Checkstyle Fixes

- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394

Author: rwinch

cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java

@@ -40,9 +40,9 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,

cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java

@@ -37,9 +37,9 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,

cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java

@@ -47,9 +47,9 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,

config/src/main/java/org/springframework/security/config/Customizer.java

@@ -19,8 +19,8 @@
 /**
  * Callback interface that accepts a single input argument and returns no result.
  *
- * @author Eleftheria Stein
  * @param <T> the type of the input to the operation
+ * @author Eleftheria Stein
  * @since 5.2
  */
 @FunctionalInterface

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/GlobalAuthenticationConfigurerAdapter.java

@@ -27,8 +27,8 @@
  * {@link AuthenticationConfiguration} to configure the global
  * {@link AuthenticationManagerBuilder}.
  *
- * @since 5.0
  * @author Rob Winch
+ * @since 5.0
  */
 @Order(100)
 public abstract class GlobalAuthenticationConfigurerAdapter

config/src/main/java/org/springframework/security/config/annotation/configuration/ObjectPostProcessorConfiguration.java

@@ -30,10 +30,10 @@
  * class is not intended to be imported manually rather it is imported automatically when
  * using {@link EnableWebSecurity} or {@link EnableGlobalMethodSecurity}.
  *
- * @see EnableWebSecurity
- * @see EnableGlobalMethodSecurity
  * @author Rob Winch
  * @since 3.2
+ * @see EnableWebSecurity
+ * @see EnableGlobalMethodSecurity
  */
 @Configuration(proxyBeanMethods = false)
 @Role(BeanDefinition.ROLE_INFRASTRUCTURE)

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.java

@@ -60,11 +60,11 @@
  * {@link WebSecurityConfigurer} and exposing it as a {@link Configuration}. This
  * configuration is imported when using {@link EnableWebSecurity}.
  *
- * @see EnableWebSecurity
- * @see WebSecurity
  * @author Rob Winch
  * @author Keesun Baik
  * @since 3.2
+ * @see EnableWebSecurity
+ * @see WebSecurity
  */
 @Configuration(proxyBeanMethods = false)
 public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java

@@ -87,8 +87,8 @@
  * org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer, sample.OtherThatExtendsAbstractHttpConfigurer
  * </pre>
  *
- * @see EnableWebSecurity
  * @author Rob Winch
+ * @see EnableWebSecurity
  */
 @Order(100)
 public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigurer<WebSecurity> {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -490,8 +490,8 @@ public HeadersConfigurer<H> referrerPolicy(Customizer<ReferrerPolicyConfig> refe
 	 * @return the {@link FeaturePolicyConfig} for additional configuration
 	 * @throws IllegalArgumentException if policyDirectives is {@code null} or empty
 	 * @since 5.1
-	 * @see FeaturePolicyHeaderWriter
 	 * @deprecated Use {@link #permissionsPolicy(Customizer)} instead.
+	 * @seeObjectPostProcessorConfiguration FeaturePolicyHeaderWriter
 	 */
 	@Deprecated
 	public FeaturePolicyConfig featurePolicy(String policyDirectives) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java

@@ -49,15 +49,15 @@
  * <li>{@link ClientRegistrationRepository}</li>
  * </ul>
  *
+ * @author Joe Grandja
+ * @since 5.0
+ * @see OAuth2AuthorizationRequestRedirectFilter
+ * @see ClientRegistrationRepository
  * @deprecated It is not recommended to use the implicit flow due to the inherent risks of
  * returning access tokens in an HTTP redirect without any confirmation that it has been
  * received by the client. See reference
  * <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit
  * Grant</a>.
- * @author Joe Grandja
- * @since 5.0
- * @see OAuth2AuthorizationRequestRedirectFilter
- * @see ClientRegistrationRepository
  */
 @Deprecated
 public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -683,10 +683,10 @@ public UserInfoEndpointConfig oidcUserService(OAuth2UserService<OidcUserRequest,
 		/**
 		 * Sets a custom {@link OAuth2User} type and associates it to the provided client
 		 * {@link ClientRegistration#getRegistrationId() registration identifier}.
-		 * @deprecated See {@link CustomUserTypesOAuth2UserService} for alternative usage.
 		 * @param customUserType a custom {@link OAuth2User} type
 		 * @param clientRegistrationId the client registration identifier
 		 * @return the {@link UserInfoEndpointConfig} for further configuration
+		 * @deprecated See {@link CustomUserTypesOAuth2UserService} for alternative usage.
 		 */
 		@Deprecated
 		public UserInfoEndpointConfig customUserType(Class<? extends OAuth2User> customUserType,

config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/WebMvcSecurityConfiguration.java

