From 8247d1812222f76ca9ec4ed8290341169a93896d Mon Sep 17 00:00:00 2001
From: Robert Winch <362503+rwinch@users.noreply.github.com>
Date: Wed, 21 Jan 2026 17:39:38 -0600
Subject: [PATCH] Null safety via JSpecify spring-security-kerberos-web
Closes gh-18550
---
 .../spring-security-kerberos-web.gradle | 1 +
 .../SpnegoAuthenticationProcessingFilter.java | 10 +++++++---
 .../web/authentication/SpnegoEntryPoint.java | 14 +++++++------
 .../web/authentication/package-info.java | 20 +++++++++++++++++++
 4 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100644 kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/package-info.java
diff --git a/kerberos/kerberos-web/spring-security-kerberos-web.gradle b/kerberos/kerberos-web/spring-security-kerberos-web.gradle
index ecd6abf2ab..2bd605253b 100644
--- a/kerberos/kerberos-web/spring-security-kerberos-web.gradle
+++ b/kerberos/kerberos-web/spring-security-kerberos-web.gradle
@@ -1,4 +1,5 @@
 plugins {
+ id 'security-nullability'
 id 'io.spring.convention.spring-module'
 id 'javadoc-warnings-error'
 }
diff --git a/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java b/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java
index 0af6098fe3..d9328f06c6 100644
--- a/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java
+++ b/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoAuthenticationProcessingFilter.java
@@ -23,6 +23,7 @@ import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.Nullable;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
@@ -124,11 +125,11 @@ public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {
 private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();
- private AuthenticationManager authenticationManager;
+ private @Nullable AuthenticationManager authenticationManager;
- private AuthenticationSuccessHandler successHandler;
+ private @Nullable AuthenticationSuccessHandler successHandler;
- private AuthenticationFailureHandler failureHandler;
+ private @Nullable AuthenticationFailureHandler failureHandler;
 private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
@@ -172,6 +173,9 @@ public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {
 authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
 Authentication authentication;
 try {
+ if (this.authenticationManager == null) {
+ throw new IllegalStateException("authenticationManager must be set");
+ }
 authentication = this.authenticationManager.authenticate(authenticationRequest);
 }
 catch (AuthenticationException ex) {
diff --git a/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoEntryPoint.java b/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoEntryPoint.java
index 526a561199..700ba7462e 100644
--- a/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoEntryPoint.java
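Review bot: In SpnegoAuthenticationProcessingFilter.java, the new `authenticationManager == null` guard sits inside the `try` of the `@@ -172,6 +173,9 @@` hunk, although the only handler visible there is `catch (AuthenticationException ex)`, so the `IllegalStateException` never takes the authentication-failure path. Placing the guard above `try {` keeps the fail-closed behaviour and makes it obvious that a missing manager is a configuration error rather than a rejected credential. Because the field is now `@Nullable`, such a misconfiguration is only detected when a request reaches this code; if the filter validates its properties at initialisation (not visible in this hunk), a comment such as `// configuration error, not an authentication failure` on the guard would record why it exists. The enclosing method starts and ends outside the hunk.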
+++ b/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/SpnegoEntryPoint.java
@@ -25,6 +25,7 @@ import jakarta.servlet.http.HttpServletRequestWrapper;
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.core.AuthenticationException;
@@ -64,9 +65,9 @@ public class SpnegoEntryPoint implements AuthenticationEntryPoint {
 private static final Log LOG = LogFactory.getLog(SpnegoEntryPoint.class);
- private final String forwardUrl;
+ private final @Nullable String forwardUrl;
- private final HttpMethod forwardMethod;
+ private final @Nullable HttpMethod forwardMethod;
 private final boolean forward;
@@ -87,7 +88,7 @@ public class SpnegoEntryPoint implements AuthenticationEntryPoint {
 * @param forwardUrl URL where the login page can be found. Should be relative to the
 * web-app context path (include a leading {@code /}) and can't be absolute URL.
 */
- public SpnegoEntryPoint(String forwardUrl) {
+ public SpnegoEntryPoint(@Nullable String forwardUrl) {
 this(forwardUrl, null);
 }
@@ -99,7 +100,7 @@ public class SpnegoEntryPoint implements AuthenticationEntryPoint {
 * web-app context path (include a leading {@code /}) and can't be absolute URL.
 * @param forwardMethod HTTP method to use when accessing the forward URL
 */
- public SpnegoEntryPoint(String forwardUrl, HttpMethod forwardMethod) {
+ public SpnegoEntryPoint(@Nullable String forwardUrl, @Nullable HttpMethod forwardMethod) {
 if (StringUtils.hasText(forwardUrl)) {
 Assert.isTrue(UrlUtils.isValidRedirectUrl(forwardUrl), "Forward url specified must be a valid forward URL");
 Assert.isTrue(!UrlUtils.isAbsoluteUrl(forwardUrl), "Forward url specified must not be absolute");
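Review bot: The Javadoc for `forwardUrl` in the `@@ -87,7 +88,7 @@` hunk still describes it only as the login page URL, although the parameter is now `@Nullable`; the same gap applies to `forwardUrl` and `forwardMethod` in the `@@ -99,7 +100,7 @@` hunk. A caller reading the contract cannot tell what passing `null` does, and the visible `StringUtils.hasText(forwardUrl)` guard means a null or blank value also skips the two redirect-URL assertions. I would extend the tag, for example `@param forwardUrl URL where the login page can be found, or {@code null} to not forward`, assuming that is what a null value means, since the rest of the constructor lies outside the hunk.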
@@ -126,10 +127,11 @@ public class SpnegoEntryPoint implements AuthenticationEntryPoint {
 if (this.forward) {
 RequestDispatcher dispatcher = request.getRequestDispatcher(this.forwardUrl);
- HttpServletRequest fwdRequest = (this.forwardMethod != null) ? new HttpServletRequestWrapper(request) {
+ HttpMethod method = this.forwardMethod;
+ HttpServletRequest fwdRequest = (method != null) ? new HttpServletRequestWrapper(request) {
 @Override
 public String getMethod() {
- return SpnegoEntryPoint.this.forwardMethod.name();
+ return method.name();
 }
 } : request;
 dispatcher.forward(fwdRequest, response);
diff --git a/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/package-info.java b/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/package-info.java
new file mode 100644
index 0000000000..4801b2fd89
--- /dev/null
+++ b/kerberos/kerberos-web/src/main/java/org/springframework/security/kerberos/web/authentication/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+@NullMarked
+package org.springframework.security.kerberos.web.authentication;
+
+import org.jspecify.annotations.NullMarked;
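Review bot: In the `@@ -126,10 +127,11 @@` hunk of SpnegoEntryPoint.java, `request.getRequestDispatcher(this.forwardUrl)` still passes the now-`@Nullable` field directly, guarded only by the separate `forward` flag, while `forwardMethod` gets a local copy and an explicit null test. The link between `forward` and a non-null `forwardUrl` is presumably established in the constructor, outside this hunk, so nothing at the use site enforces it. Stating the invariant here would match the rest of the change, for example `Assert.state(this.forwardUrl != null, "forwardUrl must be set when forward is enabled");` before the dispatcher lookup. The result of `getRequestDispatcher` is also dereferenced without a check, although the Servlet API allows it to return `null`. The enclosing method starts and ends outside the hunk.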