Make classes final where possible

Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945

acl/src/test/java/org/springframework/security/acls/jdbc/JdbcMutableAclServiceTests.java

@@ -550,7 +550,7 @@ public class JdbcMutableAclServiceTests extends AbstractTransactionalJUnit4Sprin
 	 */
 	private class CustomJdbcMutableAclService extends JdbcMutableAclService {
 
-		private CustomJdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
+		CustomJdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
 			super(dataSource, lookupStrategy, aclCache);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/UserDetailsManagerConfigurer.java

@@ -104,7 +104,7 @@ public class UserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B>, C
 	 * Builds the user to be added. At minimum the username, password, and authorities
 	 * should provided. The remaining attributes have reasonable defaults.
 	 */
-	public class UserDetailsBuilder {
+	public final class UserDetailsBuilder {
 
 		private UserBuilder user;
 

config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java

@@ -164,7 +164,7 @@ public class RSocketSecurity {
 	/**
 	 * @since 5.3
 	 */
-	public class SimpleAuthenticationSpec {
+	public final class SimpleAuthenticationSpec {
 
 		private ReactiveAuthenticationManager authenticationManager;
 
@@ -208,7 +208,7 @@ public class RSocketSecurity {
 		return this;
 	}
 
-	public class BasicAuthenticationSpec {
+	public final class BasicAuthenticationSpec {
 
 		private ReactiveAuthenticationManager authenticationManager;
 
@@ -244,7 +244,7 @@ public class RSocketSecurity {
 		return this;
 	}
 
-	public class JwtSpec {
+	public final class JwtSpec {
 
 		private ReactiveAuthenticationManager authenticationManager;
 
@@ -370,7 +370,7 @@ public class RSocketSecurity {
 			return new Access(matcher);
 		}
 
-		public class Access {
+		public final class Access {
 
 			private final PayloadExchangeMatcher matcher;
 

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -2942,10 +2942,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 
 		protected List<RequestMatcher> matchers = new ArrayList<>();
 
-		/**
-		 * @param context
-		 */
-		private RequestMatcherConfigurer(ApplicationContext context) {
+		RequestMatcherConfigurer(ApplicationContext context) {
 			setApplicationContext(context);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -337,7 +337,7 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 	 */
 	public class IgnoredRequestConfigurer extends AbstractRequestMatcherRegistry<IgnoredRequestConfigurer> {
 
-		private IgnoredRequestConfigurer(ApplicationContext context) {
+		IgnoredRequestConfigurer(ApplicationContext context) {
 			setApplicationContext(context);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java

@@ -220,7 +220,7 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 
 		protected List<? extends RequestMatcher> requestMatchers;
 
-		private RequiresChannelUrl(List<? extends RequestMatcher> requestMatchers) {
+		RequiresChannelUrl(List<? extends RequestMatcher> requestMatchers) {
 			this.requestMatchers = requestMatchers;
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -303,8 +303,8 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @since 5.2
 	 */
 	private SessionAuthenticationStrategy getSessionAuthenticationStrategy() {
-		if (sessionAuthenticationStrategy != null) {
-			return sessionAuthenticationStrategy;
+		if (this.sessionAuthenticationStrategy != null) {
+			return this.sessionAuthenticationStrategy;
 		}
 		else {
 			return new CsrfAuthenticationStrategy(this.csrfTokenRepository);
@@ -321,10 +321,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 */
 	private class IgnoreCsrfProtectionRegistry extends AbstractRequestMatcherRegistry<IgnoreCsrfProtectionRegistry> {
 
-		/**
-		 * @param context
-		 */
-		private IgnoreCsrfProtectionRegistry(ApplicationContext context) {
+		IgnoreCsrfProtectionRegistry(ApplicationContext context) {
 			setApplicationContext(context);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java

@@ -109,7 +109,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		return REGISTRY;
 	}
 
-	public class ExpressionInterceptUrlRegistry extends
+	public final class ExpressionInterceptUrlRegistry extends
 			ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<ExpressionInterceptUrlRegistry, AuthorizedUrl> {
 
 		/**
@@ -130,7 +130,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		}
 
 		@Override
-		protected final AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
+		protected AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return new AuthorizedUrl(requestMatchers);
 		}
 
@@ -267,7 +267,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 	 *
 	 * @author Rob Winch
 	 */
-	public class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
+	public final class MvcMatchersAuthorizedUrl extends AuthorizedUrl {
 
 		/**
 		 * Creates a new instance
@@ -296,7 +296,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
 		 * Creates a new instance
 		 * @param requestMatchers the {@link RequestMatcher} instances to map
 		 */
-		private AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
+		AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
 			this.requestMatchers = requestMatchers;
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java

@@ -113,7 +113,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
-	public class StandardInterceptUrlRegistry extends
+	public final class StandardInterceptUrlRegistry extends
 			ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<StandardInterceptUrlRegistry, AuthorizedUrl> {
 
 		/**
@@ -134,7 +134,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		}
 
 		@Override
-		protected final AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
+		protected AuthorizedUrl chainRequestMatchersInternal(List<RequestMatcher> requestMatchers) {
 			return new AuthorizedUrl(requestMatchers);
 		}
 
@@ -275,7 +275,7 @@ public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		 * @param requestMatchers the {@link RequestMatcher} instances to map to some
 		 * {@link ConfigAttribute} instances.
 		 */
-		private AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
+		AuthorizedUrl(List<? extends RequestMatcher> requestMatchers) {
 			Assert.notEmpty(requestMatchers, "requestMatchers must contain at least one value");
 			this.requestMatchers = requestMatchers;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java

@@ -154,7 +154,7 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the OAuth 2.0 Authorization Code Grant.
 	 */
-	public class AuthorizationCodeGrantConfigurer {
+	public final class AuthorizationCodeGrantConfigurer {
 
 		private OAuth2AuthorizationRequestResolver authorizationRequestResolver;
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -224,7 +224,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Authorization Server's Authorization Endpoint.
 	 */
-	public class AuthorizationEndpointConfig {
+	public final class AuthorizationEndpointConfig {
 
 		private String authorizationRequestBaseUri;
 
@@ -308,7 +308,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Authorization Server's Token Endpoint.
 	 */
-	public class TokenEndpointConfig {
+	public final class TokenEndpointConfig {
 
 		private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
 
@@ -364,7 +364,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Client's Redirection Endpoint.
 	 */
-	public class RedirectionEndpointConfig {
+	public final class RedirectionEndpointConfig {
 
 		private String authorizationResponseBaseUri;
 
@@ -416,7 +416,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configuration options for the Authorization Server's UserInfo Endpoint.
 	 */
-	public class UserInfoEndpointConfig {
+	public final class UserInfoEndpointConfig {
 
 		private OAuth2UserService<OAuth2UserRequest, OAuth2User> userService;
 

config/src/main/java/org/springframework/security/config/annotation/web/messaging/MessageSecurityMetadataSourceRegistry.java

@@ -251,7 +251,7 @@ public class MessageSecurityMetadataSourceRegistry {
 	 * Represents the security constraint to be applied to the {@link MessageMatcher}
 	 * instances.
 	 */
-	public class Constraint {
+	public final class Constraint {
 
 		private final List<? extends MatcherBuilder> messageMatchers;
 
