Correct @NonNull and @Nullable package name

config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringMethodInterceptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,10 +20,10 @@
 
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInvocation;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 
 import org.springframework.aop.Pointcut;
+import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.util.function.SingletonSupplier;
 
@@ -40,7 +40,7 @@ final class DeferringMethodInterceptor<M extends AuthorizationAdvisor> implement
 
 	@Nullable
 	@Override
-	public Object invoke(@NotNull MethodInvocation invocation) throws Throwable {
+	public Object invoke(@NonNull MethodInvocation invocation) throws Throwable {
 		return this.delegate.get().invoke(invocation);
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityAdvisorRegistrar.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,8 +19,6 @@
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
 
 import org.springframework.aop.Advisor;
 import org.springframework.aop.Pointcut;
@@ -33,6 +31,8 @@
 import org.springframework.context.annotation.ImportBeanDefinitionRegistrar;
 import org.springframework.core.Ordered;
 import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 
 class MethodSecurityAdvisorRegistrar implements ImportBeanDefinitionRegistrar {
@@ -100,7 +100,7 @@ public int getOrder() {
 
 		@Nullable
 		@Override
-		public Object invoke(@NotNull MethodInvocation invocation) throws Throwable {
+		public Object invoke(@NonNull MethodInvocation invocation) throws Throwable {
 			return this.advisor.invoke(invocation);
 		}
 

config/src/main/java/org/springframework/security/config/web/PathPatternRequestMatcherBuilderFactoryBean.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.config.web;
 
-import reactor.util.annotation.NonNull;
-
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.BeanFactoryAware;
@@ -27,6 +25,7 @@
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
+import org.springframework.lang.NonNull;
 import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.web.util.pattern.PathPatternParser;

config/src/main/java/org/springframework/security/config/web/server/OAuth2ErrorEncoder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,7 +21,6 @@
 import java.util.List;
 import java.util.Map;
 
-import org.jetbrains.annotations.NotNull;
 import org.reactivestreams.Publisher;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
@@ -34,14 +33,15 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.HttpMessageEncoder;
 import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.lang.NonNull;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.util.MimeType;
 
 class OAuth2ErrorEncoder implements HttpMessageEncoder<OAuth2Error> {
 
 	private final HttpMessageConverter<Object> messageConverter = HttpMessageConverters.getJsonMessageConverter();
 
-	@NotNull
+	@NonNull
 	@Override
 	public List<MediaType> getStreamingMediaTypes() {
 		return List.of();
@@ -52,7 +52,7 @@ public boolean canEncode(ResolvableType elementType, MimeType mimeType) {
 		return getEncodableMimeTypes().contains(mimeType);
 	}
 
-	@NotNull
+	@NonNull
 	@Override
 	public Flux<DataBuffer> encode(Publisher<? extends OAuth2Error> error, DataBufferFactory bufferFactory,
 			ResolvableType elementType, MimeType mimeType, Map<String, Object> hints) {
@@ -68,7 +68,7 @@ public Flux<DataBuffer> encode(Publisher<? extends OAuth2Error> error, DataBuffe
 		}).map(bufferFactory::wrap).flux();
 	}
 
-	@NotNull
+	@NonNull
 	@Override
 	public List<MimeType> getEncodableMimeTypes() {
 		return List.of(MediaType.APPLICATION_JSON);
@@ -78,13 +78,13 @@ private static class ByteArrayHttpOutputMessage implements HttpOutputMessage {
 
 		private final ByteArrayOutputStream body = new ByteArrayOutputStream();
 
-		@NotNull
+		@NonNull
 		@Override
 		public ByteArrayOutputStream getBody() {
 			return this.body;
 		}
 
-		@NotNull
+		@NonNull
 		@Override
 		public HttpHeaders getHeaders() {
 			return new HttpHeaders();

config/src/test/java/org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,14 +18,14 @@
 
 import java.util.Collections;
 
-import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import reactor.core.publisher.Mono;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpStatus;
+import org.springframework.lang.NonNull;
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 import org.springframework.mock.web.server.MockServerWebExchange;
 import org.springframework.security.config.test.SpringTestContext;
@@ -109,7 +109,7 @@ public void loadConfigWhenBeanProxyingEnabledAndSubclassThenWebFilterChainProxyE
 		assertThat(webFilterChainProxy).isNotNull();
 	}
 
-	private static @NotNull DefaultWebFilterChain emptyChain() {
+	private static @NonNull DefaultWebFilterChain emptyChain() {
 		return new DefaultWebFilterChain((webExchange) -> Mono.empty(), Collections.emptyList());
 	}
 

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -45,7 +45,6 @@
 import jakarta.servlet.http.HttpServletResponseWrapper;
 import org.apache.http.HttpStatus;
 import org.assertj.core.api.iterable.Extractor;
-import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.stubbing.Answer;
@@ -55,6 +54,7 @@
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
+import org.springframework.lang.NonNull;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
@@ -908,17 +908,17 @@ private List<Filter> getFilters(String url) {
 		return proxy.getFilters(url);
 	}
 
