Add marker to make Kotlin DSL type safe

Fixes: gh-7971

config/src/main/kotlin/org/springframework/security/config/web/servlet/AbstractRequestMatcherDsl.kt

@@ -25,6 +25,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher
  * @author Eleftheria Stein
  * @since 5.3
  */
+@SecurityMarker
 abstract class AbstractRequestMatcherDsl {
     /**
      * Matches any request.

config/src/main/kotlin/org/springframework/security/config/web/servlet/AnonymousDsl.kt

@@ -37,6 +37,7 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
  * @property authenticationFilter the [AnonymousAuthenticationFilter] used to populate
  * an anonymous user.
  */
+@SecurityMarker
 class AnonymousDsl {
     var key: String? = null
     var principal: Any? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/CorsDsl.kt

@@ -25,6 +25,7 @@ import org.springframework.security.config.annotation.web.configurers.CorsConfig
  * @author Eleftheria Stein
  * @since 5.3
  */
+@SecurityMarker
 class CorsDsl {
     private var disabled = false
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/CsrfDsl.kt

@@ -34,6 +34,7 @@ import javax.servlet.http.HttpServletRequest
  * determining when CSRF should be applied.
  * @property sessionAuthenticationStrategy the [SessionAuthenticationStrategy] to use.
  */
+@SecurityMarker
 class CsrfDsl {
     var csrfTokenRepository: CsrfTokenRepository? = null
     var requireCsrfProtectionMatcher: RequestMatcher? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/ExceptionHandlingDsl.kt

@@ -33,6 +33,7 @@ import java.util.*
  * @property accessDeniedHandler the [AccessDeniedHandler] to use
  * @property authenticationEntryPoint the [AuthenticationEntryPoint] to use
  */
+@SecurityMarker
 class ExceptionHandlingDsl {
     var accessDeniedPage: String? = null
     var accessDeniedHandler: AccessDeniedHandler? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/FormLoginDsl.kt

@@ -38,6 +38,7 @@ import org.springframework.security.web.authentication.AuthenticationSuccessHand
  * @property permitAll whether to grant access to the urls for [failureUrl] as well as
  * for the [HttpSecurityBuilder], the [loginPage] and [loginProcessingUrl] for every user
  */
+@SecurityMarker
 class FormLoginDsl {
     var loginPage: String? = null
     var authenticationSuccessHandler: AuthenticationSuccessHandler? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt

@@ -29,6 +29,7 @@ import org.springframework.security.web.header.writers.frameoptions.XFrameOption
  * @since 5.3
  * @property defaultsDisabled whether all of the default headers should be included in the response
  */
+@SecurityMarker
 class HeadersDsl {
     private var contentTypeOptions: ((HeadersConfigurer<HttpSecurity>.ContentTypeOptionsConfig) -> Unit)? = null
     private var xssProtection: ((HeadersConfigurer<HttpSecurity>.XXssConfig) -> Unit)? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/HttpBasicDsl.kt

@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletRequest
  * @property authenticationDetailsSource the custom [AuthenticationDetailsSource] to use for
  * basic authentication.
  */
+@SecurityMarker
 class HttpBasicDsl {
     var realmName: String? = null
     var authenticationEntryPoint: AuthenticationEntryPoint? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/HttpSecurityDsl.kt

@@ -64,6 +64,7 @@ operator fun HttpSecurity.invoke(httpConfiguration: HttpSecurityDsl.() -> Unit)
  * @param http the [HttpSecurity] which all configurations will be applied to
  * @param init the configurations to apply to the provided [HttpSecurity]
  */
+@SecurityMarker
 class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecurityDsl.() -> Unit) {
     private val HANDLER_MAPPING_INTROSPECTOR = "org.springframework.web.servlet.handler.HandlerMappingIntrospector"
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/LogoutDsl.kt