@@ -409,7 +409,7 @@ public class MessageSecurityMetadataSourceRegistry {
 		return "hasAnyAuthority('" + anyAuthorities + "')";
 	}
 
-	private static class PreBuiltMatcherBuilder implements MatcherBuilder {
+	private final static class PreBuiltMatcherBuilder implements MatcherBuilder {
 
 		private MessageMatcher<?> matcher;
 
@@ -423,7 +423,7 @@ public class MessageSecurityMetadataSourceRegistry {
 
 	}
 
-	private class PathMatcherMessageMatcherBuilder implements MatcherBuilder {
+	private final class PathMatcherMessageMatcherBuilder implements MatcherBuilder {
 
 		private final String pattern;
 

config/src/main/java/org/springframework/security/config/http/GrantedAuthorityDefaultsParserUtils.java

@@ -27,7 +27,10 @@ import org.springframework.security.config.core.GrantedAuthorityDefaults;
  * @author Rob Winch
  * @since 4.2
  */
-class GrantedAuthorityDefaultsParserUtils {
+final class GrantedAuthorityDefaultsParserUtils {
+
+	private GrantedAuthorityDefaultsParserUtils() {
+	}
 
 	static RootBeanDefinition registerWithDefaultRolePrefix(ParserContext pc,
 			Class<? extends AbstractGrantedAuthorityDefaultsBeanFactory> beanFactoryClass) {
@@ -60,7 +63,4 @@ class GrantedAuthorityDefaultsParserUtils {
 
 	}
 
-	private GrantedAuthorityDefaultsParserUtils() {
-	}
-
 }

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -628,10 +628,13 @@ public class ServerHttpSecurity {
 	 * Configures CORS support within Spring Security. This ensures that the
 	 * {@link CorsWebFilter} is place in the correct order.
 	 */
-	public class CorsSpec {
+	public final class CorsSpec {
 
 		private CorsWebFilter corsFilter;
 
+		private CorsSpec() {
+		}
+
 		/**
 		 * Configures the {@link CorsConfigurationSource} to be used
 		 * @param source the source to use
@@ -683,9 +686,6 @@ public class ServerHttpSecurity {
 			return this.corsFilter;
 		}
 
-		private CorsSpec() {
-		}
-
 	}
 
 	/**
@@ -874,12 +874,15 @@ public class ServerHttpSecurity {
 	 * @since 5.2
 	 * @see #x509()
 	 */
-	public class X509Spec {
+	public final class X509Spec {
 
 		private X509PrincipalExtractor principalExtractor;
 
 		private ReactiveAuthenticationManager authenticationManager;
 
+		private X509Spec() {
+		}
+
 		public X509Spec principalExtractor(X509PrincipalExtractor principalExtractor) {
 			this.principalExtractor = principalExtractor;
 			return this;
@@ -923,9 +926,6 @@ public class ServerHttpSecurity {
 			return authenticationManager;
 		}
 
-		private X509Spec() {
-		}
-
 	}
 
 	/**
@@ -981,7 +981,7 @@ public class ServerHttpSecurity {
 		return this;
 	}
 
-	public class OAuth2LoginSpec {
+	public final class OAuth2LoginSpec {
 
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
 
@@ -1003,6 +1003,9 @@ public class ServerHttpSecurity {
 
 		private ServerAuthenticationFailureHandler authenticationFailureHandler;
 
+		private OAuth2LoginSpec() {
+		}
+
 		/**
 		 * Configures the {@link ReactiveAuthenticationManager} to use. The default is
 		 * {@link OAuth2AuthorizationCodeReactiveAuthenticationManager}
@@ -1378,9 +1381,6 @@ public class ServerHttpSecurity {
 			return service;
 		}
 
-		private OAuth2LoginSpec() {
-		}
-
 	}
 
 	/**
@@ -1434,7 +1434,7 @@ public class ServerHttpSecurity {
 		return this;
 	}
 
-	public class OAuth2ClientSpec {
+	public final class OAuth2ClientSpec {
 
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
 
@@ -1446,6 +1446,9 @@ public class ServerHttpSecurity {
 
 		private ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
 
+		private OAuth2ClientSpec() {
+		}
+
 		/**
 		 * Sets the converter to use
 		 * @param authenticationConverter the converter to use
@@ -1595,9 +1598,6 @@ public class ServerHttpSecurity {
 			return service;
 		}
 
-		private OAuth2ClientSpec() {
-		}
-
 	}
 
 	/**
@@ -1794,8 +1794,9 @@ public class ServerHttpSecurity {
 
 			if (this.authenticationManagerResolver != null) {
 				AuthenticationWebFilter oauth2 = new AuthenticationWebFilter(this.authenticationManagerResolver);
-				oauth2.setServerAuthenticationConverter(bearerTokenConverter);
-				oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
+				oauth2.setServerAuthenticationConverter(this.bearerTokenConverter);
+				oauth2.setAuthenticationFailureHandler(
+						new ServerAuthenticationEntryPointFailureHandler(this.entryPoint));
 				http.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION);
 			}
 			else if (this.jwt != null) {
@@ -1961,8 +1962,9 @@ public class ServerHttpSecurity {
 			protected void configure(ServerHttpSecurity http) {
 				ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
 				AuthenticationWebFilter oauth2 = new BearerTokenAuthenticationWebFilter(authenticationManager);
-				oauth2.setServerAuthenticationConverter(bearerTokenConverter);
-				oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
+				oauth2.setServerAuthenticationConverter(OAuth2ResourceServerSpec.this.bearerTokenConverter);
+				oauth2.setAuthenticationFailureHandler(
+						new ServerAuthenticationEntryPointFailureHandler(OAuth2ResourceServerSpec.this.entryPoint));
 				// @formatter:off
 				http
 					.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION);
@@ -2003,7 +2005,7 @@ public class ServerHttpSecurity {
 		 * @author Josh Cummings
 		 * @since 5.2
 		 */
-		public class OpaqueTokenSpec {
+		public final class OpaqueTokenSpec {
 
 			private String introspectionUri;
 
@@ -2013,6 +2015,9 @@ public class ServerHttpSecurity {
 
 			private Supplier<ReactiveOpaqueTokenIntrospector> introspector;
 
+			private OpaqueTokenSpec() {
+			}
+
 			/**
 			 * Configures the URI of the Introspection endpoint
 			 * @param introspectionUri The URI of the Introspection endpoint
@@ -2071,14 +2076,12 @@ public class ServerHttpSecurity {
 			protected void configure(ServerHttpSecurity http) {
 				ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
 				AuthenticationWebFilter oauth2 = new BearerTokenAuthenticationWebFilter(authenticationManager);
-				oauth2.setServerAuthenticationConverter(bearerTokenConverter);
-				oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
+				oauth2.setServerAuthenticationConverter(OAuth2ResourceServerSpec.this.bearerTokenConverter);
+				oauth2.setAuthenticationFailureHandler(
+						new ServerAuthenticationEntryPointFailureHandler(OAuth2ResourceServerSpec.this.entryPoint));
 				http.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION);
 			}
 
