Hide utility class constructors

Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945

config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java

@@ -30,7 +30,7 @@ import org.springframework.security.web.access.channel.ChannelDecisionManagerImp
  * @author Luke Taylor
  * @since 3.0
  */
-public class ChannelAttributeFactory {
+public final class ChannelAttributeFactory {
 
 	private static final String OPT_REQUIRES_HTTP = "http";
 
@@ -38,6 +38,9 @@ public class ChannelAttributeFactory {
 
 	private static final String OPT_ANY_CHANNEL = "any";
 
+	private ChannelAttributeFactory() {
+	}
+
 	public static List<ConfigAttribute> createChannelAttributes(String requiredChannel) {
 		String channelConfigAttribute;
 

config/src/main/java/org/springframework/security/config/http/OAuth2ClientBeanDefinitionParserUtils.java

@@ -37,6 +37,9 @@ final class OAuth2ClientBeanDefinitionParserUtils {
 
 	private static final String ATT_AUTHORIZED_CLIENT_SERVICE_REF = "authorized-client-service-ref";
 
+	private OAuth2ClientBeanDefinitionParserUtils() {
+	}
+
 	static BeanMetadataElement getClientRegistrationRepository(Element element) {
 		BeanMetadataElement clientRegistrationRepository;
 		String clientRegistrationRepositoryRef = element.getAttribute(ATT_CLIENT_REGISTRATION_REPOSITORY_REF);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/TestSaml2Credentials.java

@@ -29,7 +29,10 @@ import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X
 /**
  * Preconfigured SAML credentials for SAML integration tests.
  */
-public class TestSaml2Credentials {
+public final class TestSaml2Credentials {
+
+	private TestSaml2Credentials() {
+	}
 
 	static Saml2X509Credential verificationCertificate() {
 		String certificate = "-----BEGIN CERTIFICATE-----\n"

config/src/test/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfigurationBuilder.java

@@ -26,7 +26,10 @@ import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
  * @author Rob Winch
  * @since 5.0
  */
-public class ServerHttpSecurityConfigurationBuilder {
+public final class ServerHttpSecurityConfigurationBuilder {
+
+	private ServerHttpSecurityConfigurationBuilder() {
+	}
 
 	public static ServerHttpSecurity http() {
 		return new ServerHttpSecurityConfiguration().httpSecurity();

config/src/test/java/org/springframework/security/config/http/SecurityFiltersAssertions.java

@@ -29,13 +29,15 @@ import static org.assertj.core.api.Assertions.assertThat;
  *
  * @author Josh Cummings
  */
-public class SecurityFiltersAssertions {
+public final class SecurityFiltersAssertions {
 
 	private static Collection<SecurityFilters> ordered = Arrays.asList(SecurityFilters.values());
 
+	private SecurityFiltersAssertions() {
+	}
+
 	public static void assertEquals(List<String> filters) {
 		List<String> expected = ordered.stream().map(SecurityFilters::name).collect(Collectors.toList());
-
 		assertThat(filters).isEqualTo(expected);
 	}
 

core/src/main/java/org/springframework/security/access/expression/ExpressionUtils.java

@@ -22,6 +22,9 @@ import org.springframework.expression.Expression;
 
 public final class ExpressionUtils {
 
+	private ExpressionUtils() {
+	}
+
 	public static boolean evaluateAsBoolean(Expression expr, EvaluationContext ctx) {
 		try {
 			return expr.getValue(ctx, Boolean.class);

core/src/main/java/org/springframework/security/converter/RsaKeyConverters.java

@@ -38,7 +38,7 @@ import org.springframework.util.Assert;
  * @author Josh Cummings
  * @since 5.2
  */
-public class RsaKeyConverters {
+public final class RsaKeyConverters {
 
 	private static final String DASHES = "-----";
 
@@ -50,6 +50,9 @@ public class RsaKeyConverters {
 
 	private static final String X509_PEM_FOOTER = DASHES + "END PUBLIC KEY" + DASHES;
 
