Start building against Spring Security 7.1.0-RC1 snapshots

Author: wilkinsona

module/spring-boot-security-oauth2-client/src/test/java/org/springframework/boot/security/oauth2/client/autoconfigure/OAuth2ClientPropertiesMapperTests.java

@@ -315,7 +315,7 @@ private void testIssuerConfiguration(OAuth2ClientProperties.Registration registr
 		assertThat(adapted.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(adapted.getRegistrationId()).isEqualTo("okta");
 		assertThat(adapted.getClientName()).isEqualTo(issuer);
-		assertThat(adapted.getScopes()).isNull();
+		assertThat(adapted.getScopes()).isEmpty();
 		assertThat(providerDetails.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
 		assertThat(providerDetails.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
 		assertThat(providerDetails.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");

module/spring-boot-security-oauth2-client/src/test/java/org/springframework/boot/security/oauth2/client/autoconfigure/servlet/OAuth2ClientWebSecurityAutoConfigurationTests.java

@@ -20,6 +20,7 @@
 import java.util.List;
 
 import jakarta.servlet.Filter;
+import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
@@ -165,7 +166,9 @@ private FilterChainProxy getFilterChainProxy(Filter filter) {
 		throw new IllegalStateException("No FilterChainProxy found");
 	}
 
-	private boolean isEqual(ClientRegistration reg1, ClientRegistration reg2) {
+	private boolean isEqual(@Nullable ClientRegistration reg1, @Nullable ClientRegistration reg2) {
+		assertThat(reg1).isNotNull();
+		assertThat(reg2).isNotNull();
 		boolean result = ObjectUtils.nullSafeEquals(reg1.getClientId(), reg2.getClientId());
 		result = result && ObjectUtils.nullSafeEquals(reg1.getClientName(), reg2.getClientName());
 		result = result && ObjectUtils.nullSafeEquals(reg1.getClientSecret(), reg2.getClientSecret());

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/OpaqueTokenIntrospectionConfiguration.java

@@ -45,11 +45,16 @@ SpringOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProper
 		Assert.state(token.getClientSecret() != null,
 				"No 'spring.security.oauth2.resourceserver.opaquetoken.client-secret' property specified");
 		SpringOpaqueTokenIntrospector.Builder builder = SpringOpaqueTokenIntrospector
-			.withIntrospectionUri(token.getIntrospectionUri())
+			.withIntrospectionUri(introspectionUri(token))
 			.clientId(token.getClientId())
 			.clientSecret(token.getClientSecret());
 		customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 		return builder.build();
 	}
 
+	@SuppressWarnings("NullAway") // never null due to @ConditionalOnProperty
+	private String introspectionUri(OAuth2ResourceServerProperties.Opaquetoken token) {
+		return token.getIntrospectionUri();
+	}
+
 }

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOpaqueTokenIntrospectionClientConfiguration.java

@@ -46,11 +46,16 @@ SpringReactiveOpaqueTokenIntrospector reactiveOpaqueTokenIntrospector(OAuth2Reso
 		Assert.state(token.getClientSecret() != null,
 				"No 'spring.security.oauth2.resourceserver.opaquetoken.client-secret' property specified");
 		SpringReactiveOpaqueTokenIntrospector.Builder builder = SpringReactiveOpaqueTokenIntrospector
-			.withIntrospectionUri(token.getIntrospectionUri())
+			.withIntrospectionUri(introspectionUri(token))
 			.clientId(token.getClientId())
 			.clientSecret(token.getClientSecret());
 		customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 		return builder.build();
 	}
 
+	@SuppressWarnings("NullAway") // never null due to @ConditionalOnProperty
+	private String introspectionUri(OAuth2ResourceServerProperties.Opaquetoken token) {
+		return token.getIntrospectionUri();
+	}
+
 }

platform/spring-boot-dependencies/build.gradle

@@ -2701,7 +2701,7 @@ bom {
 			releaseNotes("https://github.com/spring-projects/spring-restdocs/releases/tag/v{version}")
 		}
 	}
-	library("Spring Security", "7.1.0-M3") {
+	library("Spring Security", "7.1.0-SNAPSHOT") {
 		considerSnapshots()
 		group("org.springframework.security") {
 			bom("spring-security-bom")

smoke-test/spring-boot-smoke-test-grpc-server-oauth/src/test/java/smoketest/grpcserveroauth/SampleGrpcServerOAuthApplicationTests.java

@@ -58,6 +58,7 @@
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder;
 import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.util.Assert;
 import org.springframework.util.function.SingletonSupplier;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -146,6 +147,7 @@ <B extends ManagedChannelBuilder<B>> GrpcChannelBuilderCustomizer<B> channelSecu
 		private String token(ClientRegistrationRepository clientRegistrationRepository) {
 			RestClientClientCredentialsTokenResponseClient client = new RestClientClientCredentialsTokenResponseClient();
 			ClientRegistration registration = clientRegistrationRepository.findByRegistrationId("spring");
+			Assert.notNull(registration, "Registration 'spring' not found");
 			OAuth2ClientCredentialsGrantRequest request = new OAuth2ClientCredentialsGrantRequest(registration);
 			return client.getTokenResponse(request).getAccessToken().getTokenValue();
 		}

smoke-test/spring-boot-smoke-test-oauth2-authorization-server/src/test/java/smoketest/oauth2/server/SampleOAuth2AuthorizationServerApplicationTests.java

@@ -64,7 +64,9 @@ void openidConfigurationShouldAllowAccess() {
 		ResponseEntity<Map<String, Object>> entity = this.restTemplate.exchange("/.well-known/openid-configuration",
 				HttpMethod.GET, null, MAP_TYPE_REFERENCE);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
-		OidcProviderConfiguration config = OidcProviderConfiguration.withClaims(entity.getBody()).build();
+		Map<String, Object> body = entity.getBody();
+		assertThat(body).isNotNull();
+		OidcProviderConfiguration config = OidcProviderConfiguration.withClaims(body).build();
 		assertThat(config.getIssuer()).hasToString("https://provider.com");
 		assertThat(config.getAuthorizationEndpoint()).hasToString("https://provider.com/authorize");
 		assertThat(config.getTokenEndpoint()).hasToString("https://provider.com/token");
@@ -83,8 +85,9 @@ void authServerMetadataShouldAllowAccess() {
 		ResponseEntity<Map<String, Object>> entity = this.restTemplate
 			.exchange("/.well-known/oauth-authorization-server", HttpMethod.GET, null, MAP_TYPE_REFERENCE);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
-		OAuth2AuthorizationServerMetadata config = OAuth2AuthorizationServerMetadata.withClaims(entity.getBody())
-			.build();
+		Map<String, Object> body = entity.getBody();
+		assertThat(body).isNotNull();
+		OAuth2AuthorizationServerMetadata config = OAuth2AuthorizationServerMetadata.withClaims(body).build();
 		assertThat(config.getIssuer()).hasToString("https://provider.com");
 		assertThat(config.getAuthorizationEndpoint()).hasToString("https://provider.com/authorize");
 		assertThat(config.getTokenEndpoint()).hasToString("https://provider.com/token");