-			private OpaqueTokenSpec() {
-			}
-
 		}
 
 		public ServerHttpSecurity and() {
@@ -2820,7 +2823,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #csrf()
 	 */
-	public class CsrfSpec {
+	public final class CsrfSpec {
 
 		private CsrfWebFilter filter = new CsrfWebFilter();
 
@@ -2917,7 +2920,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #exceptionHandling()
 	 */
-	public class ExceptionHandlingSpec {
+	public final class ExceptionHandlingSpec {
 
 		/**
 		 * Configures what to do when the application request authentication
@@ -2963,7 +2966,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #requestCache()
 	 */
-	public class RequestCacheSpec {
+	public final class RequestCacheSpec {
 
 		private ServerRequestCache requestCache = new WebSessionServerRequestCache();
 
@@ -3013,7 +3016,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #httpBasic()
 	 */
-	public class HttpBasicSpec {
+	public final class HttpBasicSpec {
 
 		private ReactiveAuthenticationManager authenticationManager;
 
@@ -3104,7 +3107,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #formLogin()
 	 */
-	public class FormLoginSpec {
+	public final class FormLoginSpec {
 
 		private final RedirectServerAuthenticationSuccessHandler defaultSuccessHandler = new RedirectServerAuthenticationSuccessHandler(
 				"/");
@@ -3282,7 +3285,7 @@ public class ServerHttpSecurity {
 
 	}
 
-	private class LoginPageSpec {
+	private final class LoginPageSpec {
 
 		protected void configure(ServerHttpSecurity http) {
 			if (http.authenticationEntryPoint != null) {
@@ -3321,7 +3324,7 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 * @see #headers()
 	 */
-	public class HeaderSpec {
+	public final class HeaderSpec {
 
 		private final List<ServerHttpHeadersWriter> writers;
 
@@ -3535,7 +3538,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #cache()
 		 */
-		public class CacheSpec {
+		public final class CacheSpec {
 
 			/**
 			 * Disables cache control response headers
@@ -3556,7 +3559,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #contentTypeOptions()
 		 */
-		public class ContentTypeOptionsSpec {
+		public final class ContentTypeOptionsSpec {
 
 			/**
 			 * Disables the content type options response header
@@ -3577,7 +3580,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #frameOptions()
 		 */
-		public class FrameOptionsSpec {
+		public final class FrameOptionsSpec {
 
 			/**
 			 * The mode to configure. Default is
@@ -3618,7 +3621,7 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #hsts()
 		 */
-		public class HstsSpec {
+		public final class HstsSpec {
 
 			/**
 			 * Configures the max age. Default is one year.
@@ -3687,7 +3690,10 @@ public class ServerHttpSecurity {
 		 *
 		 * @see #xssProtection()
 		 */
-		public class XssProtectionSpec {
+		public final class XssProtectionSpec {
+
+			private XssProtectionSpec() {
+			}
 
 			/**
 			 * Disables the x-xss-protection response header
@@ -3698,9 +3704,6 @@ public class ServerHttpSecurity {
 				return HeaderSpec.this;
 			}
 
-			private XssProtectionSpec() {
-			}
-
 		}
 
 		/**
@@ -3709,7 +3712,7 @@ public class ServerHttpSecurity {
 		 * @since 5.1
 		 * @see #contentSecurityPolicy(String)
 		 */
-		public class ContentSecurityPolicySpec {
+		public final class ContentSecurityPolicySpec {
 
 			private static final String DEFAULT_SRC_SELF_POLICY = "default-src 'self'";
 
@@ -3760,7 +3763,7 @@ public class ServerHttpSecurity {
 		 * @since 5.1
 		 * @see #featurePolicy(String)
 		 */
-		public class FeaturePolicySpec {
+		public final class FeaturePolicySpec {
 
 			/**
 			 * Allows method chaining to continue configuring the
@@ -3784,7 +3787,11 @@ public class ServerHttpSecurity {
 		 * @see #referrerPolicy()
 		 * @see #referrerPolicy(ReferrerPolicy)
 		 */
-		public class ReferrerPolicySpec {
+		public final class ReferrerPolicySpec {
+
+			private ReferrerPolicySpec(ReferrerPolicy referrerPolicy) {
+				HeaderSpec.this.referrerPolicy.setPolicy(referrerPolicy);
+			}
 
 			/**
 			 * Sets the policy to be used in the response header.
@@ -3808,10 +3815,6 @@ public class ServerHttpSecurity {
 			private ReferrerPolicySpec() {
 			}
 
-			private ReferrerPolicySpec(ReferrerPolicy referrerPolicy) {
-				HeaderSpec.this.referrerPolicy.setPolicy(referrerPolicy);
-			}
-
 		}
 
 		private HeaderSpec() {
@@ -4095,17 +4098,18 @@ public class ServerHttpSecurity {
 		}
 
 		protected void configure(ServerHttpSecurity http) {
-			if (authenticationFilter == null) {
-				authenticationFilter = new AnonymousAuthenticationWebFilter(getKey(), principal, authorities);
+			if (this.authenticationFilter == null) {
+				this.authenticationFilter = new AnonymousAuthenticationWebFilter(getKey(), this.principal,
+						this.authorities);
 			}
-			http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION);
+			http.addFilterAt(this.authenticationFilter, SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION);
 		}
 
 		private String getKey() {
-			if (key == null) {
-				key = UUID.randomUUID().toString();
+			if (this.key == null) {
+				this.key = UUID.randomUUID().toString();
 			}
-			return key;
+			return this.key;
 		}
 
 		private AnonymousSpec() {

config/src/test/java/org/springframework/security/config/annotation/web/AbstractConfiguredSecurityBuilderTests.java

@@ -144,7 +144,7 @@ public class AbstractConfiguredSecurityBuilderTests {
 
 	}
 
-	private static class TestConfiguredSecurityBuilder
+	private static final class TestConfiguredSecurityBuilder
 			extends AbstractConfiguredSecurityBuilder<Object, TestConfiguredSecurityBuilder> {
 
 		private TestConfiguredSecurityBuilder(ObjectPostProcessor<Object> objectPostProcessor) {

config/src/test/java/org/springframework/security/htmlunit/server/WebTestClientHtmlUnitDriverBuilder.java

@@ -30,7 +30,7 @@ import org.springframework.test.web.servlet.htmlunit.webdriver.WebConnectionHtml
  * @author Rob Winch
  * @since 5.0
  */
-public class WebTestClientHtmlUnitDriverBuilder {
+public final class WebTestClientHtmlUnitDriverBuilder {
 
 	private final WebTestClient webTestClient;
 

core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java

@@ -34,6 +34,9 @@ public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAut
 
 	private AuthenticationTrustResolver authTrustResolver = new AuthenticationTrustResolverImpl();
 
+	AuthenticatedReactiveAuthorizationManager() {
+	}
+
 	@Override
 	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
 		return authentication.filter(this::isNotAnonymous).map(a -> new AuthorizationDecision(a.isAuthenticated()))
@@ -59,7 +62,4 @@ public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAut
 		return new AuthenticatedReactiveAuthorizationManager<>();
 	}
 
