry.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,8 +18,9 @@
 
 import java.lang.reflect.Method;
 
+import org.jspecify.annotations.NonNull;
+
 import org.springframework.expression.Expression;
-import org.springframework.lang.NonNull;
 import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;

core/src/main/java/org/springframework/security/converter/RsaKeyConverters.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,8 +34,9 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
+import org.jspecify.annotations.NonNull;
+
 import org.springframework.core.convert.converter.Converter;
-import org.springframework.lang.NonNull;
 import org.springframework.util.Assert;
 
 /**
@@ -162,8 +163,7 @@ private static class X509PemDecoder implements Converter<List<String>, RSAPublic
 		}
 
 		@Override
-		@NonNull
-		public RSAPublicKey convert(List<String> lines) {
+		@NonNull public RSAPublicKey convert(List<String> lines) {
 			StringBuilder base64Encoded = new StringBuilder();
 			for (String line : lines) {
 				if (isNotX509PemWrapper(line)) {
@@ -194,8 +194,7 @@ private static class X509CertificateDecoder implements Converter<List<String>, R
 		}
 
 		@Override
-		@NonNull
-		public RSAPublicKey convert(List<String> lines) {
+		@NonNull public RSAPublicKey convert(List<String> lines) {
 			StringBuilder base64Encoded = new StringBuilder();
 			for (String line : lines) {
 				if (isNotX509CertificateWrapper(line)) {

core/src/main/java/org/springframework/security/core/annotation/AbstractSecurityAnnotationScanner.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,8 +21,9 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.core.annotation.MergedAnnotation;
-import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 
 /**

core/src/main/java/org/springframework/security/core/annotation/SecurityAnnotationScanner.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
 
 /**
  * An interface to scan for and synthesize an annotation on a type, method, or method
@@ -62,8 +62,7 @@ public interface SecurityAnnotationScanner<A extends Annotation> {
 	 * @param targetClass the target class for the method
 	 * @return the synthesized annotation or {@code null} if not found
 	 */
-	@Nullable
-	A scan(Method method, Class<?> targetClass);
+	@Nullable A scan(Method method, Class<?> targetClass);
 
 	/**
 	 * Scan for an annotation of type {@code A}, starting from the given method parameter.
@@ -78,7 +77,6 @@ public interface SecurityAnnotationScanner<A extends Annotation> {
 	 * @param element the element to search
 	 * @return the synthesized annotation or {@code null} if not found
 	 */
-	@Nullable
-	A scan(Parameter parameter);
+	@Nullable A scan(Parameter parameter);
 
 }