+	private RsaKeyConverters() {
+	}
+
 	/**
 	 * Construct a {@link Converter} for converting a PEM-encoded PKCS#8 RSA Private Key
 	 * into a {@link RSAPrivateKey}.

core/src/main/java/org/springframework/security/core/SpringSecurityCoreVersion.java

@@ -30,7 +30,7 @@ import org.springframework.core.SpringVersion;
  * @author Luke Taylor
  * @author Rob Winch
  */
-public class SpringSecurityCoreVersion {
+public final class SpringSecurityCoreVersion {
 
 	private static final String DISABLE_CHECKS = SpringSecurityCoreVersion.class.getName().concat(".DISABLE_CHECKS");
 
@@ -50,6 +50,9 @@ public class SpringSecurityCoreVersion {
 		performVersionChecks();
 	}
 
+	private SpringSecurityCoreVersion() {
+	}
+
 	public static String getVersion() {
 		Package pkg = SpringSecurityCoreVersion.class.getPackage();
 		return (pkg != null ? pkg.getImplementationVersion() : null);

core/src/main/java/org/springframework/security/core/context/ReactiveSecurityContextHolder.java

@@ -29,10 +29,13 @@ import org.springframework.security.core.Authentication;
  * @author Rob Winch
  * @since 5.0
  */
-public class ReactiveSecurityContextHolder {
+public final class ReactiveSecurityContextHolder {
 
 	private static final Class<?> SECURITY_CONTEXT_KEY = SecurityContext.class;
 
+	private ReactiveSecurityContextHolder() {
+	}
+
 	/**
 	 * Gets the {@code Mono<SecurityContext>} from Reactor {@link Context}
 	 * @return the {@code Mono<SecurityContext>}

core/src/main/java/org/springframework/security/util/FieldUtils.java

@@ -29,6 +29,9 @@ import org.springframework.util.StringUtils;
  */
 public final class FieldUtils {
 
+	private FieldUtils() {
+	}
+
 	/**
 	 * Attempts to locate the specified field on the class.
 	 * @param clazz the class definition containing the field

core/src/main/java/org/springframework/security/util/MethodInvocationUtils.java

@@ -35,6 +35,9 @@ import org.springframework.util.Assert;
  */
 public final class MethodInvocationUtils {
 
+	private MethodInvocationUtils() {
+	}
+
 	/**
 	 * Generates a <code>MethodInvocation</code> for specified <code>methodName</code> on
 	 * the passed object, using the <code>args</code> to locate the method.

core/src/test/java/org/springframework/security/access/annotation/sec2150/MethodInvocationFactory.java

@@ -19,7 +19,10 @@ package org.springframework.security.access.annotation.sec2150;
 import org.springframework.aop.framework.ProxyFactory;
 import org.springframework.security.access.intercept.method.MockMethodInvocation;
 
-public class MethodInvocationFactory {
+public final class MethodInvocationFactory {
+
+	private MethodInvocationFactory() {
+	}
 
 	/**
 	 * In order to reproduce the bug for SEC-2150, we must have a proxy object that

core/src/test/java/org/springframework/security/access/expression/method/SecurityRules.java

@@ -16,7 +16,10 @@
 
 package org.springframework.security.access.expression.method;
 
-public class SecurityRules {
+public final class SecurityRules {
+
+	private SecurityRules() {
+	}
 
 	public static boolean disallow() {
 		return false;

core/src/test/java/org/springframework/security/util/FieldUtilsTests.java

@@ -27,8 +27,6 @@ public class FieldUtilsTests {
 
 	@Test
 	public void gettingAndSettingProtectedFieldIsSuccessful() throws Exception {
-		new FieldUtils();
-
 		Object tc = new TestClass();
 
 		assertThat(FieldUtils.getProtectedFieldValue("protectedField", tc)).isEqualTo("x");

core/src/test/java/org/springframework/security/util/MethodInvocationUtilsTests.java