-	private AuthenticatedReactiveAuthorizationManager() {
-	}
-
 }

core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java

@@ -36,7 +36,7 @@ public class AuthorityReactiveAuthorizationManager<T> implements ReactiveAuthori
 
 	private final List<String> authorities;
 
-	private AuthorityReactiveAuthorizationManager(String... authorities) {
+	AuthorityReactiveAuthorizationManager(String... authorities) {
 		this.authorities = Arrays.asList(authorities);
 	}
 

core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -334,7 +334,7 @@ public class User implements UserDetails, CredentialsContainer {
 	 * Builds the user to be added. At minimum the username, password, and authorities
 	 * should provided. The remaining attributes have reasonable defaults.
 	 */
-	public static class UserBuilder {
+	public static final class UserBuilder {
 
 		private String username;
 

core/src/test/java/org/springframework/security/PopulatedDatabase.java

@@ -26,7 +26,7 @@ import org.springframework.jdbc.core.JdbcTemplate;
  *
  * @author Ben Alex
  */
-public class PopulatedDatabase {
+public final class PopulatedDatabase {
 
 	private static TestDataSource dataSource = null;
 

crypto/src/main/java/org/springframework/security/crypto/encrypt/CipherUtils.java

@@ -36,7 +36,10 @@ import javax.crypto.spec.PBEParameterSpec;
  *
  * @author Keith Donald
  */
-class CipherUtils {
+final class CipherUtils {
+
+	private CipherUtils() {
+	}
 
 	/**
 	 * Generates a SecretKey.
@@ -138,7 +141,4 @@ class CipherUtils {
 		}
 	}
 
-	private CipherUtils() {
-	}
-
 }

crypto/src/main/java/org/springframework/security/crypto/encrypt/Encryptors.java

@@ -24,7 +24,10 @@ import org.springframework.security.crypto.keygen.KeyGenerators;
  *
  * @author Keith Donald
  */
-public class Encryptors {
+public final class Encryptors {
+
+	private Encryptors() {
+	}
 
 	/**
 	 * Creates a standard password-based bytes encryptor using 256 bit AES encryption with
@@ -112,9 +115,6 @@ public class Encryptors {
 		return NO_OP_TEXT_INSTANCE;
 	}
 
-	private Encryptors() {
-	}
-
 	private static final TextEncryptor NO_OP_TEXT_INSTANCE = new NoOpTextEncryptor();
 
 	private static final class NoOpTextEncryptor implements TextEncryptor {

crypto/src/main/java/org/springframework/security/crypto/factory/PasswordEncoderFactories.java

@@ -32,7 +32,10 @@ import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
  * @author Rob Winch
  * @since 5.0
  */
-public class PasswordEncoderFactories {
+public final class PasswordEncoderFactories {
+
+	private PasswordEncoderFactories() {
+	}
 
 	/**
 	 * Creates a {@link DelegatingPasswordEncoder} with default mappings. Additional
@@ -79,7 +82,4 @@ public class PasswordEncoderFactories {
 		return new DelegatingPasswordEncoder(encodingId, encoders);
 	}
 
-	private PasswordEncoderFactories() {
-	}
-
 }

crypto/src/main/java/org/springframework/security/crypto/keygen/KeyGenerators.java

@@ -23,7 +23,10 @@ import java.security.SecureRandom;
  *
  * @author Keith Donald
  */
-public class KeyGenerators {
+public final class KeyGenerators {
+
+	private KeyGenerators() {
+	}
 
 	/**
 	 * Create a {@link BytesKeyGenerator} that uses a {@link SecureRandom} to generate
@@ -59,9 +62,4 @@ public class KeyGenerators {
 		return new HexEncodingStringKeyGenerator(secureRandom());
 	}
 
-	// internal helpers
-
-	private KeyGenerators() {
-	}
-
 }

crypto/src/main/java/org/springframework/security/crypto/password/PasswordEncoderUtils.java

@@ -24,7 +24,10 @@ import org.springframework.security.crypto.codec.Utf8;
  *
  * @author Rob Winch
  */
-class PasswordEncoderUtils {
+final class PasswordEncoderUtils {
+
+	private PasswordEncoderUtils() {
+	}
 
 	/**
 	 * Constant time comparison to prevent against timing attacks.
@@ -43,12 +46,9 @@ class PasswordEncoderUtils {
 		if (s == null) {
 			return null;
 		}
-
-		return Utf8.encode(s); // need to check if Utf8.encode() runs in constant time
-								// (probably not). This may leak length of string.
-	}
-
-	private PasswordEncoderUtils() {
+		// need to check if Utf8.encode() runs in constant time (probably not).
+		// This may leak length of string.
+		return Utf8.encode(s);
 	}
 
 }

crypto/src/main/java/org/springframework/security/crypto/util/EncodingUtils.java

@@ -22,7 +22,10 @@ package org.springframework.security.crypto.util;
  *
  * @author Keith Donald
  */
-public class EncodingUtils {
+public final class EncodingUtils {
+
+	private EncodingUtils() {
+	}
 
 	/**
 	 * Combine the individual byte arrays into one array.
@@ -54,7 +57,4 @@ public class EncodingUtils {
 		return subarray;
 	}
 
-	private EncodingUtils() {
-	}
-
 }

etc/checkstyle/checkstyle-suppressions.xml

@@ -3,7 +3,6 @@
 		"-//Checkstyle//DTD SuppressionFilter Configuration 1.2//EN"
 		"https://checkstyle.org/dtds/suppressions_1_2.dtd">
 <suppressions>
-	<suppress files=".*" checks="FinalClass" />
 	<suppress files=".*" checks="InnerAssignment" />
 	<suppress files=".*" checks="InnerTypeLast" />
 	<suppress files=".*" checks="InterfaceIsType" />

messaging/src/test/java/org/springframework/security/messaging/handler/invocation/ResolvableMethod.java

@@ -127,7 +127,7 @@ import static java.util.stream.Collectors.joining;
  * @author Rossen Stoyanchev
  * @since 5.2
  */
-public class ResolvableMethod {
+public final class ResolvableMethod {
 
 	private static final Log logger = LogFactory.getLog(ResolvableMethod.class);
 
@@ -258,7 +258,7 @@ public class ResolvableMethod {
 	/**
 	 * Builder for {@code ResolvableMethod}.
 	 */
-	public static class Builder<T> {
+	public static final class Builder<T> {
 
 		private final Class<?> objectClass;
 
@@ -400,7 +400,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().method()}
 		 */
-		public final Method resolveMethod() {
+		public Method resolveMethod() {
 			return method().method();
 		}
 
@@ -418,7 +418,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().returnType()}
 		 */
-		public final MethodParameter resolveReturnType() {
+		public MethodParameter resolveReturnType() {
 			return method().returnType();
 		}
 
@@ -466,7 +466,7 @@ public class ResolvableMethod {
 	/**
 	 * Predicate with a descriptive label.
 	 */
-	private static class LabeledPredicate<T> implements Predicate<T> {
+	private static final class LabeledPredicate<T> implements Predicate<T> {
 
 		private final String label;
 