-	@NotNull
+	@NonNull
 	private static RequestPostProcessor userCredentials() {
 		return httpBasic("user", "password");
 	}
 
-	@NotNull
+	@NonNull
 	private static RequestPostProcessor adminCredentials() {
 		return httpBasic("admin", "password");
 	}
 
-	@NotNull
+	@NonNull
 	private static RequestPostProcessor postCredentials() {
 		return httpBasic("poster", "password");
 	}

config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java

@@ -24,12 +24,12 @@
 
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
-import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.annotation.AnnotationConfigurationException;
+import org.springframework.lang.NonNull;
 import org.springframework.lang.Nullable;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.PermissionEvaluator;
@@ -474,7 +474,7 @@ static class MyAdvice implements MethodInterceptor {
 
 		@Nullable
 		@Override
-		public Object invoke(@NotNull MethodInvocation invocation) {
+		public Object invoke(@NonNull MethodInvocation invocation) {
 			Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 			if ("bob".equals(auth.getName())) {
 				return "granted";

core/src/main/java/org/springframework/security/authentication/AuthenticationObservationConvention.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,7 +21,6 @@
 import io.micrometer.common.KeyValues;
 import io.micrometer.observation.Observation;
 import io.micrometer.observation.ObservationConvention;
-import org.jetbrains.annotations.NotNull;
 
 import org.springframework.lang.NonNull;
 
@@ -63,7 +62,7 @@ public String getContextualName(AuthenticationObservationContext context) {
 	/**
 	 * {@inheritDoc}
 	 */
-	@NotNull
+	@NonNull
 	@Override
 	public KeyValues getLowCardinalityKeyValues(@NonNull AuthenticationObservationContext context) {
 		return KeyValues.of("authentication.request.type", getAuthenticationType(context))
@@ -104,7 +103,7 @@ private String getAuthenticationFailureType(AuthenticationObservationContext con
 	 * {@inheritDoc}
 	 */
 	@Override
-	public boolean supportsContext(@NotNull Observation.Context context) {
+	public boolean supportsContext(@NonNull Observation.Context context) {
 		return context instanceof AuthenticationObservationContext;
 	}
 

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,10 +20,9 @@
 import java.util.Arrays;
 import java.util.function.Function;
 
-import reactor.util.annotation.NonNull;
-
 import org.springframework.context.ApplicationContext;
 import org.springframework.expression.Expression;
+import org.springframework.lang.NonNull;
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -36,11 +36,11 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.aop.Pointcut;
 import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import org.springframework.lang.NonNull;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.TestAuthentication;
@@ -443,7 +443,7 @@ public String getLastName() {
 		}
 
 		@Override
-		public int compareTo(@NotNull User that) {
+		public int compareTo(@NonNull User that) {
 			return this.id.compareTo(that.getId());
 		}
 
@@ -453,7 +453,7 @@ static class UserRepository implements Iterable<User> {
 
 		List<User> users = List.of(new User("1", "first", "last"));
 
-		@NotNull
+		@NonNull
 		@Override
 		public Iterator<User> iterator() {
 			return this.users.iterator();

core/src/test/java/org/springframework/security/authorization/ReactiveAuthorizationAdvisorProxyFactoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,13 +19,13 @@
 import java.util.Iterator;
 import java.util.List;
 
-import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 import reactor.test.StepVerifier;
 
 import org.springframework.aop.Pointcut;
+import org.springframework.lang.NonNull;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.TestAuthentication;
@@ -193,7 +193,7 @@ public Mono<String> getLastName() {
 		}
 
 		@Override
-		public int compareTo(@NotNull User that) {
+		public int compareTo(@NonNull User that) {
 			return this.id.compareTo(that.getId());
 		}
 
@@ -207,7 +207,7 @@ Flux<User> findAll() {
 			return Flux.fromIterable(this.users);
 		}
 
-		@NotNull
+		@NonNull
 		@Override
 		public Iterator<User> iterator() {
 			return this.users.iterator();

etc/checkstyle/checkstyle.xml

@@ -47,5 +47,10 @@
 					  value="String.toUpperCase() should be String.toUpperCase(Locale.ROOT) or String.toUpperCase(Locale.ENGLISH)"/>
 			<property name="ignoreComments" value="true"/>
 		</module>
+		<module name="com.puppycrawl.tools.checkstyle.checks.imports.IllegalImportCheck">
+			<property name="id" value="bannedImports"/>
+			<property name="regexp" value="true"/>
+			<property name="illegalPkgs" value="org.jetbrains.annotations, reactor.util.annotation, javax.annotation"/>
+		</module>
 	</module>
 </module>

saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/TestCustomOpenSaml4Objects.java

@@ -19,7 +19,6 @@
 import java.util.Collections;
 import java.util.List;
 
-import javax.annotation.Nullable;
 import javax.xml.namespace.QName;
 
 import net.shibboleth.utilities.java.support.xml.ElementSupport;
@@ -40,6 +39,7 @@
 import org.w3c.dom.Element;
 
 import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
 
 public final class TestCustomOpenSaml4Objects {