Fix nullability for JDK 25

Closes gh-18511

core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationMethodInterceptor.java

@@ -147,7 +147,7 @@ public final class PreFilterAuthorizationMethodInterceptor implements Authorizat
 					+ "' found in method.");
 		}
 		else {
-			Object[] arguments = methodInvocation.getArguments();
+			@Nullable Object[] arguments = methodInvocation.getArguments();
 			Assert.state(arguments.length == 1,
 					"Unable to determine the method argument for filtering. Specify the filter target.");
 			filterTarget = arguments[0];

core/src/main/java/org/springframework/security/authorization/method/PreFilterAuthorizationReactiveMethodInterceptor.java

@@ -136,9 +136,9 @@ public final class PreFilterAuthorizationReactiveMethodInterceptor implements Au
 			Object target = mi.getThis();
 			Class<?> targetClass = (target != null) ? AopUtils.getTargetClass(target) : null;
 			Method specificMethod = AopUtils.getMostSpecificMethod(mi.getMethod(), targetClass);
-			String[] parameterNames = this.parameterNameDiscoverer.getParameterNames(specificMethod);
+			@Nullable String @Nullable [] parameterNames = this.parameterNameDiscoverer.getParameterNames(specificMethod);
 			if (parameterNames != null && parameterNames.length > 0) {
-				Object[] arguments = mi.getArguments();
+				@Nullable Object[] arguments = mi.getArguments();
 				for (index = 0; index < parameterNames.length; index++) {
 					if (name.equals(parameterNames[index])) {
 						value = arguments[index];
@@ -150,7 +150,7 @@ public final class PreFilterAuthorizationReactiveMethodInterceptor implements Au
 			}
 		}
 		else {
-			Object[] arguments = mi.getArguments();
+			@Nullable Object[] arguments = mi.getArguments();
 			Assert.state(arguments.length == 1,
 					"Unable to determine the method argument for filtering. Specify the filter target.");
 			value = arguments[0];

core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java

@@ -20,6 +20,8 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.Collection;
 import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
 
 import javax.sql.DataSource;
 
@@ -356,13 +358,23 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl
 
 	@Override
 	public List<String> findAllGroups() {
-		return requireJdbcTemplate().queryForList(this.findAllGroupsSql, String.class);
+		// @formatter:off
+		return requireJdbcTemplate().queryForList(this.findAllGroupsSql, String.class)
+			.stream()
+			.filter(Objects::nonNull)
+			.collect(Collectors.toList());
+		// @formatter:on
 	}
 
 	@Override
 	public List<String> findUsersInGroup(String groupName) {
 		Assert.hasText(groupName, "groupName should have text");
-		return requireJdbcTemplate().queryForList(this.findUsersInGroupSql, String.class, groupName);
+		// @formatter:off
+		return requireJdbcTemplate().queryForList(this.findUsersInGroupSql, String.class, groupName)
+			.stream()
+			.filter(Objects::nonNull)
+			.collect(Collectors.toList());
+		// @formatter:on
 	}
 
 	@Override

data/src/main/java/org/springframework/security/data/aot/hint/AuthorizeReturnObjectDataHintsRegistrar.java

@@ -22,6 +22,8 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aot.hint.RuntimeHints;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.core.ResolvableType;
@@ -33,6 +35,7 @@ import org.springframework.security.authorization.AuthorizationProxyFactory;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.core.annotation.SecurityAnnotationScanners;
+import org.springframework.util.Assert;
 
 /**
  * A {@link SecurityHintsRegistrar} that scans all beans for implementations of
@@ -82,14 +85,15 @@ public final class AuthorizeReturnObjectDataHintsRegistrar implements SecurityHi
 			if (!RepositoryFactoryBeanSupport.class.isAssignableFrom(type.toClass())) {
 				continue;
 			}
-			Class<?>[] generics = type.resolveGenerics();
-			Class<?> entity = generics[1];
+			@Nullable Class<?>[] generics = type.resolveGenerics();
+			@Nullable Class<?> entity = generics[1];
 			AuthorizeReturnObject authorize = beanFactory.findAnnotationOnBean(name, AuthorizeReturnObject.class);
 			if (authorize != null) {
 				toProxy.add(entity);
 				continue;
 			}
-			Class<?> repository = generics[0];
+			@Nullable Class<?> repository = generics[0];
+			Assert.state(repository != null, "Repository resolved from " + type + " cannot be null");
 			for (Method method : repository.getDeclaredMethods()) {
 				AuthorizeReturnObject returnObject = this.scanner.scan(method, repository);
 				if (returnObject == null) {