@@ -507,7 +507,7 @@ public class ResolvableMethod {
 	/**
 	 * Resolver for method arguments.
 	 */
-	public class ArgResolver {
+	public final class ArgResolver {
 
 		private final List<Predicate<MethodParameter>> filters = new ArrayList<>(4);
 
@@ -578,7 +578,7 @@ public class ResolvableMethod {
 		/**
 		 * Resolve the argument.
 		 */
-		public final MethodParameter arg() {
+		public MethodParameter arg() {
 			List<MethodParameter> matches = applyFilters();
 			Assert.state(!matches.isEmpty(), () -> "No matching arg in method\n" + formatMethod());
 			Assert.state(matches.size() == 1,
@@ -588,8 +588,8 @@ public class ResolvableMethod {
 
 		private List<MethodParameter> applyFilters() {
 			List<MethodParameter> matches = new ArrayList<>();
-			for (int i = 0; i < method.getParameterCount(); i++) {
-				MethodParameter param = new SynthesizingMethodParameter(method, i);
+			for (int i = 0; i < ResolvableMethod.this.method.getParameterCount(); i++) {
+				MethodParameter param = new SynthesizingMethodParameter(ResolvableMethod.this.method, i);
 				param.initParameterNameDiscovery(nameDiscoverer);
 				if (this.filters.stream().allMatch(p -> p.test(param))) {
 					matches.add(param);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizationContext.java

@@ -140,7 +140,7 @@ public final class OAuth2AuthorizationContext {
 	/**
 	 * A builder for {@link OAuth2AuthorizationContext}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private ClientRegistration clientRegistration;
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizeRequest.java

@@ -122,7 +122,7 @@ public final class OAuth2AuthorizeRequest {
 	/**
 	 * A builder for {@link OAuth2AuthorizeRequest}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private String clientRegistrationId;
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java

@@ -89,7 +89,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code authorization_code} grant.
 	 */
-	public class AuthorizationCodeGrantBuilder implements Builder {
+	public final class AuthorizationCodeGrantBuilder implements Builder {
 
 		private AuthorizationCodeGrantBuilder() {
 		}
@@ -131,7 +131,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code refresh_token} grant.
 	 */
-	public class RefreshTokenGrantBuilder implements Builder {
+	public final class RefreshTokenGrantBuilder implements Builder {
 
 		private OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient;
 
@@ -226,7 +226,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code client_credentials} grant.
 	 */
-	public class ClientCredentialsGrantBuilder implements Builder {
+	public final class ClientCredentialsGrantBuilder implements Builder {
 
 		private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
 
@@ -319,7 +319,7 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code password} grant.
 	 */
-	public class PasswordGrantBuilder implements Builder {
+	public final class PasswordGrantBuilder implements Builder {
 
 		private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient;
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java

@@ -89,7 +89,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code authorization_code} grant.
 	 */
-	public class AuthorizationCodeGrantBuilder implements Builder {
+	public final class AuthorizationCodeGrantBuilder implements Builder {
 
 		private AuthorizationCodeGrantBuilder() {
 		}
@@ -133,7 +133,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code refresh_token} grant.
 	 */
-	public class RefreshTokenGrantBuilder implements Builder {
+	public final class RefreshTokenGrantBuilder implements Builder {
 
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient;
 
@@ -230,7 +230,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code client_credentials} grant.
 	 */
-	public class ClientCredentialsGrantBuilder implements Builder {
+	public final class ClientCredentialsGrantBuilder implements Builder {
 
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
 
@@ -325,7 +325,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * A builder for the {@code password} grant.
 	 */
-	public class PasswordGrantBuilder implements Builder {
+	public final class PasswordGrantBuilder implements Builder {
 
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient;
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java

@@ -195,7 +195,7 @@ public final class ClientRegistration implements Serializable {
 
 		private Map<String, Object> configurationMetadata = Collections.emptyMap();
 
-		private ProviderDetails() {
+		ProviderDetails() {
 		}
 
 		/**
@@ -263,7 +263,7 @@ public final class ClientRegistration implements Serializable {
 
 			private String userNameAttributeName;
 
-			private UserInfoEndpoint() {
+			UserInfoEndpoint() {
 			}
 
 			/**
@@ -322,7 +322,7 @@ public final class ClientRegistration implements Serializable {
 	/**
 	 * A builder for {@link ClientRegistration}.
 	 */
-	public static class Builder implements Serializable {
+	public static final class Builder implements Serializable {
 
 		private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java

@@ -131,7 +131,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	private final Mono<Authentication> currentAuthenticationMono = ReactiveSecurityContextHolder.getContext()
 			.map(SecurityContext::getAuthentication).defaultIfEmpty(ANONYMOUS_USER_TOKEN);
 
-	private final Mono<String> clientRegistrationIdMono = currentAuthenticationMono
+	private final Mono<String> clientRegistrationIdMono = this.currentAuthenticationMono
 			.filter(t -> this.defaultOAuth2AuthorizedClient && t instanceof OAuth2AuthenticationToken)
 			.cast(OAuth2AuthenticationToken.class).map(OAuth2AuthenticationToken::getAuthorizedClientRegistrationId);
 
@@ -472,7 +472,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	private Mono<String> effectiveClientRegistrationId(ClientRequest request) {
 		return Mono.justOrEmpty(clientRegistrationId(request))
 				.switchIfEmpty(Mono.justOrEmpty(this.defaultClientRegistrationId))
-				.switchIfEmpty(clientRegistrationIdMono);
+				.switchIfEmpty(this.clientRegistrationIdMono);
 	}
 
 	/**
@@ -488,7 +488,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	 * {@link ServerWebExchange} that is active for the given request.
 	 */
 	private Mono<Optional<ServerWebExchange>> effectiveServerWebExchange(ClientRequest request) {
-		return Mono.justOrEmpty(serverWebExchange(request)).switchIfEmpty(currentServerWebExchangeMono)
+		return Mono.justOrEmpty(serverWebExchange(request)).switchIfEmpty(this.currentServerWebExchangeMono)
 				.map(Optional::of).defaultIfEmpty(Optional.empty());
 	}
 
@@ -534,7 +534,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 		this.clientResponseHandler = new AuthorizationFailureForwarder(authorizationFailureHandler);
 	}
 
-	private static class UnAuthenticatedReactiveOAuth2AuthorizedClientManager
+	private static final class UnAuthenticatedReactiveOAuth2AuthorizedClientManager
 			implements ReactiveOAuth2AuthorizedClientManager {
 
 		private final ReactiveClientRegistrationRepository clientRegistrationRepository;
@@ -628,7 +628,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 	 *
 	 * @since 5.3
 	 */
-	private class AuthorizationFailureForwarder implements ClientResponseHandler {
+	private final class AuthorizationFailureForwarder implements ClientResponseHandler {
 
 		/**
 		 * A map of HTTP Status Code to OAuth 2.0 Error codes for HTTP status codes that
@@ -667,7 +667,9 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 
 				Mono<String> clientRegistrationId = effectiveClientRegistrationId(request);
 