@@ -33,8 +33,6 @@ public class MethodInvocationUtilsTests {
 
 	@Test
 	public void createFromClassReturnsMethodWithNoArgInfoForMethodWithNoArgs() {
-		new MethodInvocationUtils();
-
 		MethodInvocation mi = MethodInvocationUtils.createFromClass(String.class, "length");
 		assertThat(mi).isNotNull();
 	}

crypto/src/main/java/org/springframework/security/crypto/argon2/Argon2EncodingUtils.java

@@ -29,12 +29,15 @@ import org.bouncycastle.util.Arrays;
  * @author Simeon Macke
  * @since 5.3
  */
-class Argon2EncodingUtils {
+final class Argon2EncodingUtils {
 
 	private static final Base64.Encoder b64encoder = Base64.getEncoder().withoutPadding();
 
 	private static final Base64.Decoder b64decoder = Base64.getDecoder();
 
+	private Argon2EncodingUtils() {
+	}
+
 	/**
 	 * Encodes a raw Argon2-hash and its parameters into the standard Argon2-hash-string
 	 * as specified in the reference implementation

crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java

@@ -237,6 +237,9 @@ public final class Base64 {
 			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255
 	};
 
+	private Base64() {
+	}
+
 	public static byte[] decode(byte[] bytes) {
 		return decode(bytes, 0, bytes.length, NO_OPTIONS);
 	}

crypto/src/main/java/org/springframework/security/crypto/codec/Hex.java

@@ -30,6 +30,9 @@ public final class Hex {
 	private static final char[] HEX = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e',
 			'f' };
 
+	private Hex() {
+	}
+
 	public static char[] encode(byte[] bytes) {
 		final int nBytes = bytes.length;
 		char[] result = new char[2 * nBytes];

crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java

@@ -33,6 +33,9 @@ public final class Utf8 {
 
 	private static final Charset CHARSET = StandardCharsets.UTF_8;
 
+	private Utf8() {
+	}
+
 	/**
 	 * Get the bytes of the String in UTF-8 encoded form.
 	 */

crypto/src/test/java/org/springframework/security/crypto/codec/Base64Tests.java

@@ -28,8 +28,6 @@ public class Base64Tests {
 
 	@Test
 	public void isBase64ReturnsTrueForValidBase64() {
-		new Base64(); // unused
-
 		assertThat(Base64.isBase64(new byte[] { (byte) 'A', (byte) 'B', (byte) 'C', (byte) 'D' })).isTrue();
 	}
 

crypto/src/test/java/org/springframework/security/crypto/encrypt/CryptoAssumptions.java

@@ -26,7 +26,10 @@ import org.junit.AssumptionViolatedException;
 
 import org.springframework.security.crypto.encrypt.AesBytesEncryptor.CipherAlgorithm;
 
-public class CryptoAssumptions {
+public final class CryptoAssumptions {
+
+	private CryptoAssumptions() {
+	}
 
 	public static void assumeGCMJCE() {
 		assumeAes256(CipherAlgorithm.GCM);

etc/checkstyle/checkstyle-suppressions.xml

@@ -3,7 +3,6 @@
 		"-//Checkstyle//DTD SuppressionFilter Configuration 1.2//EN"
 		"https://checkstyle.org/dtds/suppressions_1_2.dtd">
 <suppressions>
-	<suppress files=".*" checks="SpringHideUtilityClassConstructor" />
 	<suppress files=".*" checks="SpringJavadoc" />
 	<suppress files=".*" checks="SpringLambda" />
 	<suppress files=".*" checks="SpringMethodOrder" />

ldap/src/main/java/org/springframework/security/ldap/ppolicy/PasswordPolicyControlExtractor.java

@@ -29,10 +29,13 @@ import org.apache.commons.logging.LogFactory;
  * @author Luke Taylor
  * @since 3.0
  */
-public class PasswordPolicyControlExtractor {
+public final class PasswordPolicyControlExtractor {
 
 	private static final Log logger = LogFactory.getLog(PasswordPolicyControlExtractor.class);
 
+	private PasswordPolicyControlExtractor() {
+	}
+
 	public static PasswordPolicyResponseControl extractControl(DirContext dirCtx) {
 		LdapContext ctx = (LdapContext) dirCtx;
 		Control[] ctrls = null;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java

