Feature/added j specify nullity check in saml2 service provider

saml2/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle

@@ -1,3 +1,7 @@
+plugins {
+	id 'security-nullability'
+}
+
 apply plugin: 'io.spring.convention.spring-module'
 
 configurations {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.core;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/internal/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.internal;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Jackson 3+ serialization support for SAML2.
  */
+@NullMarked
 package org.springframework.security.saml2.jackson;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/package-info.java

@@ -17,4 +17,7 @@
 /**
  * Jackson 2 serialization support for SAML2.
  */
+@NullMarked
 package org.springframework.security.saml2.jackson2;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java

@@ -20,7 +20,7 @@
 import java.util.List;
 import java.util.Map;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
 import org.springframework.security.core.AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.CollectionUtils;
@@ -76,6 +76,7 @@ default Map<String, List<Object>> getAttributes() {
 	 * @return the {@link RelyingPartyRegistration} identifier
 	 * @since 5.6
 	 */
+	@Nullable	
 	default String getRelyingPartyRegistrationId() {
 		return null;
 	}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.provider.service.authentication.logout;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.provider.service.metadata;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.provider.service;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadataRepository.java

@@ -16,7 +16,7 @@
 
 package org.springframework.security.saml2.provider.service.registration;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
 
 /**
  * A repository for retrieving SAML 2.0 Asserting Party Metadata

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/BaseOpenSamlAssertingPartyMetadataRepository.java

@@ -20,6 +20,7 @@
 import java.util.Set;
 import java.util.function.Supplier;
 
+import org.jspecify.annotations.Nullable;
 import org.opensaml.core.criterion.EntityIdCriterion;
 import org.opensaml.saml.criterion.EntityRoleCriterion;
 import org.opensaml.saml.metadata.IterableMetadataSource;
@@ -30,9 +31,7 @@
 import org.opensaml.saml.metadata.resolver.index.impl.RoleMetadataIndex;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
-
 import org.springframework.lang.NonNull;
-import org.springframework.lang.Nullable;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
 import org.springframework.util.Assert;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Core Spring Security SAML 2.0 abstractions.
+ */
+@NullMarked
+package org.springframework.security.saml2.provider.service.registration;
+
+import org.jspecify.annotations.NullMarked;

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/BaseOpenSamlAuthenticationTokenConverter.java

@@ -16,10 +16,10 @@
 
 package org.springframework.security.saml2.provider.service.web;
 
-import jakarta.servlet.http.HttpServletRequest;
 import org.opensaml.saml.saml2.core.Response;
-
 import org.springframework.http.HttpMethod;
+
+import org.jspecify.annotations.Nullable;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ParameterNames;
@@ -30,11 +30,12 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
 import org.springframework.security.web.authentication.AuthenticationConverter;
+import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
-import static org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher.pathPattern;
+import jakarta.servlet.http.HttpServletRequest;
 
 final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationConverter {
 
@@ -91,7 +92,9 @@ final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationCo
 	 * @throws Saml2AuthenticationException if the {@link RequestMatcher} specifies a
 	 * non-existent {@code registrationId}
 	 */
+
 	@Override
+	@Nullable
 	public Saml2AuthenticationToken convert(HttpServletRequest request) {
 		String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
 		if (serialized == null) {
@@ -110,7 +113,8 @@ public Saml2AuthenticationToken convert(HttpServletRequest request) {
 		}
 		return token;
 	}
-
+
+	@Nullable
 	private Saml2AuthenticationToken tokenByAuthenticationRequest(HttpServletRequest request) {
 		AbstractSaml2AuthenticationRequest authenticationRequest = this.authenticationRequests
 			.loadAuthenticationRequest(request);
@@ -121,7 +125,8 @@ private Saml2AuthenticationToken tokenByAuthenticationRequest(HttpServletRequest
 		RelyingPartyRegistration registration = this.registrations.findByRegistrationId(registrationId);
 		return tokenByRegistration(request, registration, authenticationRequest);
 	}
-
+
+	@Nullable
 	private Saml2AuthenticationToken tokenByRegistrationId(HttpServletRequest request,
 			RequestMatcher.MatchResult result) {
 		String registrationId = result.getVariables().get("registrationId");
@@ -132,15 +137,18 @@ private Saml2AuthenticationToken tokenByRegistrationId(HttpServletRequest reques
 		return tokenByRegistration(request, registration, null);
 	}
 
+	@Nullable
 	private Saml2AuthenticationToken tokenByEntityId(HttpServletRequest request) {
 		Response response = this.saml.deserialize(decode(request));
 		String issuer = response.getIssuer().getValue();
 		RelyingPartyRegistration registration = this.registrations.findUniqueByAssertingPartyEntityId(issuer);
 		return tokenByRegistration(request, registration, null);
 	}
 
-	private Saml2AuthenticationToken tokenByRegistration(HttpServletRequest request,
-			RelyingPartyRegistration registration, AbstractSaml2AuthenticationRequest authenticationRequest) {
+	@Nullable
+	private Saml2AuthenticationToken tokenByRegistration(HttpServletRequest request, 
+			@Nullable RelyingPartyRegistration registration, 
+			@Nulable AbstractSaml2AuthenticationRequest authenticationRequest) {
 		if (registration == null) {
 			return null;
 		}
@@ -178,6 +186,7 @@ void setShouldConvertGetRequests(boolean shouldConvertGetRequests) {
 		this.shouldConvertGetRequests = shouldConvertGetRequests;
 	}
 
+	@Nullable
 	private String decode(HttpServletRequest request) {
 		String encoded = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
 		boolean isGet = HttpMethod.GET.matches(request.getMethod());

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/CacheSaml2AuthenticationRequestRepository.java

@@ -16,15 +16,16 @@
 
 package org.springframework.security.saml2.provider.service.web;
 
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-
+import org.jspecify.annotations.Nullable;
 import org.springframework.cache.Cache;
 import org.springframework.cache.concurrent.ConcurrentMapCache;
 import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.util.Assert;
 
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
 /**
  * A cache-based {@link Saml2AuthenticationRequestRepository}. This can be handy when you
  * are dropping requests due to using SameSite=Strict and the previous session is lost.
@@ -43,6 +44,7 @@ public final class CacheSaml2AuthenticationRequestRepository
 	private Cache cache = new ConcurrentMapCache("authentication-requests");
 
 	@Override
+	@Nullable
 	public AbstractSaml2AuthenticationRequest loadAuthenticationRequest(HttpServletRequest request) {
 		String relayState = request.getParameter(Saml2ParameterNames.RELAY_STATE);
 		Assert.notNull(relayState, "relayState must not be null");
@@ -58,6 +60,7 @@ public void saveAuthenticationRequest(AbstractSaml2AuthenticationRequest authent
 	}
 
 	@Override
+	@Nullable
 	public AbstractSaml2AuthenticationRequest removeAuthenticationRequest(HttpServletRequest request,
 			HttpServletResponse response) {
 		String relayState = request.getParameter(Saml2ParameterNames.RELAY_STATE);