-				return Mono.zip(currentAuthenticationMono, serverWebExchange, clientRegistrationId)
+				return Mono
+						.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
+								serverWebExchange, clientRegistrationId)
 						.flatMap(tuple3 -> handleAuthorizationFailure(tuple3.getT1(), // Authentication
 																						// principal
 								tuple3.getT2().orElse(null), // ServerWebExchange exchange
@@ -723,7 +725,9 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 
 				Mono<String> clientRegistrationId = effectiveClientRegistrationId(request);
 
-				return Mono.zip(currentAuthenticationMono, serverWebExchange, clientRegistrationId)
+				return Mono
+						.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
+								serverWebExchange, clientRegistrationId)
 						.flatMap(tuple3 -> handleAuthorizationFailure(tuple3.getT1(), // Authentication
 																						// principal
 								tuple3.getT2().orElse(null), // ServerWebExchange exchange
@@ -744,11 +748,13 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 		private Mono<Void> handleAuthorizationException(ClientRequest request, OAuth2AuthorizationException exception) {
 			Mono<Optional<ServerWebExchange>> serverWebExchange = effectiveServerWebExchange(request);
 
-			return Mono.zip(currentAuthenticationMono, serverWebExchange)
-					.flatMap(tuple2 -> handleAuthorizationFailure(tuple2.getT1(), // Authentication
+			return Mono.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
+					serverWebExchange).flatMap(
+							tuple2 -> handleAuthorizationFailure(tuple2.getT1(), // Authentication
 																					// principal
-							tuple2.getT2().orElse(null), // ServerWebExchange exchange
-							exception));
+									tuple2.getT2().orElse(null), // ServerWebExchange
+																	// exchange
+									exception));
 		}
 
 		/**

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java

@@ -637,7 +637,7 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
 	 *
 	 * @since 5.3
 	 */
-	private static class AuthorizationFailureForwarder implements ClientResponseHandler {
+	private static final class AuthorizationFailureForwarder implements ClientResponseHandler {
 
 		/**
 		 * A map of HTTP status code to OAuth 2.0 error code for HTTP status codes that

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/JdbcOAuth2AuthorizedClientServiceTests.java

@@ -398,7 +398,7 @@ public class JdbcOAuth2AuthorizedClientServiceTests {
 		return new OAuth2AuthorizedClient(clientRegistration, principal.getName(), accessToken, refreshToken);
 	}
 
-	private static class CustomTableDefinitionJdbcOAuth2AuthorizedClientService
+	private final static class CustomTableDefinitionJdbcOAuth2AuthorizedClientService
 			extends JdbcOAuth2AuthorizedClientService {
 
 		private static final String COLUMN_NAMES = "clientRegistrationId, " + "principalName, " + "accessTokenType, "
@@ -453,7 +453,7 @@ public class JdbcOAuth2AuthorizedClientServiceTests {
 			this.jdbcOperations.update(REMOVE_AUTHORIZED_CLIENT_SQL, pss);
 		}
 
-		private static class OAuth2AuthorizedClientRowMapper implements RowMapper<OAuth2AuthorizedClient> {
+		private final static class OAuth2AuthorizedClientRowMapper implements RowMapper<OAuth2AuthorizedClient> {
 
 			private final ClientRegistrationRepository clientRegistrationRepository;
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/DelegatingOAuth2UserServiceTests.java

@@ -47,8 +47,9 @@ public class DelegatingOAuth2UserServiceTests {
 	@Test(expected = IllegalArgumentException.class)
 	@SuppressWarnings("unchecked")
 	public void loadUserWhenUserRequestIsNullThenThrowIllegalArgumentException() {
+		OAuth2UserService<OAuth2UserRequest, OAuth2User> userService = mock(OAuth2UserService.class);
 		DelegatingOAuth2UserService<OAuth2UserRequest, OAuth2User> delegatingUserService = new DelegatingOAuth2UserService<>(
-				Arrays.asList(mock(OAuth2UserService.class), mock(OAuth2UserService.class)));
+				Arrays.asList(userService, userService));
 		delegatingUserService.loadUser(null);
 	}
 

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AccessTokenResponse.java

@@ -94,7 +94,7 @@ public final class OAuth2AccessTokenResponse {
 	/**
 	 * A builder for {@link OAuth2AccessTokenResponse}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private String tokenValue;
 

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java

@@ -226,7 +226,7 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 	/**
 	 * A builder for {@link OAuth2AuthorizationRequest}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private String authorizationUri;
 

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponse.java

@@ -118,7 +118,7 @@ public final class OAuth2AuthorizationResponse {
 	/**
 	 * A builder for {@link OAuth2AuthorizationResponse}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private String redirectUri;
 

rsocket/src/main/java/org/springframework/security/rsocket/authorization/PayloadExchangeMatcherReactiveAuthorizationManager.java

@@ -38,7 +38,7 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  * @since 5.2
  */
-public class PayloadExchangeMatcherReactiveAuthorizationManager
+public final class PayloadExchangeMatcherReactiveAuthorizationManager
 		implements ReactiveAuthorizationManager<PayloadExchange> {
 
 	private final List<PayloadExchangeMatcherEntry<ReactiveAuthorizationManager<PayloadExchangeAuthorizationContext>>> mappings;
@@ -63,7 +63,7 @@ public class PayloadExchangeMatcherReactiveAuthorizationManager
 		return new PayloadExchangeMatcherReactiveAuthorizationManager.Builder();
 	}
 
-	public static class Builder {
+	public static final class Builder {
 
 		private final List<PayloadExchangeMatcherEntry<ReactiveAuthorizationManager<PayloadExchangeAuthorizationContext>>> mappings = new ArrayList<>();
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java

@@ -673,7 +673,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	 *
 	 * @since 5.4
 	 */
-	public static class Tuple {
+	public static final class Tuple {
 
 		private final Saml2AuthenticationToken authentication;
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationRequest.java

@@ -119,7 +119,7 @@ public final class Saml2AuthenticationRequest {
 	/**
 	 * A builder for {@link Saml2AuthenticationRequest}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private String issuer;
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationRequestContext.java

@@ -108,7 +108,7 @@ public class Saml2AuthenticationRequestContext {
 	/**
 	 * A builder for {@link Saml2AuthenticationRequestContext}.
 	 */
-	public static class Builder {
+	public static final class Builder {
 
 		private String issuer;
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java

@@ -31,7 +31,7 @@ import static org.springframework.security.saml2.provider.service.registration.S
  */
 public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationRequest {
 
-	private Saml2PostAuthenticationRequest(String samlRequest, String relayState, String authenticationRequestUri) {
+	Saml2PostAuthenticationRequest(String samlRequest, String relayState, String authenticationRequestUri) {
 		super(samlRequest, relayState, authenticationRequestUri);
 	}
 
@@ -59,7 +59,7 @@ public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationR
 	/**
 	 * Builder class for a {@link Saml2PostAuthenticationRequest} object.
 	 */
-	public static class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
+	public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
 
 		private Builder() {
 			super();

