Spring Security should adopt JSpecify for Null safety as is done in Spring Framework
Related spring-projects/spring-framework#28797
Notes on Changes
Prior to this work, passwords were sometimes treated as never null, but the reality is that they could be null (when clearCredentials was invoked). This inconsistency was also present in APIs (e.g. PasswordEncoder) that produced and consumed passwords. The semantic meaning of a null password is now clearly defined as no password for the user.
NOTE: This is done in the parent issue vs each module because things like nullability of passwords impacts more than just the core project where the API is defined.
Spring Security should adopt JSpecify for Null safety as is done in Spring Framework
Related spring-projects/spring-framework#28797
Notes on Changes
Prior to this work, passwords were sometimes treated as never null, but the reality is that they could be null (when clearCredentials was invoked). This inconsistency was also present in APIs (e.g. PasswordEncoder) that produced and consumed passwords. The semantic meaning of a null password is now clearly defined as no password for the user.
NOTE: This is done in the parent issue vs each module because things like nullability of passwords impacts more than just the core project where the API is defined.