@@ -40,6 +40,9 @@ final class OAuth2AuthorizationGrantRequestEntityUtils {
 
 	private static HttpHeaders DEFAULT_TOKEN_REQUEST_HEADERS = getDefaultTokenRequestHeaders();
 
+	private OAuth2AuthorizationGrantRequestEntityUtils() {
+	}
+
 	static HttpHeaders getTokenRequestHeaders(ClientRegistration clientRegistration) {
 		HttpHeaders headers = new HttpHeaders();
 		headers.addAll(DEFAULT_TOKEN_REQUEST_HEADERS);

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/TestOAuth2AuthenticationTokens.java

@@ -25,7 +25,10 @@ import org.springframework.security.oauth2.core.user.TestOAuth2Users;
  * @author Josh Cummings
  * @since 5.2
  */
-public class TestOAuth2AuthenticationTokens {
+public final class TestOAuth2AuthenticationTokens {
+
+	private TestOAuth2AuthenticationTokens() {
+	}
 
 	public static OAuth2AuthenticationToken authenticated() {
 		DefaultOAuth2User principal = TestOAuth2Users.create();

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/TestOAuth2AuthorizationCodeAuthenticationTokens.java

@@ -29,7 +29,10 @@ import org.springframework.security.oauth2.core.endpoint.TestOAuth2Authorization
  * @author Rob Winch
  * @since 5.1
  */
-public class TestOAuth2AuthorizationCodeAuthenticationTokens {
+public final class TestOAuth2AuthorizationCodeAuthenticationTokens {
+
+	private TestOAuth2AuthorizationCodeAuthenticationTokens() {
+	}
 
 	public static OAuth2AuthorizationCodeAuthenticationToken unauthenticated() {
 		ClientRegistration registration = TestClientRegistrations.clientRegistration().build();

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/TestClientRegistrations.java

@@ -23,7 +23,10 @@ import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
  * @author Rob Winch
  * @since 5.1
  */
-public class TestClientRegistrations {
+public final class TestClientRegistrations {
+
+	private TestClientRegistrations() {
+	}
 
 	public static ClientRegistration.Builder clientRegistration() {
 		return ClientRegistration.withRegistrationId("registration-id")

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/HttpMessageConverters.java

@@ -45,6 +45,9 @@ final class HttpMessageConverters {
 		jsonbPresent = ClassUtils.isPresent("javax.json.bind.Jsonb", classLoader);
 	}
 
+	private HttpMessageConverters() {
+	}
+
 	static GenericHttpMessageConverter<Object> getJsonMessageConverter() {
 		if (jackson2Present) {
 			return new MappingJackson2HttpMessageConverter();

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/TestOAuth2AccessTokens.java

@@ -25,7 +25,10 @@ import java.util.HashSet;
  * @author Rob Winch
  * @since 5.1
  */
-public class TestOAuth2AccessTokens {
+public final class TestOAuth2AccessTokens {
+
+	private TestOAuth2AccessTokens() {
+	}
 
 	public static OAuth2AccessToken noScopes() {
 		return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "no-scopes", Instant.now(),

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/TestOAuth2RefreshTokens.java

@@ -22,7 +22,10 @@ import java.time.Instant;
  * @author Rob Winch
  * @since 5.1
  */
-public class TestOAuth2RefreshTokens {
+public final class TestOAuth2RefreshTokens {
+
+	private TestOAuth2RefreshTokens() {
+	}
 
 	public static OAuth2RefreshToken refreshToken() {
 		return new OAuth2RefreshToken("refresh-token", Instant.now());

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AccessTokenResponses.java

@@ -26,7 +26,10 @@ import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames
  * @author Rob Winch
  * @since 5.1
  */
-public class TestOAuth2AccessTokenResponses {
+public final class TestOAuth2AccessTokenResponses {
+
+	private TestOAuth2AccessTokenResponses() {
+	}
 
 	public static OAuth2AccessTokenResponse.Builder accessTokenResponse() {
 		return OAuth2AccessTokenResponse.withToken("token").tokenType(OAuth2AccessToken.TokenType.BEARER);