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java

@@ -29,7 +29,7 @@ import static org.springframework.security.saml2.provider.service.registration.S
  * @since 5.3
  * @see Saml2AuthenticationRequestFactory
  */
-public class Saml2RedirectAuthenticationRequest extends AbstractSaml2AuthenticationRequest {
+public final class Saml2RedirectAuthenticationRequest extends AbstractSaml2AuthenticationRequest {
 
 	private final String sigAlg;
 
@@ -82,7 +82,7 @@ public class Saml2RedirectAuthenticationRequest extends AbstractSaml2Authenticat
 	/**
 	 * Builder class for a {@link Saml2RedirectAuthenticationRequest} object.
 	 */
-	public static class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
+	public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
 
 		private String sigAlg;
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java

@@ -28,6 +28,8 @@ import java.util.function.Consumer;
 import java.util.function.Function;
 
 import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails;
 import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.util.Assert;
 
@@ -69,7 +71,7 @@ import org.springframework.util.Assert;
  * @author Josh Cummings
  * @since 5.2
  */
-public class RelyingPartyRegistration {
+public final class RelyingPartyRegistration {
 
 	private final String registrationId;
 

test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java

@@ -87,7 +87,7 @@ final class WithUserDetailsSecurityContextFactory implements WithSecurityContext
 		}
 	}
 
-	private class ReactiveUserDetailsServiceAdapter implements UserDetailsService {
+	private final class ReactiveUserDetailsServiceAdapter implements UserDetailsService {
 
 		private final ReactiveUserDetailsService userDetailsService;
 

test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java

@@ -242,7 +242,10 @@ public class SecurityMockServerConfigurers {
 		return new CsrfMutator();
 	}
 
-	public static class CsrfMutator implements WebTestClientConfigurer, MockServerConfigurer {
+	public static final class CsrfMutator implements WebTestClientConfigurer, MockServerConfigurer {
+
+		private CsrfMutator() {
+		}
 
 		@Override
 		public void afterConfigurerAdded(WebTestClient.Builder builder,
@@ -262,9 +265,6 @@ public class SecurityMockServerConfigurers {
 
 		}
 
-		private CsrfMutator() {
-		}
-
 	}
 
 	/**
@@ -272,7 +272,7 @@ public class SecurityMockServerConfigurers {
 	 * SecurityMockServerConfigurers#mockUser(UserDetails)}}. Defaults to use a password
 	 * of "password" and granted authorities of "ROLE_USER".
 	 */
-	public static class UserExchangeMutator implements WebTestClientConfigurer, MockServerConfigurer {
+	public static final class UserExchangeMutator implements WebTestClientConfigurer, MockServerConfigurer {
 
 		private final User.UserBuilder userBuilder;
 
@@ -376,7 +376,7 @@ public class SecurityMockServerConfigurers {
 
 	}
 
-	private static class MutatorWebTestClientConfigurer implements WebTestClientConfigurer, MockServerConfigurer {
+	private static final class MutatorWebTestClientConfigurer implements WebTestClientConfigurer, MockServerConfigurer {
 
 		private final Supplier<Mono<SecurityContext>> context;
 
@@ -402,7 +402,7 @@ public class SecurityMockServerConfigurers {
 
 	}
 
-	private static class SetupMutatorFilter implements WebFilter {
+	private static final class SetupMutatorFilter implements WebFilter {
 
 		private final Supplier<Mono<SecurityContext>> context;
 
@@ -443,7 +443,7 @@ public class SecurityMockServerConfigurers {
 	 * @author Josh Cummings
 	 * @since 5.2
 	 */
-	public static class JwtMutator implements WebTestClientConfigurer, MockServerConfigurer {
+	public static final class JwtMutator implements WebTestClientConfigurer, MockServerConfigurer {
 
 		private Jwt jwt;
 
@@ -1149,7 +1149,7 @@ public class SecurityMockServerConfigurers {
 		 * Used to wrap the {@link OAuth2AuthorizedClientManager} to provide support for
 		 * testing when the request is wrapped
 		 */
-		private static class TestReactiveOAuth2AuthorizedClientManager
+		private static final class TestReactiveOAuth2AuthorizedClientManager
 				implements ReactiveOAuth2AuthorizedClientManager {
 
 			final static String TOKEN_ATTR_NAME = TestReactiveOAuth2AuthorizedClientManager.class.getName()
@@ -1186,10 +1186,13 @@ public class SecurityMockServerConfigurers {
 
 		}
 
-		private static class OAuth2ClientServerTestUtils {
+		private static final class OAuth2ClientServerTestUtils {
 
 			private static final ServerOAuth2AuthorizedClientRepository DEFAULT_CLIENT_REPO = new WebSessionServerOAuth2AuthorizedClientRepository();
 
+			private OAuth2ClientServerTestUtils() {
+			}
+
 			/**
 			 * Gets the {@link ReactiveOAuth2AuthorizedClientManager} for the specified
 			 * {@link ServerWebExchange}. If one is not found, one based off of
@@ -1278,9 +1281,6 @@ public class SecurityMockServerConfigurers {
 
 			}
 
-			private OAuth2ClientServerTestUtils() {
-			}
-
 		}
 
 	}

test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

@@ -457,7 +457,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 	/**
 	 * Populates the X509Certificate instances onto the request
 	 */
-	private static class X509RequestPostProcessor implements RequestPostProcessor {
+	private static final class X509RequestPostProcessor implements RequestPostProcessor {
 
 		private final X509Certificate[] certificates;
 
@@ -480,12 +480,15 @@ public final class SecurityMockMvcRequestPostProcessors {
 	 * @author Rob Winch
 	 * @since 4.0
 	 */
-	public static class CsrfRequestPostProcessor implements RequestPostProcessor {
+	public static final class CsrfRequestPostProcessor implements RequestPostProcessor {
 
 		private boolean asHeader;
 
 		private boolean useInvalidToken;
 
+		private CsrfRequestPostProcessor() {
+		}
+
 		/*
 		 * (non-Javadoc)
 		 *
@@ -531,9 +534,6 @@ public final class SecurityMockMvcRequestPostProcessors {
 			return this;
 		}
 
-		private CsrfRequestPostProcessor() {
-		}
-
 		/**
 		 * Used to wrap the CsrfTokenRepository to provide support for testing when the
 		 * request is wrapped (i.e. Spring Session is in use).
@@ -759,7 +759,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 		 * Used to wrap the SecurityContextRepository to provide support for testing in
 		 * stateless mode
 		 */
-		static class TestSecurityContextRepository implements SecurityContextRepository {
+		static final class TestSecurityContextRepository implements SecurityContextRepository {
 
 			private final static String ATTR_NAME = TestSecurityContextRepository.class.getName().concat(".REPO");
 
@@ -1035,7 +1035,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 
 	}
 
-	private static class HttpBasicRequestPostProcessor implements RequestPostProcessor {
+	private static final class HttpBasicRequestPostProcessor implements RequestPostProcessor {
 
 		private String headerValue;
 
@@ -1648,7 +1648,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 		 * Used to wrap the {@link OAuth2AuthorizedClientManager} to provide support for
 		 * testing when the request is wrapped
 		 */
-		private static class TestOAuth2AuthorizedClientManager implements OAuth2AuthorizedClientManager {
+		private static final class TestOAuth2AuthorizedClientManager implements OAuth2AuthorizedClientManager {
 
 			final static String TOKEN_ATTR_NAME = TestOAuth2AuthorizedClientManager.class.getName().concat(".TOKEN");
 