@@ -42,6 +42,7 @@ import javax.servlet.http.HttpSession
  * @property logoutSuccessHandler the [LogoutSuccessHandler] to use after logout has occurred.
  * If this is specified, [logoutSuccessUrl] is ignored.
  */
+@SecurityMarker
 class LogoutDsl {
     var clearAuthentication: Boolean? = null
     var invalidateHttpSession: Boolean? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/OAuth2ClientDsl.kt

@@ -50,6 +50,7 @@ import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepo
  * @property authorizedClientRepository the repository for authorized client(s).
  * @property authorizedClientService the service for authorized client(s).
  */
+@SecurityMarker
 class OAuth2ClientDsl {
     var clientRegistrationRepository: ClientRegistrationRepository? = null
     var authorizedClientRepository: OAuth2AuthorizedClientRepository? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/OAuth2LoginDsl.kt

@@ -48,6 +48,7 @@ import org.springframework.security.web.authentication.AuthenticationSuccessHand
  * @property permitAll whether to grant access to the urls for [failureUrl] as well as
  * for the [HttpSecurityBuilder], the [loginPage] and [loginProcessingUrl] for every user
  */
+@SecurityMarker
 class OAuth2LoginDsl {
     var clientRegistrationRepository: ClientRegistrationRepository? = null
     var authorizedClientRepository: OAuth2AuthorizedClientRepository? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/OAuth2ResourceServerDsl.kt

@@ -37,6 +37,7 @@ import org.springframework.security.web.access.AccessDeniedHandler
  * @property bearerTokenResolver the [BearerTokenResolver] to use for requests authenticating
  * with <a href="https://tools.ietf.org/html/rfc6750#section-1.2" target="_blank">Bearer Token</a>s.
  */
+@SecurityMarker
 class OAuth2ResourceServerDsl {
     var accessDeniedHandler: AccessDeniedHandler? = null
     var authenticationEntryPoint: AuthenticationEntryPoint? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/PortMapperDsl.kt

@@ -28,6 +28,7 @@ import org.springframework.security.web.PortMapper
  * @since 5.3
  * @property portMapper allows specifying the [PortMapper] instance.
  */
+@SecurityMarker
 class PortMapperDsl {
     private val mappings = mutableListOf<Pair<Int, Int>>()
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/RequestCacheDsl.kt

@@ -28,6 +28,7 @@ import org.springframework.security.web.savedrequest.RequestCache
  * @since 5.3
  * @property requestCache allows explicit configuration of the [RequestCache] to be used
  */
+@SecurityMarker
 class RequestCacheDsl {
     var requestCache: RequestCache? = null
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/Saml2Dsl.kt

@@ -42,6 +42,7 @@ import org.springframework.security.web.authentication.AuthenticationSuccessHand
  * @property permitAll whether to grant access to the urls for [failureUrl] as well as
  * for the [HttpSecurityBuilder], the [loginPage] and [loginProcessingUrl] for every user
  */
+@SecurityMarker
 class Saml2Dsl {
     var relyingPartyRegistrationRepository: RelyingPartyRegistrationRepository? = null
     var loginPage: String? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/SecurityMarker.kt

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.servlet
+
+/**
+ * Marker annotation indicating that the annotated class is part of the security DSL.
+ *
+ * @author Eleftheria Stein
+ * @since 5.3
+ */
+@DslMarker
+annotation class SecurityMarker

config/src/main/kotlin/org/springframework/security/config/web/servlet/SessionManagementDsl.kt

@@ -32,6 +32,7 @@ import org.springframework.security.web.session.InvalidSessionStrategy
  * @author Eleftheria Stein
  * @since 5.3
  */
+@SecurityMarker
 class SessionManagementDsl {
     var invalidSessionUrl: String? = null
     var invalidSessionStrategy: InvalidSessionStrategy? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/X509Dsl.kt