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AuthorizationExchanges.java

@@ -21,7 +21,10 @@ package org.springframework.security.oauth2.core.endpoint;
  * @author Eddú Meléndez
  * @since 5.1
  */
-public class TestOAuth2AuthorizationExchanges {
+public final class TestOAuth2AuthorizationExchanges {
+
+	private TestOAuth2AuthorizationExchanges() {
+	}
 
 	public static OAuth2AuthorizationExchange success() {
 		OAuth2AuthorizationRequest request = TestOAuth2AuthorizationRequests.request().build();

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AuthorizationRequests.java

@@ -23,7 +23,10 @@ import java.util.Map;
  * @author Rob Winch
  * @since 5.1
  */
-public class TestOAuth2AuthorizationRequests {
+public final class TestOAuth2AuthorizationRequests {
+
+	private TestOAuth2AuthorizationRequests() {
+	}
 
 	public static OAuth2AuthorizationRequest.Builder request() {
 		String registrationId = "registration-id";

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AuthorizationResponses.java

@@ -20,7 +20,10 @@ package org.springframework.security.oauth2.core.endpoint;
  * @author Rob Winch
  * @since 5.1
  */
-public class TestOAuth2AuthorizationResponses {
+public final class TestOAuth2AuthorizationResponses {
+
+	private TestOAuth2AuthorizationResponses() {
+	}
 
 	public static OAuth2AuthorizationResponse.Builder success() {
 		return OAuth2AuthorizationResponse.success("authorization-code").state("state")

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/TestOidcIdTokens.java

@@ -23,7 +23,10 @@ import java.time.Instant;
  *
  * @author Josh Cummings
  */
-public class TestOidcIdTokens {
+public final class TestOidcIdTokens {
+
+	private TestOidcIdTokens() {
+	}
 
 	public static OidcIdToken.Builder idToken() {
 		return OidcIdToken.withTokenValue("id-token").issuer("https://example.com").subject("subject")

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/user/TestOidcUsers.java

@@ -30,7 +30,10 @@ import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 /**
  * @author Joe Grandja
  */
-public class TestOidcUsers {
+public final class TestOidcUsers {
+
+	private TestOidcUsers() {
+	}
 
 	public static DefaultOidcUser create() {
 		OidcIdToken idToken = idToken();

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/TestOAuth2Users.java

@@ -28,7 +28,10 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 /**
  * @author Rob Winch
  */
-public class TestOAuth2Users {
+public final class TestOAuth2Users {
+
+	private TestOAuth2Users() {
+	}
 
 	public static DefaultOAuth2User create() {
 		String nameAttributeKey = "username";

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java

@@ -38,7 +38,7 @@ import org.springframework.web.util.UriComponentsBuilder;
  * @author Rafiullah Hamedy
  * @since 5.2
  */
-class JwtDecoderProviderConfigurationUtils {
+final class JwtDecoderProviderConfigurationUtils {
 
 	private static final String OIDC_METADATA_PATH = "/.well-known/openid-configuration";
 
@@ -49,6 +49,9 @@ class JwtDecoderProviderConfigurationUtils {
 	private static final ParameterizedTypeReference<Map<String, Object>> typeReference = new ParameterizedTypeReference<Map<String, Object>>() {
 	};
 
+	private JwtDecoderProviderConfigurationUtils() {
+	}
+
 	static Map<String, Object> getConfigurationForOidcIssuerLocation(String oidcIssuerLocation) {
 		return getConfiguration(oidcIssuerLocation, oidc(URI.create(oidcIssuerLocation)));
 	}

oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jose/TestKeys.java

@@ -32,10 +32,9 @@ import javax.crypto.spec.SecretKeySpec;
  * @author Joe Grandja
  * @since 5.2
  */
-public class TestKeys {
+public final class TestKeys {
 
 	public static final KeyFactory kf;
-
 	static {
 		try {
 			kf = KeyFactory.getInstance("RSA");
@@ -57,12 +56,11 @@ public class TestKeys {
 			+ "kJdJ/ZIV+WW4noDdzpKqHcwmB8FsrumlVY/DNVvUSDIipiq9PbP4H99TXN1o746o"
 			+ "RaNa07rq1hoCgMSSy+85SagCoxlmyE+D+of9SsMY8Ol9t0rdzpobBuhyJ/o5dfvj" + "KwIDAQAB";
 
