spring-projects · 023-dev · Jan 26, 2026
diff --git a/buildSrc/src/main/groovy/compile-warnings-error.gradle b/buildSrc/src/main/groovy/compile-warnings-error.gradle
@@ -1,10 +1,6 @@
 import org.gradle.api.tasks.compile.JavaCompile
-import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 
 tasks.withType(JavaCompile) {
     options.compilerArgs += "-Werror"
 }
 
-tasks.withType(KotlinCompile) {
-    kotlinOptions.allWarningsAsErrors = true
-}
diff --git a/config/spring-security-config.gradle b/config/spring-security-config.gradle
@@ -5,6 +5,7 @@ apply plugin: 'io.spring.convention.spring-module'
 apply plugin: 'trang'
 apply plugin: 'security-kotlin'
 apply plugin: 'test-compile-target-jdk25'
+apply plugin: 'compile-warnings-error'
 apply plugin:  'javadoc-warnings-error'
 
 configurations {

diff --git a/...fig/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/...fig/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@@ -521,8 +521,10 @@ public OpaqueTokenConfigurer authenticationManager(AuthenticationManager authent
 		public OpaqueTokenConfigurer introspectionUri(String introspectionUri) {
 			Assert.notNull(introspectionUri, "introspectionUri cannot be null");
 			this.introspectionUri = introspectionUri;
-			this.introspector = () -> new SpringOpaqueTokenIntrospector(this.introspectionUri, this.clientId,
-					this.clientSecret);
+			this.introspector = () -> SpringOpaqueTokenIntrospector.withIntrospectionUri(this.introspectionUri)
+				.clientId(this.clientId)
+				.clientSecret(this.clientSecret)
+				.build();
 			return this;
 		}
 
@@ -531,8 +533,10 @@ public OpaqueTokenConfigurer introspectionClientCredentials(String clientId, Str
 			Assert.notNull(clientSecret, "clientSecret cannot be null");
 			this.clientId = clientId;
 			this.clientSecret = clientSecret;
-			this.introspector = () -> new SpringOpaqueTokenIntrospector(this.introspectionUri, this.clientId,
-					this.clientSecret);
+			this.introspector = () -> SpringOpaqueTokenIntrospector.withIntrospectionUri(this.introspectionUri)
+				.clientId(this.clientId)
+				.clientSecret(this.clientSecret)
+				.build();
 			return this;
 		}
 

diff --git a/...ain/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt b/...ain/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
@@ -286,7 +286,7 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
         if (factoryOfRequestAuthorizationContext != null) {
             return factoryOfRequestAuthorizationContext
         }
-        val factoryOfObjectType = ResolvableType.forClassWithGenerics(AuthorizationManagerFactory::class.java, Object::class.java)
+        val factoryOfObjectType = ResolvableType.forClassWithGenerics(AuthorizationManagerFactory::class.java, Any::class.java)
         val factoryOfAny = context.getBeanProvider<AuthorizationManagerFactory<Any>>(factoryOfObjectType).getIfUnique()
         if (factoryOfAny != null) {
             return factoryOfAny
@@ -303,20 +303,20 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl {
         return defaultFactory
     }
 
-    private fun resolveRolePrefix(context: ApplicationContext): String {
+    private fun resolveRolePrefix(context: ApplicationContext): String? {
         val beanNames = context.getBeanNamesForType(GrantedAuthorityDefaults::class.java)
         if (beanNames.isNotEmpty()) {
             return context.getBean(GrantedAuthorityDefaults::class.java).rolePrefix
         }
-        return "ROLE_";
+        return null
     }
 
-    private fun resolveRoleHierarchy(context: ApplicationContext): RoleHierarchy {
+    private fun resolveRoleHierarchy(context: ApplicationContext): RoleHierarchy? {
         val beanNames = context.getBeanNamesForType(RoleHierarchy::class.java)
         if (beanNames.isNotEmpty()) {
             return context.getBean(RoleHierarchy::class.java)
         }
-        return NullRoleHierarchy()
+        return null
     }
 
 }
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt
@@ -31,6 +31,7 @@ import org.springframework.security.web.header.writers.frameoptions.XFrameOption
  * @property defaultsDisabled whether all of the default headers should be included in the response
  */
 @SecurityMarker
+@Suppress("DEPRECATION")
 class HeadersDsl {
     private var contentTypeOptions: ((HeadersConfigurer<HttpSecurity>.ContentTypeOptionsConfig) -> Unit)? = null
     private var xssProtection: ((HeadersConfigurer<HttpSecurity>.XXssConfig) -> Unit)? = null

diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt
@@ -614,6 +614,7 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
      * @see [RequiresChannelDsl]
      * @deprecated please use [redirectToHttps] instead
      */
+    @Suppress("DEPRECATION")
     @Deprecated(message="since 6.5 use redirectToHttps instead")
     fun requiresChannel(requiresChannelConfiguration: RequiresChannelDsl.() -> Unit) {
         val requiresChannelCustomizer = RequiresChannelDsl().apply(requiresChannelConfiguration).get()

diff --git a/.../src/main/kotlin/org/springframework/security/config/annotation/web/RequiresChannelDsl.kt b/.../src/main/kotlin/org/springframework/security/config/annotation/web/RequiresChannelDsl.kt
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+@file:Suppress("DEPRECATION")
+
 package org.springframework.security.config.annotation.web
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity

diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/X509Dsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/X509Dsl.kt
@@ -62,6 +62,7 @@ class X509Dsl {
             authenticationDetailsSource?.also { x509.authenticationDetailsSource(authenticationDetailsSource) }
             userDetailsService?.also { x509.userDetailsService(userDetailsService) }
             authenticationUserDetailsService?.also { x509.authenticationUserDetailsService(authenticationUserDetailsService) }
+            @Suppress("DEPRECATION")
             subjectPrincipalRegex?.also { x509.subjectPrincipalRegex(subjectPrincipalRegex) }
         }
     }

diff --git a/...lin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt b/...lin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+@file:Suppress("DEPRECATION")
+
 package org.springframework.security.config.annotation.web.headers
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity

diff --git a/...n/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDsl.kt b/...n/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDsl.kt
@@ -68,12 +68,11 @@ class SessionFixationDsl {
     internal fun get(): (SessionManagementConfigurer<HttpSecurity>.SessionFixationConfigurer) -> Unit {
         return { sessionFixation ->
             strategy?.also {
-                when (strategy) {
+                when (it) {
                     SessionFixationStrategy.NEW -> sessionFixation.newSession()
                     SessionFixationStrategy.MIGRATE -> sessionFixation.migrateSession()
                     SessionFixationStrategy.CHANGE_ID -> sessionFixation.changeSessionId()
                     SessionFixationStrategy.NONE -> sessionFixation.none()
-                    null -> null
                 }
             }
         }