spring-projects · therepanic · Dec 5, 2025
diff --git a/core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java
@@ -51,6 +51,7 @@
  * system isn't required.
  *
  * @author Luke Taylor
+ * @author Andrey Litvitski
  * @since 3.1
  */
 public class InMemoryUserDetailsManager implements UserDetailsManager, UserDetailsPasswordService {
@@ -130,7 +131,7 @@ public boolean userExists(String username) {
 	}
 
 	@Override
-	public void changePassword(String oldPassword, String newPassword) {
+	public void changePassword(@Nullable String oldPassword, @Nullable String newPassword) {
 		Authentication currentUser = this.securityContextHolderStrategy.getContext().getAuthentication();
 		if (currentUser == null) {
 			// This would indicate bad coding somewhere

diff --git a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
@@ -67,6 +67,7 @@
  *
  * @author Luke Taylor
  * @author Junhyeok Lee
+ * @author Andrey Litvitski
  * @since 2.0
  */
 public class JdbcUserDetailsManager extends JdbcDaoImpl
@@ -308,7 +309,8 @@ private void deleteUserAuthorities(String username) {
 	}
 
 	@Override
-	public void changePassword(String oldPassword, String newPassword) throws AuthenticationException {
+	public void changePassword(@Nullable String oldPassword, @Nullable String newPassword)
+			throws AuthenticationException {
 		Authentication currentUser = this.securityContextHolderStrategy.getContext().getAuthentication();
 		if (currentUser == null) {
 			// This would indicate bad coding somewhere
@@ -335,7 +337,7 @@ public void changePassword(String oldPassword, String newPassword) throws Authen
 		this.userCache.removeUserFromCache(username);
 	}
 
-	protected Authentication createNewAuthentication(Authentication currentAuth, String newPassword) {
+	protected Authentication createNewAuthentication(Authentication currentAuth, @Nullable String newPassword) {
 		UserDetails user = loadUserByUsername(currentAuth.getName());
 		UsernamePasswordAuthenticationToken newAuthentication = UsernamePasswordAuthenticationToken.authenticated(user,
 				null, user.getAuthorities());

diff --git a/core/src/main/java/org/springframework/security/provisioning/UserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/UserDetailsManager.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.provisioning;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 
@@ -49,7 +51,7 @@ public interface UserDetailsManager extends UserDetailsService {
 	 * @param oldPassword current password (for re-authentication if required)
 	 * @param newPassword the password to change to
 	 */
-	void changePassword(String oldPassword, String newPassword);
+	void changePassword(@Nullable String oldPassword, @Nullable String newPassword);
 
 	/**
 	 * Check if a user with the supplied login name exists in the system.