-	public static final RSAPublicKey DEFAULT_PUBLIC_KEY = publicKey();
-
-	private static RSAPublicKey publicKey() {
+	public static final RSAPublicKey DEFAULT_PUBLIC_KEY;
+	static {
 		X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.getDecoder().decode(DEFAULT_RSA_PUBLIC_KEY));
 		try {
-			return (RSAPublicKey) kf.generatePublic(spec);
+			DEFAULT_PUBLIC_KEY = (RSAPublicKey) kf.generatePublic(spec);
 		}
 		catch (InvalidKeySpecException ex) {
 			throw new IllegalArgumentException(ex);
@@ -95,16 +93,19 @@ public class TestKeys {
 			+ "c5TVvhG/ubfBspI5DhQqIGijnVBzFT//UfIYMSKJo75qqBEyP2EJSmCsunWsAFsM"
 			+ "TszuiGTkrKcZy9G0wJqPztZZl2F2+bJgnA6nBEV7g5PA4Af+QSmaIhRwqGDAuROR" + "47jndeyIaMTNETEmOnms+as17g==";
 
-	public static final RSAPrivateKey DEFAULT_PRIVATE_KEY = privateKey();
+	public static final RSAPrivateKey DEFAULT_PRIVATE_KEY;
 
-	private static RSAPrivateKey privateKey() {
+	static {
 		PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(DEFAULT_RSA_PRIVATE_KEY));
 		try {
-			return (RSAPrivateKey) kf.generatePrivate(spec);
+			DEFAULT_PRIVATE_KEY = (RSAPrivateKey) kf.generatePrivate(spec);
 		}
 		catch (InvalidKeySpecException ex) {
 			throw new IllegalArgumentException(ex);
 		}
 	}
 
+	private TestKeys() {
+	}
+
 }

oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/TestJwts.java

@@ -19,7 +19,10 @@ package org.springframework.security.oauth2.jwt;
 import java.time.Instant;
 import java.util.Arrays;
 
-public class TestJwts {
+public final class TestJwts {
+
+	private TestJwts() {
+	}
 
 	public static Jwt.Builder jwt() {
 		return Jwt.withTokenValue("token").header("alg", "none").audience(Arrays.asList("https://audience.example.org"))

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/core/TestOAuth2AuthenticatedPrincipals.java

@@ -36,7 +36,10 @@ import org.springframework.security.oauth2.server.resource.introspection.OAuth2I
  *
  * @author Josh Cummings
  */
-public class TestOAuth2AuthenticatedPrincipals {
+public final class TestOAuth2AuthenticatedPrincipals {
+
+	private TestOAuth2AuthenticatedPrincipals() {
+	}
 
 	public static OAuth2AuthenticatedPrincipal active() {
 		return active(attributes -> {

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/TestBearerTokenAuthentications.java

@@ -33,7 +33,10 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
  *
  * @author Josh Cummings
  */
-public class TestBearerTokenAuthentications {
+public final class TestBearerTokenAuthentications {
+
+	private TestBearerTokenAuthentications() {
+	}
 
 	public static BearerTokenAuthentication bearer() {
 		Collection<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("SCOPE_USER");

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java

@@ -74,12 +74,15 @@ import org.springframework.security.saml2.Saml2Exception;
  * @author Josh Cummings
  * @since 5.4
  */
-public class OpenSamlInitializationService {
+public final class OpenSamlInitializationService {
 
 	private static final Log log = LogFactory.getLog(OpenSamlInitializationService.class);
 
 	private static final AtomicBoolean initialized = new AtomicBoolean(false);
 
+	private OpenSamlInitializationService() {
+	}
+
 	/**
 	 * Ready OpenSAML for use and configure it with reasonable defaults.
 	 *