@@ -1682,7 +1682,7 @@ public final class SecurityMockMvcRequestPostProcessors {
 
 		}
 
-		private static class OAuth2ClientServletTestUtils {
+		private static final class OAuth2ClientServletTestUtils {
 
 			private static final OAuth2AuthorizedClientRepository DEFAULT_CLIENT_REPO = new HttpSessionOAuth2AuthorizedClientRepository();
 

web/src/main/java/org/springframework/security/web/FilterChainProxy.java

@@ -294,7 +294,7 @@ public class FilterChainProxy extends GenericFilterBean {
 	 * Internal {@code FilterChain} implementation that is used to pass a request through
 	 * the additional internal list of filters which match the request.
 	 */
-	private static class VirtualFilterChain implements FilterChain {
+	private static final class VirtualFilterChain implements FilterChain {
 
 		private final FilterChain originalChain;
 

web/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java

@@ -35,7 +35,7 @@ import org.springframework.web.server.ServerWebExchange;
  * @author Mathieu Ouellet
  * @since 5.0
  */
-public class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
+public final class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
 
 	private static final Log logger = LogFactory.getLog(DelegatingReactiveAuthorizationManager.class);
 
@@ -63,7 +63,7 @@ public class DelegatingReactiveAuthorizationManager implements ReactiveAuthoriza
 		return new DelegatingReactiveAuthorizationManager.Builder();
 	}
 
-	public static class Builder {
+	public static final class Builder {
 
 		private final List<ServerWebExchangeMatcherEntry<ReactiveAuthorizationManager<AuthorizationContext>>> mappings = new ArrayList<>();
 

web/src/main/java/org/springframework/security/web/server/context/NoOpServerSecurityContextRepository.java

@@ -28,13 +28,15 @@ import org.springframework.web.server.ServerWebExchange;
  * @author Rob Winch
  * @since 5.0
  */
-public class NoOpServerSecurityContextRepository implements ServerSecurityContextRepository {
+public final class NoOpServerSecurityContextRepository implements ServerSecurityContextRepository {
 
 	private static final NoOpServerSecurityContextRepository INSTANCE = new NoOpServerSecurityContextRepository();
 
+	private NoOpServerSecurityContextRepository() {
+	}
+
 	public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
 		return Mono.empty();
-
 	}
 
 	public Mono<SecurityContext> load(ServerWebExchange exchange) {
@@ -45,7 +47,4 @@ public class NoOpServerSecurityContextRepository implements ServerSecurityContex
 		return INSTANCE;
 	}
 
-	private NoOpServerSecurityContextRepository() {
-	}
-
 }

web/src/main/java/org/springframework/security/web/server/savedrequest/NoOpServerRequestCache.java

@@ -30,7 +30,10 @@ import org.springframework.web.server.ServerWebExchange;
  * @author Rob Winch
  * @since 5.0
  */
-public class NoOpServerRequestCache implements ServerRequestCache {
+public final class NoOpServerRequestCache implements ServerRequestCache {
+
+	private NoOpServerRequestCache() {
+	}
 
 	@Override
 	public Mono<Void> saveRequest(ServerWebExchange exchange) {
@@ -51,7 +54,4 @@ public class NoOpServerRequestCache implements ServerRequestCache {
 		return new NoOpServerRequestCache();
 	}
 
-	private NoOpServerRequestCache() {
-	}
-
 }

web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java

@@ -263,7 +263,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 
 	}
 
-	private static class SpringAntMatcher implements Matcher {
+	private static final class SpringAntMatcher implements Matcher {
 
 		private final AntPathMatcher antMatcher;
 
@@ -296,7 +296,7 @@ public final class AntPathRequestMatcher implements RequestMatcher, RequestVaria
 	/**
 	 * Optimized matcher for trailing wildcards
 	 */
-	private static class SubpathMatcher implements Matcher {
+	private static final class SubpathMatcher implements Matcher {
 
 		private final String subpath;
 

web/src/test/java/org/springframework/security/test/web/reactive/server/WebTestHandler.java

@@ -30,7 +30,7 @@ import org.springframework.web.server.handler.FilteringWebHandler;
  * @author Rob Winch
  * @since 5.0
  */
-public class WebTestHandler {
+public final class WebTestHandler {
 
 	private final MockWebHandler webHandler = new MockWebHandler();
 
@@ -50,7 +50,7 @@ public class WebTestHandler {
 		return new WebHandlerResult(webHandler.exchange);
 	}
 
-	public static class WebHandlerResult {
+	public static final class WebHandlerResult {
 
 		private final ServerWebExchange exchange;
 

web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java

@@ -138,7 +138,7 @@ public class PersistentTokenBasedRememberMeServicesTests {
 		return services;
 	}
 
-	private class MockTokenRepository implements PersistentTokenRepository {
+	private final class MockTokenRepository implements PersistentTokenRepository {
 
 		private PersistentRememberMeToken storedToken;
 

web/src/test/java/org/springframework/security/web/method/ResolvableMethod.java

@@ -126,7 +126,7 @@ import static java.util.stream.Collectors.joining;
  * @author Rossen Stoyanchev
  * @since 5.0
  */
-public class ResolvableMethod {
+public final class ResolvableMethod {
 
 	private static final Log logger = LogFactory.getLog(ResolvableMethod.class);
 
@@ -253,7 +253,7 @@ public class ResolvableMethod {
 	/**
 	 * Builder for {@code ResolvableMethod}.
 	 */
-	public static class Builder<T> {
+	public static final class Builder<T> {
 
 		private final Class<?> objectClass;
 
@@ -386,7 +386,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().method()}
 		 */
-		public final Method resolveMethod() {
+		public Method resolveMethod() {
 			return build().method();
 		}
 
@@ -404,7 +404,7 @@ public class ResolvableMethod {
 		 * <p>
 		 * {@code build().returnType()}
 		 */
-		public final MethodParameter resolveReturnType() {
+		public MethodParameter resolveReturnType() {
 			return build().returnType();
 		}
 
@@ -452,7 +452,7 @@ public class ResolvableMethod {
 	/**
 	 * Predicate with a descriptive label.
 	 */
-	private static class LabeledPredicate<T> implements Predicate<T> {
+	private static final class LabeledPredicate<T> implements Predicate<T> {
 
 		private final String label;
 
@@ -493,7 +493,7 @@ public class ResolvableMethod {
 	/**
 	 * Resolver for method arguments.
 	 */
-	public class ArgResolver {
+	public final class ArgResolver {
 
 		private final List<Predicate<MethodParameter>> filters = new ArrayList<>(4);
 
@@ -564,7 +564,7 @@ public class ResolvableMethod {
 		/**
 		 * Resolve the argument.
 		 */
-		public final MethodParameter arg() {
+		public MethodParameter arg() {
 			List<MethodParameter> matches = applyFilters();
 			Assert.state(!matches.isEmpty(), () -> "No matching arg in method\n" + formatMethod());
 			Assert.state(matches.size() == 1,