@@ -37,9 +37,9 @@
  * {@link AuthenticationPrincipalArgumentResolver} as a
  * {@link HandlerMethodArgumentResolver}.
  *
- * @deprecated This is applied internally using SpringWebMvcImportSelector
  * @author Rob Winch
  * @since 3.2
+ * @deprecated This is applied internally using SpringWebMvcImportSelector
  */
 @Deprecated
 @Configuration(proxyBeanMethods = false)

config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java

@@ -79,8 +79,8 @@
  * }
  * </pre>
  *
- * @since 4.0
  * @author Rob Winch
+ * @since 4.0
  */
 @Order(Ordered.HIGHEST_PRECEDENCE + 100)
 @Import(ObjectPostProcessorConfiguration.class)

core/src/main/java/org/springframework/security/jackson2/AnonymousAuthenticationTokenMixin.java

@@ -40,9 +40,9 @@
  * <i>Note: This class will save full class name into a property called @class</i>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,

core/src/main/java/org/springframework/security/jackson2/BadCredentialsExceptionMixin.java

@@ -36,8 +36,8 @@
  * called @class</i> <i>The cause and stackTrace are ignored in the serialization.</i>
  *
  * @author Yannick Lombardi
- * @see CoreJackson2Module
  * @since 5.0
+ * @see CoreJackson2Module
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonIgnoreProperties(ignoreUnknown = true, value = { "cause", "stackTrace" })

core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java

@@ -44,8 +44,8 @@
  * of all security modules.</b>
  *
  * @author Jitendra Singh.
- * @see SecurityJackson2Modules
  * @since 4.2
+ * @see SecurityJackson2Modules
  */
 @SuppressWarnings("serial")
 public class CoreJackson2Module extends SimpleModule {

core/src/main/java/org/springframework/security/jackson2/RememberMeAuthenticationTokenMixin.java

@@ -47,9 +47,9 @@
  * called @class</i>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,

core/src/main/java/org/springframework/security/jackson2/SimpleGrantedAuthorityMixin.java

@@ -32,9 +32,9 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,

core/src/main/java/org/springframework/security/jackson2/UnmodifiableListMixin.java

@@ -32,10 +32,10 @@
  * </pre>
  *
  * @author Rob Winch
+ * @since 5.0.2
  * @see UnmodifiableListDeserializer
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 5.0.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonDeserialize(using = UnmodifiableListDeserializer.class)

core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetMixin.java

@@ -32,10 +32,10 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see UnmodifiableSetDeserializer
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonDeserialize(using = UnmodifiableSetDeserializer.class)

core/src/main/java/org/springframework/security/jackson2/UserMixin.java

@@ -37,10 +37,10 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see UserDeserializer
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonDeserialize(using = UserDeserializer.class)

core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixin.java

@@ -39,9 +39,9 @@
  * </pre>
  *
  * @author Jitendra Singh
+ * @since 4.2
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
- * @since 4.2
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,

messaging/src/main/java/org/springframework/security/messaging/access/expression/MessageExpressionConfigAttribute.java

@@ -29,9 +29,9 @@
 /**
  * Simple expression configuration attribute for use in {@link Message} authorizations.
  *
- * @since 4.0
  * @author Rob Winch
  * @author Daniel Bustamante Ospina
+ * @since 4.0
  */
 @SuppressWarnings("serial")
 class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor<Message<?>> {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClient.java

@@ -58,7 +58,6 @@
  *
  * @author Joe Grandja
  * @since 5.0
- * @deprecated Use {@link DefaultAuthorizationCodeTokenResponseClient}
  * @see OAuth2AccessTokenResponseClient
  * @see OAuth2AuthorizationCodeGrantRequest
  * @see OAuth2AccessTokenResponse
@@ -71,6 +70,7 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response
  * (Authorization Code Grant)</a>
+ * @deprecated Use {@link DefaultAuthorizationCodeTokenResponseClient}
  */
 @Deprecated
 public class NimbusAuthorizationCodeTokenResponseClient

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java

@@ -112,8 +112,8 @@ public AuthorizationGrantType getAuthorizationGrantType() {
 
 	/**
 	 * Returns the uri (or uri template) for the redirection endpoint.
-	 * @deprecated Use {@link #getRedirectUri()} instead
 	 * @return the uri (or uri template) for the redirection endpoint
+	 * @deprecated Use {@link #getRedirectUri()} instead
 	 */
 	@Deprecated
 	public String getRedirectUriTemplate() {
@@ -445,10 +445,10 @@ public Builder authorizationGrantType(AuthorizationGrantType authorizationGrantT
 
 		/**
 		 * Sets the uri (or uri template) for the redirection endpoint.
-		 * @deprecated Use {@link #redirectUri(String)} instead
 		 * @param redirectUriTemplate the uri (or uri template) for the redirection
 		 * endpoint
 		 * @return the {@link Builder}
+		 * @deprecated Use {@link #redirectUri(String)} instead
 		 */
 		@Deprecated
 		public Builder redirectUriTemplate(String redirectUriTemplate) {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/CustomUserTypesOAuth2UserService.java