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Utils.java

@@ -35,6 +35,9 @@ final class Saml2Utils {
 
 	private static Base64 BASE64 = new Base64(0, new byte[] { '\n' });
 
+	private Saml2Utils() {
+	}
+
 	static String samlEncode(byte[] b) {
 		return BASE64.encodeAsString(b);
 	}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrations.java

@@ -34,6 +34,9 @@ public final class RelyingPartyRegistrations {
 	private static final RestOperations rest = new RestTemplate(
 			Arrays.asList(new OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter()));
 
+	private RelyingPartyRegistrations() {
+	}
+
 	/**
 	 * Return a {@link RelyingPartyRegistration.Builder} based off of the given SAML 2.0
 	 * Asserting Party (IDP) metadata.

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java

@@ -34,6 +34,9 @@ final class Saml2ServletUtils {
 
 	private static final char PATH_DELIMITER = '/';
 
+	private Saml2ServletUtils() {
+	}
+
 	static String resolveUrlTemplate(String template, String baseUrl, RelyingPartyRegistration relyingParty) {
 		if (!StringUtils.hasText(template)) {
 			return baseUrl;

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java

@@ -32,6 +32,9 @@ public final class Saml2Utils {
 
 	private static Base64 BASE64 = new Base64(0, new byte[] { '\n' });
 
+	private Saml2Utils() {
+	}
+
 	public static String samlEncode(byte[] b) {
 		return BASE64.encodeAsString(b);
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/TestSaml2X509Credentials.java

@@ -31,6 +31,9 @@ import org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509Cred
 
 public final class TestSaml2X509Credentials {
 
+	private TestSaml2X509Credentials() {
+	}
+
 	public static Saml2X509Credential assertingPartySigningCredential() {
 		return new Saml2X509Credential(idpPrivateKey(), idpCertificate(), Saml2X509CredentialType.SIGNING);
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/credentials/TestSaml2X509Credentials.java

@@ -31,6 +31,9 @@ import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X
 
 public final class TestSaml2X509Credentials {
 
+	private TestSaml2X509Credentials() {
+	}
+
 	public static Saml2X509Credential assertingPartySigningCredential() {
 		return new Saml2X509Credential(idpPrivateKey(), idpCertificate(), Saml2X509CredentialType.SIGNING);
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java

@@ -97,6 +97,9 @@ final class TestOpenSamlObjects {
 	private static SecretKey SECRET_KEY = new SecretKeySpec(
 			Base64.getDecoder().decode("shOnwNMoCv88HKMEa91+FlYoD5RNvzMTAL5LGxZKIFk="), "AES");
 
+	private TestOpenSamlObjects() {
+	}
+
 	static Response response() {
 		return response(DESTINATION, ASSERTING_PARTY_ENTITY_ID);
 	}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestSaml2AuthenticationRequestContexts.java

@@ -21,7 +21,10 @@ import org.springframework.security.saml2.provider.service.registration.TestRely
 /**
  * Test {@link Saml2AuthenticationRequestContext}s
  */
-public class TestSaml2AuthenticationRequestContexts {
+public final class TestSaml2AuthenticationRequestContexts {
+
+	private TestSaml2AuthenticationRequestContexts() {
+	}
 
 	public static Saml2AuthenticationRequestContext.Builder authenticationRequestContext() {
 		return Saml2AuthenticationRequestContext.builder().relayState("relayState").issuer("issuer")

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/TestRelyingPartyRegistrations.java

@@ -23,7 +23,10 @@ import org.springframework.security.saml2.provider.service.servlet.filter.Saml2W
 /**
  * Preconfigured test data for {@link RelyingPartyRegistration} objects
  */
-public class TestRelyingPartyRegistrations {
+public final class TestRelyingPartyRegistrations {
+
+	private TestRelyingPartyRegistrations() {
+	}
 
 	public static RelyingPartyRegistration.Builder relyingPartyRegistration() {
 		String registrationId = "simplesamlphp";

taglibs/src/main/java/org/springframework/security/taglibs/TagLibConfig.java

@@ -51,6 +51,9 @@ public final class TagLibConfig {
 		}
 	}
 
+	private TagLibConfig() {
+	}
+
 	/**
 	 * Returns EVAL_BODY_INCLUDE if the authorized flag is true or UI security has been
 	 * disabled. Otherwise returns SKIP_BODY.

