Remove BeanResolver Null Checks #19209

Open
snowykte0426 wants to merge 1 commit into spring-projects:7.0.x from snowykte0426:gh-17816

Conversation

@snowykte0426
Contributor

Resolves gh-17816.

Spring Framework updated StandardEvaluationContext.setBeanResolver
to accept a @Nullable BeanResolver
(spring-projects/spring-framework#35371, included in 6.2.11 and 7.0.x).

Since Spring Security now depends on Spring Framework 7.0.7,
the temporary NullAway workarounds around setBeanResolver
can be removed.

Changes

Removed temporary workarounds from the following locations.

Removed @SuppressWarnings("NullAway")

  • DefaultHttpSecurityExpressionHandler
  • reactive CurrentSecurityContextArgumentResolver
  • reactive AuthenticationPrincipalArgumentResolver

Removed unnecessary null guards

  • servlet AuthenticationPrincipalArgumentResolver
  • servlet CurrentSecurityContextArgumentResolver
  • messaging reactive CurrentSecurityContextArgumentResolver
  • DefaultMessageSecurityExpressionHandler

Also removed obsolete comments referencing
spring-projects/spring-framework#35371 and cleaned up
unused imports/local variables where applicable.

Behavior

No behavior change.

StandardEvaluationContext.beanResolver defaults to null,
so calling setBeanResolver(null) is equivalent to not invoking
the setter.

Verification

  • ./gradlew :spring-security-web:compileJava :spring-security-messaging:compileJava
  • ./gradlew :spring-security-web:test --tests "*AuthenticationPrincipalArgumentResolver*" --tests "*CurrentSecurityContextArgumentResolver*" --tests "*DefaultHttpSecurityExpressionHandler*"
  • ./gradlew :spring-security-messaging:test --tests "*CurrentSecurityContextArgumentResolver*" --tests "*DefaultMessageSecurityExpressionHandler*"
  • grep -rn "35371" --include="*.java"

StandardEvaluationContext.setBeanResolver now accepts a nullable
BeanResolver, so the workarounds added for the original limitation
are no longer needed. This removes the explicit null guards (and
equivalent Optional.ofNullable idiom) as well as the
@SuppressWarnings("NullAway") annotations introduced to silence
the false positives.

In addition to the seven sites that explicitly referenced
spring-projects/spring-framework#35371, two sites in
spring-security-core followed the same workaround pattern without
the comment marker (AbstractSecurityExpressionHandler and
DefaultMethodSecurityExpressionHandler) and have also been
simplified.

Closes spring-projectsgh-17816

Signed-off-by: Kim Tae Eun <snowykte0426@naver.com>
@snowykte0426
Contributor Author

snowykte0426 commented May 24, 2026

A few choices I made that I'd like to confirm before this is merged:

  1. Scope creep into spring-security-core. The issue body refers to "comments linking to StandardEvaluationContext.setBeanResolver should allow @Nullable BeanResolver spring-framework#35371", which strictly matches seven sites in web/ and messaging/. While verifying I noticed two more sites that implement the same workaround without the marker comment:

    • AbstractSecurityExpressionHandler#createEvaluationContext (line ~81) — same if (this.beanResolver != null) pattern.
    • DefaultMethodSecurityExpressionHandler#createEvaluationContext (line ~98) — Optional.ofNullable(getBeanResolver()).ifPresent(ctx::setBeanResolver); (same workaround, different idiom).

    I folded them into this PR since the issue title says "Remove null checks to work around setBeanResolver(BeanResolver)" and these are clearly the same workaround. Happy to split them out if you'd prefer to keep this PR strictly to the seven commented sites.

  2. @SuppressWarnings("NullAway") on DefaultMethodSecurityExpressionHandler#createEvaluationContext. The suppression there is annotated // FIXME: Dataflow analysis limitation, which reads like a separate concern from #35371, so I left it in place even though the Optional workaround it covered is now gone. Let me know if you'd like it removed too.

Labels

status: waiting-for-triage An issue we've not yet triaged

Development

Successfully merging this pull request may close these issues.

Remove null checks to work around setBeanResolver(BeanResolver)