Fix Nullability in WebInvocationPrivilegeEvaluator

Issue gh-17535

Author: rwinch

web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java

@@ -50,13 +50,13 @@ public AuthorizationManagerWebInvocationPrivilegeEvaluator(
 	}
 
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}
 
 	@Override
 	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
-			Authentication authentication) {
+			@Nullable Authentication authentication) {
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
 		AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);

web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java

@@ -65,7 +65,7 @@ public DefaultWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securi
 	 * be used)
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}
 
@@ -88,7 +88,7 @@ public boolean isAllowed(String uri, Authentication authentication) {
 	 */
 	@Override
 	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
-			Authentication authentication) {
+			@Nullable Authentication authentication) {
 		Assert.notNull(uri, "uri parameter is required");
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()

web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java

@@ -73,7 +73,7 @@ public RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null);
 		if (privilegeEvaluators.isEmpty()) {
 			return true;
@@ -106,7 +106,8 @@ public boolean isAllowed(String uri, Authentication authentication) {
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
+	public boolean isAllowed(String contextPath, String uri, @Nullable String method,
+			@Nullable Authentication authentication) {
 		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method);
 		if (privilegeEvaluators.isEmpty()) {
 			return true;

web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.access;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
 	 * @param uri the URI excluding the context path (a default context path setting will
 	 * be used)
 	 */
-	boolean isAllowed(String uri, Authentication authentication);
+	boolean isAllowed(String uri, @Nullable Authentication authentication);
 
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
@@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
 	 * be used in evaluation whether access should be granted.
 	 * @return true if access is allowed, false if denied
 	 */
-	boolean isAllowed(String contextPath, String uri, String method, Authentication authentication);
+	boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication);
 
 }