@@ -42,18 +42,18 @@
  * {@link OAuth2User} type(s) keyed by {@code String}, which represents the
  * {@link ClientRegistration#getRegistrationId() Registration Id} of the Client.
  *
- * @deprecated It is recommended to use a delegation-based strategy of an
- * {@link OAuth2UserService} to support custom {@link OAuth2User} types, as it provides
- * much greater flexibility compared to this implementation. See the
- * <a target="_blank" href=
- * "https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-advanced-map-authorities-oauth2userservice">reference
- * manual</a> for details on how to implement.
  * @author Joe Grandja
  * @since 5.0
  * @see OAuth2UserService
  * @see OAuth2UserRequest
  * @see OAuth2User
  * @see ClientRegistration
+ * @deprecated It is recommended to use a delegation-based strategy of an
+ * {@link OAuth2UserService} to support custom {@link OAuth2User} types, as it provides
+ * much greater flexibility compared to this implementation. See the
+ * <a target="_blank" href=
+ * "https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-advanced-map-authorities-oauth2userservice">reference
+ * manual</a> for details on how to implement.
  */
 @Deprecated
 public class CustomUserTypesOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/OAuth2UserService.java

@@ -27,13 +27,13 @@
  * {@link OAuth2UserRequest#getClientRegistration() Client} and returning an
  * {@link AuthenticatedPrincipal} in the form of an {@link OAuth2User}.
  *
+ * @param <R> The type of OAuth 2.0 User Request
+ * @param <U> The type of OAuth 2.0 User
  * @author Joe Grandja
  * @since 5.0
  * @see OAuth2UserRequest
  * @see OAuth2User
  * @see AuthenticatedPrincipal
- * @param <R> The type of OAuth 2.0 User Request
- * @param <U> The type of OAuth 2.0 User
  */
 @FunctionalInterface
 public interface OAuth2UserService<R extends OAuth2UserRequest, U extends OAuth2User> {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/ReactiveOAuth2UserService.java

@@ -29,13 +29,13 @@
  * {@link OAuth2UserRequest#getClientRegistration() Client} and returning an
  * {@link AuthenticatedPrincipal} in the form of an {@link OAuth2User}.
  *
+ * @param <R> The type of OAuth 2.0 User Request
+ * @param <U> The type of OAuth 2.0 User
  * @author Rob Winch
  * @since 5.1
  * @see OAuth2UserRequest
  * @see OAuth2User
  * @see AuthenticatedPrincipal
- * @param <R> The type of OAuth 2.0 User Request
- * @param <U> The type of OAuth 2.0 User
  */
 @FunctionalInterface
 public interface ReactiveOAuth2UserService<R extends OAuth2UserRequest, U extends OAuth2User> {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRepository.java

@@ -59,12 +59,12 @@ public interface AuthorizationRequestRepository<T extends OAuth2AuthorizationReq
 	/**
 	 * Removes and returns the {@link OAuth2AuthorizationRequest} associated to the
 	 * provided {@code HttpServletRequest} or if not available returns {@code null}.
-	 * @deprecated Use
-	 * {@link #removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)}
-	 * instead
 	 * @param request the {@code HttpServletRequest}
 	 * @return the removed {@link OAuth2AuthorizationRequest} or {@code null} if not
 	 * available
+	 * @deprecated Use
+	 * {@link #removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)}
+	 * instead
 	 */
 	@Deprecated
 	T removeAuthorizationRequest(HttpServletRequest request);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2AuthorizedClientArgumentResolver.java

@@ -156,6 +156,9 @@ private String resolveClientRegistrationId(MethodParameter parameter) {
 	/**
 	 * Sets the client used when requesting an access token credential at the Token
 	 * Endpoint for the {@code client_credentials} grant.
+	 * @param clientCredentialsTokenResponseClient the client used when requesting an
+	 * access token credential at the Token Endpoint for the {@code client_credentials}
+	 * grant
 	 * @deprecated Use
 	 * {@link #OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)}
 	 * instead. Create an instance of
@@ -165,9 +168,6 @@ private String resolveClientRegistrationId(MethodParameter parameter) {
 	 * to
 	 * {@link DefaultOAuth2AuthorizedClientManager#setAuthorizedClientProvider(OAuth2AuthorizedClientProvider)
 	 * DefaultOAuth2AuthorizedClientManager}.
-	 * @param clientCredentialsTokenResponseClient the client used when requesting an
-	 * access token credential at the Token Endpoint for the {@code client_credentials}
-	 * grant
 	 */
 	@Deprecated
 	public void setClientCredentialsTokenResponseClient(