@@ -44,6 +44,7 @@ import javax.servlet.http.HttpServletRequest
  * @property authenticationUserDetailsService the [AuthenticationUserDetailsService] to use
  * @property subjectPrincipalRegex the regex to extract the principal from the certificate
  */
+@SecurityMarker
 class X509Dsl {
     var x509AuthenticationFilter: X509AuthenticationFilter? = null
     var x509PrincipalExtractor: X509PrincipalExtractor? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/CacheControlDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure the [HttpSecurity] cache control headers using idiomatic
@@ -26,6 +27,7 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * @author Eleftheria Stein
  * @since 5.3
  */
+@SecurityMarker
 class CacheControlDsl {
     private var disabled = false
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/ContentSecurityPolicyDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure the [HttpSecurity] Content-Security-Policy header using
@@ -28,6 +29,7 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * @property policyDirectives the security policy directive(s) to be used in the response header.
  * @property reportOnly includes the Content-Security-Policy-Report-Only header in the response.
  */
+@SecurityMarker
 class ContentSecurityPolicyDsl {
     var policyDirectives: String? = null
     var reportOnly: Boolean? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/ContentTypeOptionsDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] X-Content-Type-Options header using idiomatic
@@ -26,6 +27,7 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * @author Eleftheria Stein
  * @since 5.3
  */
+@SecurityMarker
 class ContentTypeOptionsDsl {
     private var disabled = false
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/FrameOptionsDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure the [HttpSecurity] X-Frame-Options header using
@@ -29,6 +30,7 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * application.
  * @property deny deny framing any content from this application.
  */
+@SecurityMarker
 class FrameOptionsDsl {
     var sameOrigin: Boolean? = null
     var deny: Boolean? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/HttpPublicKeyPinningDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure the [HttpSecurity] HTTP Public Key Pinning header using
@@ -34,6 +35,7 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * the server.
  * @property reportUri the URI to which the browser should report pin validation failures.
  */
+@SecurityMarker
 class HttpPublicKeyPinningDsl {
     var pins: Map<String, String>? = null
     var maxAgeInSeconds: Long? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/HttpStrictTransportSecurityDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.web.util.matcher.RequestMatcher
 
 /**
@@ -34,6 +35,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher
  * @property includeSubDomains if true, subdomains should be considered HSTS Hosts too.
  * @property preload if true, preload will be included in HSTS Header.
  */
+@SecurityMarker
 class HttpStrictTransportSecurityDsl {
     var maxAgeInSeconds: Long? = null
     var requestMatcher: RequestMatcher? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/ReferrerPolicyDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter
 
 /**
@@ -28,6 +29,7 @@ import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWrite
  * @since 5.3
  * @property policy the policy to be used in the response header.
  */
+@SecurityMarker
 class ReferrerPolicyDsl {
     var policy: ReferrerPolicyHeaderWriter.ReferrerPolicy? = null
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/headers/XssProtectionConfigDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure the [HttpSecurity] XSS protection header using
@@ -29,6 +30,7 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
  * @property xssProtectionEnabled if true, the header value will contain a value of 1.
  * If false, will explicitly disable specify that X-XSS-Protection is disabled.
  */
+@SecurityMarker
 class XssProtectionConfigDsl {
     var block: Boolean? = null
     var xssProtectionEnabled: Boolean? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/client/AuthorizationCodeGrantDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.oauth2.client
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest
 import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository
@@ -34,6 +35,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequ
  * @property accessTokenResponseClient the client used for requesting the access token credential
  * from the Token Endpoint.
  */
+@SecurityMarker
 class AuthorizationCodeGrantDsl {
     var authorizationRequestResolver: OAuth2AuthorizationRequestResolver? = null
     var authorizationRequestRepository: AuthorizationRequestRepository<OAuth2AuthorizationRequest>? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/login/AuthorizationEndpointDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.oauth2.login
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest
@@ -32,6 +33,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequ
  * @property authorizationRequestResolver the resolver used for resolving [OAuth2AuthorizationRequest]'s.
  * @property authorizationRequestRepository the repository used for storing [OAuth2AuthorizationRequest]'s.
  */
+@SecurityMarker
 class AuthorizationEndpointDsl {
     var baseUri: String? = null
     var authorizationRequestResolver: OAuth2AuthorizationRequestResolver? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/login/RedirectionEndpointDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.oauth2.login
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 
 /**
  * A Kotlin DSL to configure the Authorization Server's Redirection Endpoint using
@@ -27,6 +28,7 @@ import org.springframework.security.config.annotation.web.configurers.oauth2.cli
  * @since 5.3
  * @property baseUri the URI where the authorization response will be processed.
  */
+@SecurityMarker
 class RedirectionEndpointDsl {
     var baseUri: String? = null
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/login/TokenEndpointDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.oauth2.login
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest
 