test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java

@@ -97,7 +97,10 @@ import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
  * @author Rob Winch
  * @since 5.0
  */
-public class SecurityMockServerConfigurers {
+public final class SecurityMockServerConfigurers {
+
+	private SecurityMockServerConfigurers() {
+	}
 
 	/**
 	 * Sets up Spring Security's {@link WebTestClient} test support

test/src/main/java/org/springframework/security/test/web/servlet/setup/SecurityMockMvcConfigurers.java

@@ -30,6 +30,9 @@ import org.springframework.util.Assert;
  */
 public final class SecurityMockMvcConfigurers {
 
+	private SecurityMockMvcConfigurers() {
+	}
+
 	/**
 	 * Configures the MockMvcBuilder for use with Spring Security. Specifically the
 	 * configurer adds the Spring Bean named "springSecurityFilterChain" as a Filter. It

web/src/main/java/org/springframework/security/web/WebAttributes.java

@@ -52,4 +52,7 @@ public final class WebAttributes {
 	public static final String WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE = WebAttributes.class.getName()
 			+ ".WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE";
 
+	private WebAttributes() {
+	}
+
 }

web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthUtils.java

@@ -31,6 +31,9 @@ final class DigestAuthUtils {
 
 	private static final String[] EMPTY_STRING_ARRAY = new String[0];
 
+	private DigestAuthUtils() {
+	}
+
 	static String encodePasswordInA1Format(String username, String realm, String password) {
 		String a1 = username + ":" + realm + ":" + password;
 

web/src/main/java/org/springframework/security/web/savedrequest/FastHttpDateFormat.java

@@ -32,7 +32,7 @@ import java.util.TimeZone;
  * @author Remy Maucherat
  * @author Andrey Grebnev
  */
-public class FastHttpDateFormat {
+public final class FastHttpDateFormat {
 
 	/** HTTP date format. */
 	protected static final SimpleDateFormat format = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);
@@ -66,6 +66,9 @@ public class FastHttpDateFormat {
 	/** Parser cache. */
 	protected static final HashMap<String, Long> parseCache = new HashMap<>();
 
+	private FastHttpDateFormat() {
+	}
+
 	/**
 	 * Formats a specified date to HTTP format. If local format is not <code>null</code>,
 	 * it's used instead.

web/src/main/java/org/springframework/security/web/util/UrlUtils.java

@@ -30,6 +30,9 @@ import javax.servlet.http.HttpServletRequest;
  */
 public final class UrlUtils {
 
+	private UrlUtils() {
+	}
+
 	public static String buildFullRequestUrl(HttpServletRequest r) {
 		return buildFullRequestUrl(r.getScheme(), r.getServerName(), r.getServerPort(), r.getRequestURI(),
 				r.getQueryString());

web/src/test/java/org/springframework/security/test/web/reactive/server/WebTestClientBuilder.java

@@ -34,7 +34,10 @@ import org.springframework.web.server.WebFilter;
  * @since 5.0
  *
  */
-public class WebTestClientBuilder {
+public final class WebTestClientBuilder {
+
+	private WebTestClientBuilder() {
+	}
 
 	public static Builder bindToWebFilters(WebFilter... webFilters) {
 		return WebTestClient.bindToController(new Http200RestController()).webFilter(webFilters).configureClient();

web/src/test/java/org/springframework/security/web/authentication/preauth/x509/X509TestUtils.java

@@ -25,7 +25,10 @@ import java.security.cert.X509Certificate;
  *
  * @author Luke Taylor
  */
-public class X509TestUtils {
+public final class X509TestUtils {
+
+	private X509TestUtils() {
+	}
 
 	/**
 	 * Builds an X.509 certificate. In human-readable form it is: