
Fix Nullability in WebInvocationPrivilegeEvaluator

Issue gh-17535
Rob Winch 1 week ago
parent
commit
f13d8d5c75

+ 2 - 2
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java

@@ -50,13 +50,13 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
 	}
 
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}
 
 	@Override
 	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
-			Authentication authentication) {
+			@Nullable Authentication authentication) {
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
 		AuthorizationResult result = this.authorizationManager.authorize(() -> authentication, httpRequest);
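Review bot: The lambda `() -> authentication` on the `authorize` line can now hand a null `Authentication` to the configured `AuthorizationManager` by contract, and nothing visible in this hunk guards or documents that. If every manager wired in here is expected to treat null as "not authenticated", say so next to the call, for example `// authentication may be null; managers must treat that as unauthenticated and not dereference it`. A test that calls `isAllowed(uri, null)` against a rule requiring authentication would pin the fail-closed result. The method body continues past the hunk, so how `result` is turned into the return value is not visible here.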

+ 2 - 2
web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java

@@ -65,7 +65,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 	 * be used)
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		return isAllowed(null, uri, null, authentication);
 	}
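Review bot: The Javadoc that ends just above this `@Override` is unchanged although the parameter contract is widened to accept null, so readers still cannot tell what a null `Authentication` means or what answer to expect for it. I would add a line such as `@param authentication the Authentication to evaluate, or {@code null} if none is available` and state in the `@return` text whether null is denied on protected URIs. The same gap applies to the Javadoc in the hunks at `@@ -88,7`, `@@ -35,7` and `@@ -58,6`; the interface is the best place for the authoritative wording. Only the tail of the comment is visible in this hunk.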
 
@@ -88,7 +88,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 	 */
 	@Override
 	public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method,
-			Authentication authentication) {
+			@Nullable Authentication authentication) {
 		Assert.notNull(uri, "uri parameter is required");
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()

+ 3 - 2
web/src/main/java/org/springframework/security/web/access/RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java

@@ -73,7 +73,7 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String uri, Authentication authentication) {
+	public boolean isAllowed(String uri, @Nullable Authentication authentication) {
 		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(null, uri, null);
 		if (privilegeEvaluators.isEmpty()) {
 			return true;
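Review bot: With `authentication` now explicitly nullable, the `privilegeEvaluators.isEmpty()` branch returns `true` for a request that matches no delegate even when no `Authentication` was supplied, and the Javadoc line `@return true if access is allowed, false if denied` does not mention this default. Callers that use the result to decide what to expose should know that `true` here can mean "no rule matched" rather than "a rule granted access". I would document it at the branch, for example `// no delegate matched: allowed by default, regardless of (possibly null) authentication`, and in the `@return` text. The same branch appears in the four-argument overload in the next hunk, and the rest of the method body is outside this hunk.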
@@ -106,7 +106,8 @@ public final class RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
 	 * @return true if access is allowed, false if denied
 	 */
 	@Override
-	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
+	public boolean isAllowed(String contextPath, String uri, @Nullable String method,
+			@Nullable Authentication authentication) {
 		List<WebInvocationPrivilegeEvaluator> privilegeEvaluators = getDelegate(contextPath, uri, method);
 		if (privilegeEvaluators.isEmpty()) {
 			return true;
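Review bot: `contextPath` is left unannotated in this signature and in the interface declaration at the end of the commit, while the `AuthorizationManager` and `Default` implementations declare `@Nullable String contextPath` and the two-argument overloads pass `null` for it (`getDelegate(null, uri, null)` in the previous hunk). If null is a supported value, the interface and this override should say so with `@Nullable String contextPath`; as written, callers coding against the interface are told null is not allowed. If it is meant to be non-null here, the `null` passed to `getDelegate` needs a second look; its signature is not visible in this diff.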

+ 4 - 2
web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.access;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 
 /**
@@ -35,7 +37,7 @@ public interface WebInvocationPrivilegeEvaluator {
 	 * @param uri the URI excluding the context path (a default context path setting will
 	 * be used)
 	 */
-	boolean isAllowed(String uri, Authentication authentication);
+	boolean isAllowed(String uri, @Nullable Authentication authentication);
 
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
@@ -58,6 +60,6 @@ public interface WebInvocationPrivilegeEvaluator {
 	 * be used in evaluation whether access should be granted.
 	 * @return true if access is allowed, false if denied
 	 */
-	boolean isAllowed(String contextPath, String uri, String method, Authentication authentication);
+	boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication);
 
 }