
Change interface with constants to final class

Closes gh-10960
Joe Grandja 3 年之前
父节点
当前提交
7b18336c6a
共有 14 个文件被更改,包括 197 次插入171 次删除
  1. 0 13
      etc/checkstyle/checkstyle-suppressions.xml
  2. 19 16
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2ErrorCodes.java
  3. 17 14
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2TokenIntrospectionClaimNames.java
  4. 28 25
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2ParameterNames.java
  5. 8 5
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/PkceParameterNames.java
  6. 17 14
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimNames.java
  7. 10 7
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcScopes.java
  8. 25 22
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimNames.java
  9. 7 4
      oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/endpoint/OidcParameterNames.java
  10. 17 14
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/JwsAlgorithms.java
  11. 12 9
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimNames.java
  12. 8 5
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/BearerTokenErrorCodes.java
  13. 19 16
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ErrorCodes.java
  14. 10 7
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ParameterNames.java

+ 0 - 13
etc/checkstyle/checkstyle-suppressions.xml

@@ -16,20 +16,7 @@
 	<suppress files="org[\\/]springframework[\\/]security[\\/]core[\\/]ComparableVersion\.java" checks=".*"/>
 
 	<!-- InterfaceIsType rules we can't fix until a major revision due to back compatibility -->
-	<suppress files="JwsAlgorithms\.java" checks="InterfaceIsType"/>
-	<suppress files="JwtClaimNames\.java" checks="InterfaceIsType"/>
-	<suppress files="OAuth2ErrorCodes\.java" checks="InterfaceIsType"/>
-	<suppress files="OAuth2ParameterNames\.java" checks="InterfaceIsType"/>
-	<suppress files="PkceParameterNames\.java" checks="InterfaceIsType"/>
-	<suppress files="IdTokenClaimNames\.java" checks="InterfaceIsType"/>
-	<suppress files="OidcScopes\.java" checks="InterfaceIsType"/>
-	<suppress files="StandardClaimNames\.java" checks="InterfaceIsType"/>
-	<suppress files="OidcParameterNames\.java" checks="InterfaceIsType"/>
-	<suppress files="BearerTokenErrorCodes\.java" checks="InterfaceIsType"/>
 	<suppress files="OAuth2IntrospectionClaimNames\.java" checks="InterfaceIsType"/>
-	<suppress files="OAuth2TokenIntrospectionClaimNames\.java" checks="InterfaceIsType"/>
-	<suppress files="Saml2ErrorCodes\.java" checks="InterfaceIsType"/>
-	<suppress files="Saml2ParameterNames\.java" checks="InterfaceIsType"/>
 
 	<!-- Method Visibility that we can't reduce -->
 	<suppress files="AbstractAclVoterTests\.java" checks="SpringMethodVisibility"/>

+ 19 - 16
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2ErrorCodes.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,38 +22,38 @@ package org.springframework.security.oauth2.core;
  * @author Joe Grandja
  * @since 5.0
  */
-public interface OAuth2ErrorCodes {
+public final class OAuth2ErrorCodes {
 
 	/**
 	 * {@code invalid_request} - The request is missing a required parameter, includes an
 	 * invalid parameter value, includes a parameter more than once, or is otherwise
 	 * malformed.
 	 */
-	String INVALID_REQUEST = "invalid_request";
+	public static final String INVALID_REQUEST = "invalid_request";
 
 	/**
 	 * {@code unauthorized_client} - The client is not authorized to request an
 	 * authorization code or access token using this method.
 	 */
-	String UNAUTHORIZED_CLIENT = "unauthorized_client";
+	public static final String UNAUTHORIZED_CLIENT = "unauthorized_client";
 
 	/**
 	 * {@code access_denied} - The resource owner or authorization server denied the
 	 * request.
 	 */
-	String ACCESS_DENIED = "access_denied";
+	public static final String ACCESS_DENIED = "access_denied";
 
 	/**
 	 * {@code unsupported_response_type} - The authorization server does not support
 	 * obtaining an authorization code or access token using this method.
 	 */
-	String UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type";
+	public static final String UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type";
 
 	/**
 	 * {@code invalid_scope} - The requested scope is invalid, unknown, malformed or
 	 * exceeds the scope granted by the resource owner.
 	 */
-	String INVALID_SCOPE = "invalid_scope";
+	public static final String INVALID_SCOPE = "invalid_scope";
 
 	/**
 	 * {@code insufficient_scope} - The request requires higher privileges than provided
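Review bot: Declaring `public final class OAuth2ErrorCodes` in place of the interface breaks any downstream type that was written as `implements OAuth2ErrorCodes`, at compile time and when loading already-compiled classes, and the class Javadoc does not record the change. Plain references such as `OAuth2ErrorCodes.INVALID_REQUEST` are unaffected because the fields remain public constants. The comment left in checkstyle-suppressions.xml says these InterfaceIsType cases could not be fixed before a major revision, so a sentence in the class Javadoc would help, for example `As of <VERSION> this type is a final class and can no longer be implemented.` The same applies to every other type converted in this commit (OAuth2TokenIntrospectionClaimNames, OAuth2ParameterNames, PkceParameterNames, IdTokenClaimNames, OidcScopes, StandardClaimNames, OidcParameterNames, JwsAlgorithms, JwtClaimNames, BearerTokenErrorCodes, Saml2ErrorCodes, Saml2ParameterNames). The class body continues outside this hunk.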
@@ -64,7 +64,7 @@ public interface OAuth2ErrorCodes {
 	 * @see <a href="https://tools.ietf.org/html/rfc6750#section-3.1">RFC-6750 - Section
 	 * 3.1 - Error Codes</a>
 	 */
-	String INSUFFICIENT_SCOPE = "insufficient_scope";
+	public static final String INSUFFICIENT_SCOPE = "insufficient_scope";
 
 	/**
 	 * {@code invalid_token} - The access token provided is expired, revoked, malformed,
@@ -75,7 +75,7 @@ public interface OAuth2ErrorCodes {
 	 * @see <a href="https://tools.ietf.org/html/rfc6750#section-3.1">RFC-6750 - Section
 	 * 3.1 - Error Codes</a>
 	 */
-	String INVALID_TOKEN = "invalid_token";
+	public static final String INVALID_TOKEN = "invalid_token";
 
 	/**
 	 * {@code server_error} - The authorization server encountered an unexpected condition
@@ -83,7 +83,7 @@ public interface OAuth2ErrorCodes {
 	 * 500 Internal Server Error HTTP status code cannot be returned to the client via a
 	 * HTTP redirect.)
 	 */
-	String SERVER_ERROR = "server_error";
+	public static final String SERVER_ERROR = "server_error";
 
 	/**
 	 * {@code temporarily_unavailable} - The authorization server is currently unable to
@@ -91,7 +91,7 @@ public interface OAuth2ErrorCodes {
 	 * (This error code is needed because a 503 Service Unavailable HTTP status code
 	 * cannot be returned to the client via an HTTP redirect.)
 	 */
-	String TEMPORARILY_UNAVAILABLE = "temporarily_unavailable";
+	public static final String TEMPORARILY_UNAVAILABLE = "temporarily_unavailable";
 
 	/**
 	 * {@code invalid_client} - Client authentication failed (e.g., unknown client, no
@@ -103,7 +103,7 @@ public interface OAuth2ErrorCodes {
 	 * include the &quot;WWW-Authenticate&quot; response header field matching the
 	 * authentication scheme used by the client.
 	 */
-	String INVALID_CLIENT = "invalid_client";
+	public static final String INVALID_CLIENT = "invalid_client";
 
 	/**
 	 * {@code invalid_grant} - The provided authorization grant (e.g., authorization code,
@@ -111,13 +111,13 @@ public interface OAuth2ErrorCodes {
 	 * match the redirection URI used in the authorization request, or was issued to
 	 * another client.
 	 */
-	String INVALID_GRANT = "invalid_grant";
+	public static final String INVALID_GRANT = "invalid_grant";
 
 	/**
 	 * {@code unsupported_grant_type} - The authorization grant type is not supported by
 	 * the authorization server.
 	 */
-	String UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type";
+	public static final String UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type";
 
 	/**
 	 * {@code unsupported_token_type} - The authorization server does not support the
@@ -127,7 +127,7 @@ public interface OAuth2ErrorCodes {
 	 * @see <a href="https://tools.ietf.org/html/rfc7009#section-2.2.1">RFC-7009 - Section
 	 * 2.2.1 - Error Response</a>
 	 */
-	String UNSUPPORTED_TOKEN_TYPE = "unsupported_token_type";
+	public static final String UNSUPPORTED_TOKEN_TYPE = "unsupported_token_type";
 
 	/**
 	 * {@code invalid_redirect_uri} - The value of one or more redirection URIs is
@@ -137,6 +137,9 @@ public interface OAuth2ErrorCodes {
 	 * @see <a href="https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2">RFC-7591
 	 * - Section 3.2.2 - Client Registration Error Response</a>
 	 */
-	String INVALID_REDIRECT_URI = "invalid_redirect_uri";
+	public static final String INVALID_REDIRECT_URI = "invalid_redirect_uri";
+
+	private OAuth2ErrorCodes() {
+	}
 
 }
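Review bot: The added `private OAuth2ErrorCodes() {` constructor has an empty body and no comment explaining why it is there. A one-line comment inside it, such as `// constants holder; not meant to be instantiated`, would make the intent plain to a reader who has not seen this commit. The same uncommented constructor is added to each of the other converted classes in this commit.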

+ 17 - 14
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2TokenIntrospectionClaimNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,68 +29,71 @@ package org.springframework.security.oauth2.core;
  * "https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response">OAuth
  * Parameters (IANA)</a>
  */
-public interface OAuth2TokenIntrospectionClaimNames {
+public final class OAuth2TokenIntrospectionClaimNames {
 
 	/**
 	 * {@code active} - Indicator whether or not the token is currently active
 	 */
-	String ACTIVE = "active";
+	public static final String ACTIVE = "active";
 
 	/**
 	 * {@code username} - A human-readable identifier for the resource owner that
 	 * authorized the token
 	 */
-	String USERNAME = "username";
+	public static final String USERNAME = "username";
 
 	/**
 	 * {@code client_id} - The Client identifier for the token
 	 */
-	String CLIENT_ID = "client_id";
+	public static final String CLIENT_ID = "client_id";
 
 	/**
 	 * {@code scope} - The scopes for the token
 	 */
-	String SCOPE = "scope";
+	public static final String SCOPE = "scope";
 
 	/**
 	 * {@code token_type} - The type of the token, for example {@code bearer}.
 	 */
-	String TOKEN_TYPE = "token_type";
+	public static final String TOKEN_TYPE = "token_type";
 
 	/**
 	 * {@code exp} - A timestamp indicating when the token expires
 	 */
-	String EXP = "exp";
+	public static final String EXP = "exp";
 
 	/**
 	 * {@code iat} - A timestamp indicating when the token was issued
 	 */
-	String IAT = "iat";
+	public static final String IAT = "iat";
 
 	/**
 	 * {@code nbf} - A timestamp indicating when the token is not to be used before
 	 */
-	String NBF = "nbf";
+	public static final String NBF = "nbf";
 
 	/**
 	 * {@code sub} - Usually a machine-readable identifier of the resource owner who
 	 * authorized the token
 	 */
-	String SUB = "sub";
+	public static final String SUB = "sub";
 
 	/**
 	 * {@code aud} - The intended audience for the token
 	 */
-	String AUD = "aud";
+	public static final String AUD = "aud";
 
 	/**
 	 * {@code iss} - The issuer of the token
 	 */
-	String ISS = "iss";
+	public static final String ISS = "iss";
 
 	/**
 	 * {@code jti} - The identifier for the token
 	 */
-	String JTI = "jti";
+	public static final String JTI = "jti";
+
+	private OAuth2TokenIntrospectionClaimNames() {
+	}
 
 }

+ 28 - 25
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2ParameterNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,128 +26,131 @@ package org.springframework.security.oauth2.core.endpoint;
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-11.2">11.2
  * OAuth Parameters Registry</a>
  */
-public interface OAuth2ParameterNames {
+public final class OAuth2ParameterNames {
 
 	/**
 	 * {@code grant_type} - used in Access Token Request.
 	 */
-	String GRANT_TYPE = "grant_type";
+	public static final String GRANT_TYPE = "grant_type";
 
 	/**
 	 * {@code response_type} - used in Authorization Request.
 	 */
-	String RESPONSE_TYPE = "response_type";
+	public static final String RESPONSE_TYPE = "response_type";
 
 	/**
 	 * {@code client_id} - used in Authorization Request and Access Token Request.
 	 */
-	String CLIENT_ID = "client_id";
+	public static final String CLIENT_ID = "client_id";
 
 	/**
 	 * {@code client_secret} - used in Access Token Request.
 	 */
-	String CLIENT_SECRET = "client_secret";
+	public static final String CLIENT_SECRET = "client_secret";
 
 	/**
 	 * {@code client_assertion_type} - used in Access Token Request.
 	 * @since 5.5
 	 */
-	String CLIENT_ASSERTION_TYPE = "client_assertion_type";
+	public static final String CLIENT_ASSERTION_TYPE = "client_assertion_type";
 
 	/**
 	 * {@code client_assertion} - used in Access Token Request.
 	 * @since 5.5
 	 */
-	String CLIENT_ASSERTION = "client_assertion";
+	public static final String CLIENT_ASSERTION = "client_assertion";
 
 	/**
 	 * {@code assertion} - used in Access Token Request.
 	 * @since 5.5
 	 */
-	String ASSERTION = "assertion";
+	public static final String ASSERTION = "assertion";
 
 	/**
 	 * {@code redirect_uri} - used in Authorization Request and Access Token Request.
 	 */
-	String REDIRECT_URI = "redirect_uri";
+	public static final String REDIRECT_URI = "redirect_uri";
 
 	/**
 	 * {@code scope} - used in Authorization Request, Authorization Response, Access Token
 	 * Request and Access Token Response.
 	 */
-	String SCOPE = "scope";
+	public static final String SCOPE = "scope";
 
 	/**
 	 * {@code state} - used in Authorization Request and Authorization Response.
 	 */
-	String STATE = "state";
+	public static final String STATE = "state";
 
 	/**
 	 * {@code code} - used in Authorization Response and Access Token Request.
 	 */
-	String CODE = "code";
+	public static final String CODE = "code";
 
 	/**
 	 * {@code access_token} - used in Authorization Response and Access Token Response.
 	 */
-	String ACCESS_TOKEN = "access_token";
+	public static final String ACCESS_TOKEN = "access_token";
 
 	/**
 	 * {@code token_type} - used in Authorization Response and Access Token Response.
 	 */
-	String TOKEN_TYPE = "token_type";
+	public static final String TOKEN_TYPE = "token_type";
 
 	/**
 	 * {@code expires_in} - used in Authorization Response and Access Token Response.
 	 */
-	String EXPIRES_IN = "expires_in";
+	public static final String EXPIRES_IN = "expires_in";
 
 	/**
 	 * {@code refresh_token} - used in Access Token Request and Access Token Response.
 	 */
-	String REFRESH_TOKEN = "refresh_token";
+	public static final String REFRESH_TOKEN = "refresh_token";
 
 	/**
 	 * {@code username} - used in Access Token Request.
 	 */
-	String USERNAME = "username";
+	public static final String USERNAME = "username";
 
 	/**
 	 * {@code password} - used in Access Token Request.
 	 */
-	String PASSWORD = "password";
+	public static final String PASSWORD = "password";
 
 	/**
 	 * {@code error} - used in Authorization Response and Access Token Response.
 	 */
-	String ERROR = "error";
+	public static final String ERROR = "error";
 
 	/**
 	 * {@code error_description} - used in Authorization Response and Access Token
 	 * Response.
 	 */
-	String ERROR_DESCRIPTION = "error_description";
+	public static final String ERROR_DESCRIPTION = "error_description";
 
 	/**
 	 * {@code error_uri} - used in Authorization Response and Access Token Response.
 	 */
-	String ERROR_URI = "error_uri";
+	public static final String ERROR_URI = "error_uri";
 
 	/**
 	 * Non-standard parameter (used internally).
 	 */
-	String REGISTRATION_ID = "registration_id";
+	public static final String REGISTRATION_ID = "registration_id";
 
 	/**
 	 * {@code token} - used in Token Revocation Request.
 	 * @since 5.5
 	 */
-	String TOKEN = "token";
+	public static final String TOKEN = "token";
 
 	/**
 	 * {@code token_type_hint} - used in Token Revocation Request.
 	 * @since 5.5
 	 */
-	String TOKEN_TYPE_HINT = "token_type_hint";
+	public static final String TOKEN_TYPE_HINT = "token_type_hint";
+
+	private OAuth2ParameterNames() {
+	}
 
 }
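Review bot: The Javadoc on `CLIENT_SECRET`, `PASSWORD`, `ACCESS_TOKEN` and `REFRESH_TOKEN` says only which request or response carries the parameter, not that the value stored under that name is a credential. Callers use these constants as keys when reading or building parameter maps, so a short sentence on each would be useful, for example `The value is a credential and should be kept out of logs and error messages.` Separately, `REGISTRATION_ID` is documented only as `Non-standard parameter (used internally)`, and the visible lines do not show where it is used; naming the component that sets it would help.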

+ 8 - 5
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/PkceParameterNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,21 +26,24 @@ package org.springframework.security.oauth2.core.endpoint;
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-6.1">6.1
  * OAuth Parameters Registry</a>
  */
-public interface PkceParameterNames {
+public final class PkceParameterNames {
 
 	/**
 	 * {@code code_challenge} - used in Authorization Request.
 	 */
-	String CODE_CHALLENGE = "code_challenge";
+	public static final String CODE_CHALLENGE = "code_challenge";
 
 	/**
 	 * {@code code_challenge_method} - used in Authorization Request.
 	 */
-	String CODE_CHALLENGE_METHOD = "code_challenge_method";
+	public static final String CODE_CHALLENGE_METHOD = "code_challenge_method";
 
 	/**
 	 * {@code code_verifier} - used in Token Request.
 	 */
-	String CODE_VERIFIER = "code_verifier";
+	public static final String CODE_VERIFIER = "code_verifier";
+
+	private PkceParameterNames() {
+	}
 
 }

+ 17 - 14
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/IdTokenClaimNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,68 +27,71 @@ package org.springframework.security.oauth2.core.oidc;
  * "https://openid.net/specs/openid-connect-core-1_0.html#IDToken">ID Token</a>
  */
 
-public interface IdTokenClaimNames {
+public final class IdTokenClaimNames {
 
 	/**
 	 * {@code iss} - the Issuer identifier
 	 */
-	String ISS = "iss";
+	public static final String ISS = "iss";
 
 	/**
 	 * {@code sub} - the Subject identifier
 	 */
-	String SUB = "sub";
+	public static final String SUB = "sub";
 
 	/**
 	 * {@code aud} - the Audience(s) that the ID Token is intended for
 	 */
-	String AUD = "aud";
+	public static final String AUD = "aud";
 
 	/**
 	 * {@code exp} - the Expiration time on or after which the ID Token MUST NOT be
 	 * accepted
 	 */
-	String EXP = "exp";
+	public static final String EXP = "exp";
 
 	/**
 	 * {@code iat} - the time at which the ID Token was issued
 	 */
-	String IAT = "iat";
+	public static final String IAT = "iat";
 
 	/**
 	 * {@code auth_time} - the time when the End-User authentication occurred
 	 */
-	String AUTH_TIME = "auth_time";
+	public static final String AUTH_TIME = "auth_time";
 
 	/**
 	 * {@code nonce} - a {@code String} value used to associate a Client session with an
 	 * ID Token, and to mitigate replay attacks.
 	 */
-	String NONCE = "nonce";
+	public static final String NONCE = "nonce";
 
 	/**
 	 * {@code acr} - the Authentication Context Class Reference
 	 */
-	String ACR = "acr";
+	public static final String ACR = "acr";
 
 	/**
 	 * {@code amr} - the Authentication Methods References
 	 */
-	String AMR = "amr";
+	public static final String AMR = "amr";
 
 	/**
 	 * {@code azp} - the Authorized party to which the ID Token was issued
 	 */
-	String AZP = "azp";
+	public static final String AZP = "azp";
 
 	/**
 	 * {@code at_hash} - the Access Token hash value
 	 */
-	String AT_HASH = "at_hash";
+	public static final String AT_HASH = "at_hash";
 
 	/**
 	 * {@code c_hash} - the Authorization Code hash value
 	 */
-	String C_HASH = "c_hash";
+	public static final String C_HASH = "c_hash";
+
+	private IdTokenClaimNames() {
+	}
 
 }

+ 10 - 7
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/OidcScopes.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,35 +33,38 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken;
  * "https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims">Requesting Claims
  * using Scope Values</a>
  */
-public interface OidcScopes {
+public final class OidcScopes {
 
 	/**
 	 * The {@code openid} scope is required for OpenID Connect Authentication Requests.
 	 */
-	String OPENID = "openid";
+	public static final String OPENID = "openid";
 
 	/**
 	 * The {@code profile} scope requests access to the default profile claims, which are:
 	 * {@code name, family_name, given_name, middle_name, nickname, preferred_username,
 	 * profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at}.
 	 */
-	String PROFILE = "profile";
+	public static final String PROFILE = "profile";
 
 	/**
 	 * The {@code email} scope requests access to the {@code email} and
 	 * {@code email_verified} claims.
 	 */
-	String EMAIL = "email";
+	public static final String EMAIL = "email";
 
 	/**
 	 * The {@code address} scope requests access to the {@code address} claim.
 	 */
-	String ADDRESS = "address";
+	public static final String ADDRESS = "address";
 
 	/**
 	 * The {@code phone} scope requests access to the {@code phone_number} and
 	 * {@code phone_number_verified} claims.
 	 */
-	String PHONE = "phone";
+	public static final String PHONE = "phone";
+
+	private OidcScopes() {
+	}
 
 }

+ 25 - 22
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/StandardClaimNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,110 +31,113 @@ package org.springframework.security.oauth2.core.oidc;
  * @see <a target="_blank" href=
  * "https://openid.net/specs/openid-connect-core-1_0.html#IDToken">ID Token</a>
  */
-public interface StandardClaimNames {
+public final class StandardClaimNames {
 
 	/**
 	 * {@code sub} - the Subject identifier
 	 */
-	String SUB = "sub";
+	public static final String SUB = "sub";
 
 	/**
 	 * {@code name} - the user's full name
 	 */
-	String NAME = "name";
+	public static final String NAME = "name";
 
 	/**
 	 * {@code given_name} - the user's given name(s) or first name(s)
 	 */
-	String GIVEN_NAME = "given_name";
+	public static final String GIVEN_NAME = "given_name";
 
 	/**
 	 * {@code family_name} - the user's surname(s) or last name(s)
 	 */
-	String FAMILY_NAME = "family_name";
+	public static final String FAMILY_NAME = "family_name";
 
 	/**
 	 * {@code middle_name} - the user's middle name(s)
 	 */
-	String MIDDLE_NAME = "middle_name";
+	public static final String MIDDLE_NAME = "middle_name";
 
 	/**
 	 * {@code nickname} - the user's nick name that may or may not be the same as the
 	 * {@code given_name}
 	 */
-	String NICKNAME = "nickname";
+	public static final String NICKNAME = "nickname";
 
 	/**
 	 * {@code preferred_username} - the preferred username that the user wishes to be
 	 * referred to
 	 */
-	String PREFERRED_USERNAME = "preferred_username";
+	public static final String PREFERRED_USERNAME = "preferred_username";
 
 	/**
 	 * {@code profile} - the URL of the user's profile page
 	 */
-	String PROFILE = "profile";
+	public static final String PROFILE = "profile";
 
 	/**
 	 * {@code picture} - the URL of the user's profile picture
 	 */
-	String PICTURE = "picture";
+	public static final String PICTURE = "picture";
 
 	/**
 	 * {@code website} - the URL of the user's web page or blog
 	 */
-	String WEBSITE = "website";
+	public static final String WEBSITE = "website";
 
 	/**
 	 * {@code email} - the user's preferred e-mail address
 	 */
-	String EMAIL = "email";
+	public static final String EMAIL = "email";
 
 	/**
 	 * {@code email_verified} - {@code true} if the user's e-mail address has been
 	 * verified, otherwise {@code false}
 	 */
-	String EMAIL_VERIFIED = "email_verified";
+	public static final String EMAIL_VERIFIED = "email_verified";
 
 	/**
 	 * {@code gender} - the user's gender
 	 */
-	String GENDER = "gender";
+	public static final String GENDER = "gender";
 
 	/**
 	 * {@code birthdate} - the user's birth date
 	 */
-	String BIRTHDATE = "birthdate";
+	public static final String BIRTHDATE = "birthdate";
 
 	/**
 	 * {@code zoneinfo} - the user's time zone
 	 */
-	String ZONEINFO = "zoneinfo";
+	public static final String ZONEINFO = "zoneinfo";
 
 	/**
 	 * {@code locale} - the user's locale
 	 */
-	String LOCALE = "locale";
+	public static final String LOCALE = "locale";
 
 	/**
 	 * {@code phone_number} - the user's preferred phone number
 	 */
-	String PHONE_NUMBER = "phone_number";
+	public static final String PHONE_NUMBER = "phone_number";
 
 	/**
 	 * {@code phone_number_verified} - {@code true} if the user's phone number has been
 	 * verified, otherwise {@code false}
 	 */
-	String PHONE_NUMBER_VERIFIED = "phone_number_verified";
+	public static final String PHONE_NUMBER_VERIFIED = "phone_number_verified";
 
 	/**
 	 * {@code address} - the user's preferred postal address
 	 */
-	String ADDRESS = "address";
+	public static final String ADDRESS = "address";
 
 	/**
 	 * {@code updated_at} - the time the user's information was last updated
 	 */
-	String UPDATED_AT = "updated_at";
+	public static final String UPDATED_AT = "updated_at";
+
+	private StandardClaimNames() {
+	}
 
 }

+ 7 - 4
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/endpoint/OidcParameterNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,16 +27,19 @@ package org.springframework.security.oauth2.core.oidc.endpoint;
  * "https://openid.net/specs/openid-connect-core-1_0.html#OAuthParametersRegistry">18.2
  * OAuth Parameters Registration</a>
  */
-public interface OidcParameterNames {
+public final class OidcParameterNames {
 
 	/**
 	 * {@code id_token} - used in the Access Token Response.
 	 */
-	String ID_TOKEN = "id_token";
+	public static final String ID_TOKEN = "id_token";
 
 	/**
 	 * {@code nonce} - used in the Authentication Request.
 	 */
-	String NONCE = "nonce";
+	public static final String NONCE = "nonce";
+
+	private OidcParameterNames() {
+	}
 
 }

+ 17 - 14
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/JwsAlgorithms.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,66 +31,69 @@ package org.springframework.security.oauth2.jose.jws;
  * "https://tools.ietf.org/html/rfc7518#section-3">Cryptographic Algorithms for Digital
  * Signatures and MACs</a>
  */
-public interface JwsAlgorithms {
+public final class JwsAlgorithms {
 
 	/**
 	 * HMAC using SHA-256 (Required)
 	 */
-	String HS256 = "HS256";
+	public static final String HS256 = "HS256";
 
 	/**
 	 * HMAC using SHA-384 (Optional)
 	 */
-	String HS384 = "HS384";
+	public static final String HS384 = "HS384";
 
 	/**
 	 * HMAC using SHA-512 (Optional)
 	 */
-	String HS512 = "HS512";
+	public static final String HS512 = "HS512";
 
 	/**
 	 * RSASSA-PKCS1-v1_5 using SHA-256 (Recommended)
 	 */
-	String RS256 = "RS256";
+	public static final String RS256 = "RS256";
 
 	/**
 	 * RSASSA-PKCS1-v1_5 using SHA-384 (Optional)
 	 */
-	String RS384 = "RS384";
+	public static final String RS384 = "RS384";
 
 	/**
 	 * RSASSA-PKCS1-v1_5 using SHA-512 (Optional)
 	 */
-	String RS512 = "RS512";
+	public static final String RS512 = "RS512";
 
 	/**
 	 * ECDSA using P-256 and SHA-256 (Recommended+)
 	 */
-	String ES256 = "ES256";
+	public static final String ES256 = "ES256";
 
 	/**
 	 * ECDSA using P-384 and SHA-384 (Optional)
 	 */
-	String ES384 = "ES384";
+	public static final String ES384 = "ES384";
 
 	/**
 	 * ECDSA using P-521 and SHA-512 (Optional)
 	 */
-	String ES512 = "ES512";
+	public static final String ES512 = "ES512";
 
 	/**
 	 * RSASSA-PSS using SHA-256 and MGF1 with SHA-256 (Optional)
 	 */
-	String PS256 = "PS256";
+	public static final String PS256 = "PS256";
 
 	/**
 	 * RSASSA-PSS using SHA-384 and MGF1 with SHA-384 (Optional)
 	 */
-	String PS384 = "PS384";
+	public static final String PS384 = "PS384";
 
 	/**
 	 * RSASSA-PSS using SHA-512 and MGF1 with SHA-512 (Optional)
 	 */
-	String PS512 = "PS512";
+	public static final String PS512 = "PS512";
+
+	private JwsAlgorithms() {
+	}
 
 }

+ 12 - 9
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,45 +26,48 @@ package org.springframework.security.oauth2.jwt;
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519#section-4">JWT
  * Claims</a>
  */
-public interface JwtClaimNames {
+public final class JwtClaimNames {
 
 	/**
 	 * {@code iss} - the Issuer claim identifies the principal that issued the JWT
 	 */
-	String ISS = "iss";
+	public static final String ISS = "iss";
 
 	/**
 	 * {@code sub} - the Subject claim identifies the principal that is the subject of the
 	 * JWT
 	 */
-	String SUB = "sub";
+	public static final String SUB = "sub";
 
 	/**
 	 * {@code aud} - the Audience claim identifies the recipient(s) that the JWT is
 	 * intended for
 	 */
-	String AUD = "aud";
+	public static final String AUD = "aud";
 
 	/**
 	 * {@code exp} - the Expiration time claim identifies the expiration time on or after
 	 * which the JWT MUST NOT be accepted for processing
 	 */
-	String EXP = "exp";
+	public static final String EXP = "exp";
 
 	/**
 	 * {@code nbf} - the Not Before claim identifies the time before which the JWT MUST
 	 * NOT be accepted for processing
 	 */
-	String NBF = "nbf";
+	public static final String NBF = "nbf";
 
 	/**
 	 * {@code iat} - The Issued at claim identifies the time at which the JWT was issued
 	 */
-	String IAT = "iat";
+	public static final String IAT = "iat";
 
 	/**
 	 * {@code jti} - The JWT ID claim provides a unique identifier for the JWT
 	 */
-	String JTI = "jti";
+	public static final String JTI = "jti";
+
+	private JwtClaimNames() {
+	}
 
 }

+ 8 - 5
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/BearerTokenErrorCodes.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,25 +25,28 @@ package org.springframework.security.oauth2.server.resource;
  * @see <a href="https://tools.ietf.org/html/rfc6750#section-3.1" target="_blank">RFC 6750
  * Section 3.1: Error Codes</a>
  */
-public interface BearerTokenErrorCodes {
+public final class BearerTokenErrorCodes {
 
 	/**
 	 * {@code invalid_request} - The request is missing a required parameter, includes an
 	 * unsupported parameter or parameter value, repeats the same parameter, uses more
 	 * than one method for including an access token, or is otherwise malformed.
 	 */
-	String INVALID_REQUEST = "invalid_request";
+	public static final String INVALID_REQUEST = "invalid_request";
 
 	/**
 	 * {@code invalid_token} - The access token provided is expired, revoked, malformed,
 	 * or invalid for other reasons.
 	 */
-	String INVALID_TOKEN = "invalid_token";
+	public static final String INVALID_TOKEN = "invalid_token";
 
 	/**
 	 * {@code insufficient_scope} - The request requires higher privileges than provided
 	 * by the access token.
 	 */
-	String INSUFFICIENT_SCOPE = "insufficient_scope";
+	public static final String INSUFFICIENT_SCOPE = "insufficient_scope";
+
+	private BearerTokenErrorCodes() {
+	}
 
 }
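Review bot: Turning `BearerTokenErrorCodes` from an interface into a `final class` breaks any caller that wrote `implements BearerTokenErrorCodes` to inherit the constants, and neither the class Javadoc nor the empty private constructor says so. Callers that only reference `BearerTokenErrorCodes.INVALID_TOKEN` and its siblings are unaffected, but implementers stop compiling, and already compiled ones fail at class load. I would add a line to the class Javadoc such as `This type is a non-instantiable constants holder; reference its fields statically rather than implementing or extending it.` and put `// constants holder, not instantiable` in the constructor body. The same applies to `JwtClaimNames`, `Saml2ErrorCodes` and `Saml2ParameterNames` in this commit; whether it ships in a release where such a break is acceptable is not visible in this section.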

+ 19 - 16
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ErrorCodes.java

@@ -21,7 +21,7 @@ package org.springframework.security.saml2.core;
  *
  * @since 5.2
  */
-public interface Saml2ErrorCodes {
+public final class Saml2ErrorCodes {
 
 	/**
 	 * SAML Data does not represent a SAML 2 Response object. A valid XML object was
@@ -29,34 +29,34 @@ public interface Saml2ErrorCodes {
 	 * {@code ResponseType} per specification
 	 * https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=46
 	 */
-	String UNKNOWN_RESPONSE_CLASS = "unknown_response_class";
+	public static final String UNKNOWN_RESPONSE_CLASS = "unknown_response_class";
 
 	/**
 	 * The serialized AuthNRequest could not be deserialized correctly.
 	 *
 	 * @since 5.7
 	 */
-	String MALFORMED_REQUEST_DATA = "malformed_request_data";
+	public static final String MALFORMED_REQUEST_DATA = "malformed_request_data";
 
 	/**
 	 * The response data is malformed or incomplete. An invalid XML object was received,
 	 * and XML unmarshalling failed.
 	 */
-	String MALFORMED_RESPONSE_DATA = "malformed_response_data";
+	public static final String MALFORMED_RESPONSE_DATA = "malformed_response_data";
 
 	/**
 	 * Request is invalid in a general way.
 	 *
 	 * @since 5.6
 	 */
-	String INVALID_REQUEST = "invalid_request";
+	public static final String INVALID_REQUEST = "invalid_request";
 
 	/**
 	 * Response is invalid in a general way.
 	 *
 	 * @since 5.5
 	 */
-	String INVALID_RESPONSE = "invalid_response";
+	public static final String INVALID_RESPONSE = "invalid_response";
 
 	/**
 	 * Response destination does not match the request URL. A SAML 2 response object was
@@ -64,20 +64,20 @@ public interface Saml2ErrorCodes {
 	 * attribute in the Response object.
 	 * https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=38
 	 */
-	String INVALID_DESTINATION = "invalid_destination";
+	public static final String INVALID_DESTINATION = "invalid_destination";
 
 	/**
 	 * The assertion was not valid. The assertion used for authentication failed
 	 * validation. Details around the failure will be present in the error description.
 	 */
-	String INVALID_ASSERTION = "invalid_assertion";
+	public static final String INVALID_ASSERTION = "invalid_assertion";
 
 	/**
 	 * The signature of response or assertion was invalid. Either the response or the
 	 * assertion was missing a signature or the signature could not be verified using the
 	 * system's configured credentials. Most commonly the IDP's X509 certificate.
 	 */
-	String INVALID_SIGNATURE = "invalid_signature";
+	public static final String INVALID_SIGNATURE = "invalid_signature";
 
 	/**
 	 * The assertion did not contain a subject element. The subject element, type
@@ -86,7 +86,7 @@ public interface Saml2ErrorCodes {
 	 *
 	 * https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=18
 	 */
-	String SUBJECT_NOT_FOUND = "subject_not_found";
+	public static final String SUBJECT_NOT_FOUND = "subject_not_found";
 
 	/**
 	 * The subject did not contain a user identifier The assertion contained a subject
@@ -95,7 +95,7 @@ public interface Saml2ErrorCodes {
 	 *
 	 * https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=18
 	 */
-	String USERNAME_NOT_FOUND = "username_not_found";
+	public static final String USERNAME_NOT_FOUND = "username_not_found";
 
 	/**
 	 * The system failed to decrypt an assertion or a name identifier. This error code
@@ -103,31 +103,34 @@ public interface Saml2ErrorCodes {
 	 * {@code EncryptedID} fails.
 	 * https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=17
 	 */
-	String DECRYPTION_ERROR = "decryption_error";
+	public static final String DECRYPTION_ERROR = "decryption_error";
 
 	/**
 	 * An Issuer element contained a value that didn't
 	 * https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=15
 	 */
-	String INVALID_ISSUER = "invalid_issuer";
+	public static final String INVALID_ISSUER = "invalid_issuer";
 
 	/**
 	 * An error happened during validation. Used when internal, non classified, errors are
 	 * caught during the authentication process.
 	 */
-	String INTERNAL_VALIDATION_ERROR = "internal_validation_error";
+	public static final String INTERNAL_VALIDATION_ERROR = "internal_validation_error";
 
 	/**
 	 * The relying party registration was not found. The registration ID did not
 	 * correspond to any relying party registration.
 	 */
-	String RELYING_PARTY_REGISTRATION_NOT_FOUND = "relying_party_registration_not_found";
+	public static final String RELYING_PARTY_REGISTRATION_NOT_FOUND = "relying_party_registration_not_found";
 
 	/**
 	 * The InResponseTo content of the response does not match the ID of the AuthNRequest.
 	 *
 	 * @since 5.7
 	 */
-	String INVALID_IN_RESPONSE_TO = "invalid_in_response_to";
+	public static final String INVALID_IN_RESPONSE_TO = "invalid_in_response_to";
+
+	private Saml2ErrorCodes() {
+	}
 
 }
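Review bot: The Javadoc directly above `INVALID_ISSUER` breaks off mid-sentence ("An Issuer element contained a value that didn't"), so the one code that reports an issuer check failure has no usable description. Since this commit rewrites the field line right beneath it, it is a good moment to finish the sentence, presumably along the lines of `An Issuer element contained a value that did not match the expected issuer.` (wording to be confirmed against the validator, which is outside this diff). In an earlier hunk of the same file, the comment on `USERNAME_NOT_FOUND` is missing a full stop between "a user identifier" and "The assertion contained a subject". Clear descriptions matter here because these strings are what operators see when triaging failed SAML logins.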

+ 10 - 7
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ParameterNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,17 +27,17 @@ package org.springframework.security.saml2.core;
  * "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf">SAML 2.0
  * Bindings</a>
  */
-public interface Saml2ParameterNames {
+public final class Saml2ParameterNames {
 
 	/**
 	 * {@code SAMLRequest} - used to request authentication or request logout
 	 */
-	String SAML_REQUEST = "SAMLRequest";
+	public static final String SAML_REQUEST = "SAMLRequest";
 
 	/**
 	 * {@code SAMLResponse} - used to respond to an authentication or logout request
 	 */
-	String SAML_RESPONSE = "SAMLResponse";
+	public static final String SAML_RESPONSE = "SAMLResponse";
 
 	/**
 	 * {@code RelayState} - used to communicate shared state between the relying and
@@ -46,17 +46,20 @@ public interface Saml2ParameterNames {
 	 * "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf#page=8">3.1.1
 	 * Use of RelayState</a>
 	 */
-	String RELAY_STATE = "RelayState";
+	public static final String RELAY_STATE = "RelayState";
 
 	/**
 	 * {@code SigAlg} - used to communicate which signature algorithm to use to verify
 	 * signature
 	 */
-	String SIG_ALG = "SigAlg";
+	public static final String SIG_ALG = "SigAlg";
 
 	/**
 	 * {@code Signature} - used to supply cryptographic signature on any SAML 2.0 payload
 	 */
-	String SIGNATURE = "Signature";
+	public static final String SIGNATURE = "Signature";
+
+	private Saml2ParameterNames() {
+	}
 
 }
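Review bot: The Javadoc on `SIG_ALG` says the parameter communicates "which signature algorithm to use to verify signature", but does not say that the value arrives with the message being verified. A reader wiring up verification from this constant could take the named algorithm at face value. I would reword it to something like `{@code SigAlg} - names the signature algorithm the sender used; check it against the configured set of accepted algorithms before verifying` so the constant's documentation carries the caveat. Whether the code that consumes this constant already enforces such a check is not visible in this hunk.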