@@ -30,6 +31,7 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCo
  * @property accessTokenResponseClient the client used for requesting the access token credential
  * from the Token Endpoint.
  */
+@SecurityMarker
 class TokenEndpointDsl {
     var accessTokenResponseClient: OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>? = null
 

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/login/UserInfoEndpointDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.oauth2.login
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest
 import org.springframework.security.oauth2.client.registration.ClientRegistration
@@ -38,6 +39,7 @@ import org.springframework.security.oauth2.core.user.OAuth2User
  * End-User from the UserInfo Endpoint.
  * @property userAuthoritiesMapper the [GrantedAuthoritiesMapper] used for mapping [OAuth2User.getAuthorities]
  */
+@SecurityMarker
 class UserInfoEndpointDsl {
     var userService: OAuth2UserService<OAuth2UserRequest, OAuth2User>? = null
     var oidcUserService: OAuth2UserService<OidcUserRequest, OidcUser>? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/JwtDsl.kt

@@ -20,6 +20,7 @@ import org.springframework.core.convert.converter.Converter
 import org.springframework.security.authentication.AbstractAuthenticationToken
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.oauth2.jwt.Jwt
 import org.springframework.security.oauth2.jwt.JwtDecoder
 
@@ -34,6 +35,7 @@ import org.springframework.security.oauth2.jwt.JwtDecoder
  * @property jwkSetUri configures a [JwtDecoder] using a
  * <a target="_blank" href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a> URL
  */
+@SecurityMarker
 class JwtDsl {
     private var _jwtDecoder: JwtDecoder? = null
     private var _jwkSetUri: String? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.oauth2.resourceserver
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector
 
 /**
@@ -28,6 +29,7 @@ import org.springframework.security.oauth2.server.resource.introspection.OpaqueT
  * @property introspectionUri the URI of the Introspection endpoint.
  * @property introspector the [OpaqueTokenIntrospector] to use.
  */
+@SecurityMarker
 class OpaqueTokenDsl {
     private var _introspectionUri: String? = null
     private var _introspector: OpaqueTokenIntrospector? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/session/SessionConcurrencyDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.session
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import org.springframework.security.core.session.SessionRegistry
 import org.springframework.security.web.session.SessionInformationExpiredStrategy
 
@@ -36,8 +37,8 @@ import org.springframework.security.web.session.SessionInformationExpiredStrateg
  * [maximumSessions] has been reached. Otherwise (default), the user who authenticates
  * is allowed access and an existing user's session is expired.
  * @property sessionRegistry the [SessionRegistry] implementation used.
- *
  */
+@SecurityMarker
 class SessionConcurrencyDsl {
     var maximumSessions: Int? = null
     var expiredUrl: String? = null

config/src/main/kotlin/org/springframework/security/config/web/servlet/session/SessionFixationDsl.kt

@@ -18,6 +18,7 @@ package org.springframework.security.config.web.servlet.session
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer
+import org.springframework.security.config.web.servlet.SecurityMarker
 import javax.servlet.http.HttpServletRequest
 import javax.servlet.http.HttpSession
 
@@ -28,6 +29,7 @@ import javax.servlet.http.HttpSession
  * @author Eleftheria Stein
  * @since 5.3
  */
+@SecurityMarker
 class SessionFixationDsl {
     private var strategy: SessionFixationStrategy? = null