Description
I'm not sure if I should add this as an enhancement or a bug. I'm going for enhancement because it is a compile time issue.
Expected Behavior
The logout method in class SecurityContextLogoutHandler has three parameters:
- HttpServletRequest request
- HttpServletResponse response
- Authentication authentication
Regarding the JavaDoc, only the first parameter HttpServletRequest is used and the other two parameters HttpServletResponse and Authentication are ignored and can be null:
/**
* Requires the request to be passed in.
* @param request from which to obtain a HTTP session (cannot be null)
* @param response not used (can be <code>null</code>)
* @param authentication not used (can be <code>null</code>)
*/
So I would expect to be able to pass null as 2nd and 3rd parameter without any complaints.
Current Behavior
With JSpecify added and used by our CI system, we now get warnings that we are passing a null argument to a parameter annotated as @NotNull. The second parameter HttpServletResponse response has no explicit @Nullable annotation (like the 3rd parameter), so with JSpecify it now has an implicit @NotNull annotation and our build complains.
Context
Our CI build checks @Nullable and @NotNull violations and breaks the build. The workaround is to add a data flow suppression to our code. For a fix I would highly suggest adding a @Nullable annotation to the HttpServletResponse response parameter.