diff --git a/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java b/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java index 8136bf7070..6db7ca8b73 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java +++ b/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java @@ -50,17 +50,6 @@ public abstract class SecurityConfigurerAdapter> public void configure(B builder) throws Exception { } - /** - * Return the {@link SecurityBuilder} when done using the {@link SecurityConfigurer}. - * This is useful for method chaining. - * @return the {@link SecurityBuilder} for further customizations - * @deprecated For removal in 7.0. Use the lambda based configuration instead. - */ - @Deprecated(since = "6.1", forRemoval = true) - public B and() { - return getBuilder(); - } - /** * Gets the {@link SecurityBuilder}. Cannot be null. * @return the {@link SecurityBuilder} diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java index 0f47afa594..1a44dbcebe 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java @@ -386,6 +386,10 @@ public class LdapAuthenticationProviderConfigurer())); } + public B and() { + return getBuilder(); + } + } 
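Review bot: The `and()` added at the end of LdapAuthenticationProviderConfigurer is public API with no Javadoc, and nothing states whether it is a permanent part of the LDAP DSL or still scheduled for removal. The base-class version this commit deletes from SecurityConfigurerAdapter carried both a description and `@Deprecated(since = "6.1", forRemoval = true)`. I would add a short Javadoc such as `/** Returns the {@link SecurityBuilder} when done configuring LDAP authentication, for method chaining. */` with a matching `@return` line, and state the deprecation status explicitly either way so that callers know whether they can rely on it. The class body starts outside the hunk, so whether other builders in this file depend on the method is not visible from here.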
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index e441b92504..4a4c3cc42e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -103,8 +103,6 @@ import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.filter.CorsFilter; import org.springframework.web.servlet.handler.HandlerMappingIntrospector; -import static org.springframework.security.config.Customizer.withDefaults; - /** * A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the * namespace configuration. It allows configuring web based security for specific http @@ -218,114 +216,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @Configuration - * @EnableWebSecurity - * public class CsrfSecurityConfig { - * - * @Bean - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - * http - * .headers() - * .contentTypeOptions() - * .and() - * .xssProtection() - * .and() - * .cacheControl() - * .and() - * .httpStrictTransportSecurity() - * .and() - * .frameOptions() - * .and() - * ...; - * return http.build(); - * } - * } - * - * - * You can disable the headers using the following: - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.headers().disable()
-	 * 			...;
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * - * You can enable only a few of the headers by first invoking - * {@link HeadersConfigurer#defaultsDisabled()} and then invoking the appropriate - * methods on the {@link #headers(withDefaults())} result. For example, the following - * will enable {@link HeadersConfigurer#cacheControl()} and - * {@link HeadersConfigurer#frameOptions()} only. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.headers()
-	 * 				.defaultsDisabled()
-	 * 				.cacheControl()
-	 * 				.and()
-	 * 				.frameOptions()
-	 * 				.and()
-	 * 			...;
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * - * You can also choose to keep the defaults but explicitly disable a subset of - * headers. For example, the following will enable all the default headers except - * {@link HeadersConfigurer#frameOptions()}. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.headers()
-	 * 				 .frameOptions()
-	 * 				 	.disable()
-	 * 				 .and()
-	 * 			...;
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link HeadersConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} or - * {@code headers(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - * @see HeadersConfigurer - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer headers() throws Exception { - return getOrApply(new HeadersConfigurer<>()); - } - /** * Adds the Security headers to the response. This is activated by default when using * {@link EnableWebSecurity}. @@ -428,23 +318,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public CorsConfigurer cors() throws Exception { - return getOrApply(new CorsConfigurer<>()); - } - /** * Adds a {@link CorsFilter} to be used. If a bean by the name of corsFilter is * provided, that {@link CorsFilter} is used. Else if corsConfigurationSource is @@ -475,69 +348,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The following configuration demonstrates how to enforce that only a single instance - * of a user is authenticated at a time. If a user authenticates with the username - * "user" without logging out and an attempt to authenticate with "user" is made the - * first session will be forcibly terminated and sent to the "/login?expired" URL. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class SessionManagementSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
-	 * 				.permitAll().and().sessionManagement().maximumSessions(1)
-	 * 				.expiredUrl("/login?expired");
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * When using {@link SessionManagementConfigurer#maximumSessions(int)}, do not forget - * to configure {@link HttpSessionEventPublisher} for the application to ensure that - * expired sessions are cleaned up. - * - * In a web.xml this can be configured using the following: - * - *
-	 * <listener>
-	 *      <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
-	 * </listener>
-	 * 
- * - * Alternatively, - * {@link AbstractSecurityWebApplicationInitializer#enableHttpSessionEventPublisher()} - * could return true. - * @return the {@link SessionManagementConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #sessionManagement(Customizer)} or - * {@code sessionManagement(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public SessionManagementConfigurer sessionManagement() throws Exception { - return getOrApply(new SessionManagementConfigurer<>()); - } - /** * Allows configuring of Session Management. * @@ -636,61 +446,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @return the {@link PortMapperConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #portMapper(Customizer)} or - * {@code portMapper(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see #requiresChannel(withDefaults()) - */ - @Deprecated(since = "6.1", forRemoval = true) - public PortMapperConfigurer portMapper() throws Exception { - return getOrApply(new PortMapperConfigurer<>()); - } - - /** - * Allows configuring a {@link PortMapper} that is available from - * {@link HttpSecurity#getSharedObject(Class)}. Other provided - * {@link SecurityConfigurer} objects use this configured {@link PortMapper} as a - * default {@link PortMapper} when redirecting from HTTP to HTTPS or from HTTPS to - * HTTP (for example when used in combination with - * {@link #requiresChannel(withDefaults())}. By default Spring Security uses a - * {@link PortMapperImpl} which maps the HTTP port 8080 to the HTTPS port 8443 and the - * HTTP port of 80 to the HTTPS port of 443. - * - *

Example Configuration

- * - * The following configuration will ensure that redirects within Spring Security from - * HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 - * to the HTTPS port of 443. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class PortMapperSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.requiresChannel((requiresChannel) ->
 	 * 				requiresChannel
@@ -727,83 +482,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration
-	 *
-	 * The following configuration will use the principal found on the
-	 * {@link HttpServletRequest} and if the user is in the role "ROLE_USER" or
-	 * "ROLE_ADMIN" will add that to the resulting {@link Authentication}.
-	 *
-	 * 
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class JeeSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
-	 * 		// Example jee() configuration
-	 * 				.jee().mappableRoles("USER", "ADMIN");
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * - * Developers wishing to use pre authentication with the container will need to ensure - * their web.xml configures the security constraints. For example, the web.xml (there - * is no equivalent Java based configuration supported by the Servlet specification) - * might look like: - * - *
-	 * <login-config>
-	 *     <auth-method>FORM</auth-method>
-	 *     <form-login-config>
-	 *         <form-login-page>/login</form-login-page>
-	 *         <form-error-page>/login?error</form-error-page>
-	 *     </form-login-config>
-	 * </login-config>
-	 *
-	 * <security-role>
-	 *     <role-name>ROLE_USER</role-name>
-	 * </security-role>
-	 * <security-constraint>
-	 *     <web-resource-collection>
-	 *     <web-resource-name>Public</web-resource-name>
-	 *         <description>Matches unconstrained pages</description>
-	 *         <url-pattern>/login</url-pattern>
-	 *         <url-pattern>/logout</url-pattern>
-	 *         <url-pattern>/resources/*</url-pattern>
-	 *     </web-resource-collection>
-	 * </security-constraint>
-	 * <security-constraint>
-	 *     <web-resource-collection>
-	 *         <web-resource-name>Secured Areas</web-resource-name>
-	 *         <url-pattern>/*</url-pattern>
-	 *     </web-resource-collection>
-	 *     <auth-constraint>
-	 *         <role-name>ROLE_USER</role-name>
-	 *     </auth-constraint>
-	 * </security-constraint>
-	 * 
- * - * Last you will need to configure your container to contain the user with the correct - * roles. This configuration is specific to the Servlet Container, so consult your - * Servlet Container's documentation. - * @return the {@link JeeConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #jee(Customizer)} or - * {@code jee(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public JeeConfigurer jee() throws Exception { - return getOrApply(new JeeConfigurer<>()); - } - /** * Configures container based pre authentication. In this case, authentication is * managed by the Servlet Container. @@ -885,41 +563,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The following configuration will attempt to extract the username from the X509 - * certificate. Remember that the Servlet Container will need to be configured to - * request client certificates in order for this to work. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class X509SecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
-	 * 		// Example x509() configuration
-	 * 				.x509();
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link X509Configurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} or - * {@code x509(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public X509Configurer x509() throws Exception { - return getOrApply(new X509Configurer<>()); - } - /** * Configures X509 based pre authentication. * @@ -956,54 +599,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The following configuration demonstrates how to allow token based remember me - * authentication. Upon authenticating if the HTTP parameter named "remember-me" - * exists, then the user will be remembered even after their - * {@link jakarta.servlet.http.HttpSession} expires. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RememberMeSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
-	 * 				.permitAll().and()
-	 * 				// Example Remember Me Configuration
-	 * 				.rememberMe();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link RememberMeConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #rememberMe(Customizer)} or - * {@code rememberMe(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public RememberMeConfigurer rememberMe() throws Exception { - return getOrApply(new RememberMeConfigurer<>()); - } - /** * Allows configuring of Remember Me authentication. * @@ -1053,106 +648,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations - * - * The most basic example is to configure all URLs to require the role "ROLE_USER". - * The configuration below requires authentication to every URL and will grant access - * to both the user "admin" and "user". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * We can also configure multiple URLs. The configuration below requires - * authentication to every URL and will grant access to URLs starting with /admin/ to - * only the "admin" user. All other URLs either user can access. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/admin/**").hasRole("ADMIN")
-	 * 				.requestMatchers("/**").hasRole("USER").and().formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * Note that the matchers are considered in order. Therefore, the following is invalid - * because the first matcher matches every request and will never get to the second - * mapping: - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").requestMatchers("/admin/**")
-	 * 			.hasRole("ADMIN")
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests() - throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context)).getRegistry(); - } - /** * Allows restricting access based upon the {@link HttpServletRequest} using * {@link RequestMatcher} implementations (i.e. via URL patterns). @@ -1272,119 +767,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations - * - * The most basic example is to configure all URLs to require the role "ROLE_USER". - * The configuration below requires authentication to every URL and will grant access - * to both the user "admin" and "user". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeHttpRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * We can also configure multiple URLs. The configuration below requires - * authentication to every URL and will grant access to URLs starting with /admin/ to - * only the "admin" user. All other URLs either user can access. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeHttpRequests()
-	 * 				.requestMatchers("/admin").hasRole("ADMIN")
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * Note that the matchers are considered in order. Therefore, the following is invalid - * because the first matcher matches every request and will never get to the second - * mapping: - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeHttpRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.requestMatchers("/admin/**").hasRole("ADMIN")
-	 * 				.and()
-	 * 			.formLogin();
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link HttpSecurity} for further customizations - * @throws Exception - * @since 5.6 - * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests() - throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry(); - } - /** * Allows restricting access based upon the {@link HttpServletRequest} using * {@link RequestMatcher} implementations (i.e. via URL patterns). @@ -1502,25 +884,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public RequestCacheConfigurer requestCache() throws Exception { - return getOrApply(new RequestCacheConfigurer<>()); - } - /** * Allows configuring the Request Cache. For example, a protected page (/protected) * may be requested prior to authentication. The application will redirect the user to @@ -1562,22 +925,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ExceptionHandlingConfigurer exceptionHandling() throws Exception { - return getOrApply(new ExceptionHandlingConfigurer<>()); - } - /** * Allows configuring exception handling. This is automatically applied when using * {@link EnableWebSecurity}. 
@@ -1619,23 +966,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public SecurityContextConfigurer securityContext() throws Exception { - return getOrApply(new SecurityContextConfigurer<>()); - } - /** * Sets up management of the {@link SecurityContext} on the * {@link SecurityContextHolder} between {@link HttpServletRequest}'s. This is @@ -1670,23 +1000,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ServletApiConfigurer servletApi() throws Exception { - return getOrApply(new ServletApiConfigurer<>()); - } - /** * Integrates the {@link HttpServletRequest} methods with the values found on the * {@link SecurityContext}. This is automatically applied when using @@ -1718,37 +1031,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @Configuration - * @EnableWebSecurity - * public class CsrfSecurityConfig { - * - * @Bean - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - * http - * .csrf().disable() - * ...; - * return http.build(); - * } - * } - *
- * @return the {@link CsrfConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} or - * {@code csrf(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public CsrfConfigurer csrf() throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new CsrfConfigurer<>(context)); - } - /** * Enables CSRF protection. This is activated by default when using * {@link EnableWebSecurity}. You can disable it using: @@ -1797,57 +1079,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @return the {@link LogoutConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} or - * {@code logout(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public LogoutConfigurer logout() throws Exception { - return getOrApply(new LogoutConfigurer<>()); - } - - /** - * Provides logout support. This is automatically applied when using - * {@link EnableWebSecurity}. The default is that accessing the URL "/logout" will log - * the user out by invalidating the HTTP Session, cleaning up any - * {@link #rememberMe(withDefaults())} authentication that was configured, clearing - * the {@link SecurityContextHolder}, and then redirect to "/login?success". - * - *

Example Custom Configuration

- * - * The following customization to log out when the URL "/custom-logout" is invoked. - * Log out will remove the cookie named "remove", not invalidate the HttpSession, - * clear the SecurityContextHolder, and upon completion redirect to "/logout-success". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class LogoutSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) ->
 	 * 				authorizeRequests
@@ -1885,94 +1116,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration
-	 *
-	 * The following configuration demonstrates how to specify that anonymous users should
-	 * contain the role "ROLE_ANON" instead.
-	 *
-	 * 
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AnonymousSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin()
-	 * 				.and()
-	 * 			// sample anonymous customization
-	 * 			.anonymous().authorities("ROLE_ANON");
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The following demonstrates how to represent anonymous users as null. Note that this - * can cause {@link NullPointerException} in code that assumes anonymous - * authentication is enabled. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AnonymousSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin()
-	 * 				.and()
-	 * 			// sample anonymous customization
-	 * 			.anonymous().disable();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link AnonymousConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} or - * {@code anonymous(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public AnonymousConfigurer anonymous() throws Exception { - return getOrApply(new AnonymousConfigurer<>()); - } - /** * Allows configuring how an anonymous user is represented. This is automatically * applied when used in conjunction with {@link EnableWebSecurity}. By default @@ -2063,86 +1206,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations - * - * The most basic configuration defaults to automatically generating a login page at - * the URL "/login", redirecting to "/login?error" for authentication failure. The - * details of the login page can be found on - * {@link FormLoginConfigurer#loginPage(String)} - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class FormLoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The configuration below demonstrates customizing the defaults. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class FormLoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
-	 * 				.usernameParameter("username") // default is username
-	 * 				.passwordParameter("password") // default is password
-	 * 				.loginPage("/authentication/login") // default is /login with an HTTP get
-	 * 				.failureUrl("/authentication/login?failed") // default is /login?error
-	 * 				.loginProcessingUrl("/authentication/login/process"); // default is /login
-	 * 																		// with an HTTP
-	 * 																		// post
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link FormLoginConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} or - * {@code formLogin(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see FormLoginConfigurer#loginPage(String) - */ - @Deprecated(since = "6.1", forRemoval = true) - public FormLoginConfigurer formLogin() throws Exception { - return getOrApply(new FormLoginConfigurer<>()); - } - /** * Specifies to support form based authentication. If * {@link FormLoginConfigurer#loginPage(String)} is not specified a default login page @@ -2230,100 +1293,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - *
- * - * The "authentication flow" is implemented using the Web Browser SSO - * Profile, using POST and REDIRECT bindings, as documented in the - * SAML V2.0 - * Core,Profiles and Bindings specifications.
- *
- * - * As a prerequisite to using this feature, is that you have a SAML v2.0 Identity - * Provider to provide an assertion. The representation of the Service Provider, the - * relying party, and the remote Identity Provider, the asserting party is contained - * within {@link RelyingPartyRegistration}.
- *
- * - * {@link RelyingPartyRegistration}(s) are composed within a - * {@link RelyingPartyRegistrationRepository}, which is required and must be - * registered with the {@link ApplicationContext} or configured via - * saml2Login().relyingPartyRegistrationRepository(..).
- *
- * - * The default configuration provides an auto-generated login page at - * "/login" and redirects to - * "/login?error" when an authentication error occurs. The - * login page will display each of the identity providers with a link that is capable - * of initiating the "authentication flow".
- *
- * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using SimpleSamlPhp - * as the Authentication Provider. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class Saml2LoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.anyRequest().authenticated()
-	 * 				.and()
-	 * 			.saml2Login();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 *	@Bean
-	 *	public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-	 *		return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
-	 *	}
-	 *
-	 * 	private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
-	 * 		//remote IDP entity ID
-	 * 		String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
-	 * 		//remote WebSSO Endpoint - Where to Send AuthNRequests to
-	 * 		String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
-	 * 		//local registration ID
-	 * 		String registrationId = "simplesamlphp";
-	 * 		//local entity ID - autogenerated based on URL
-	 * 		String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
-	 * 		//local signing (and decryption key)
-	 * 		Saml2X509Credential signingCredential = getSigningCredential();
-	 * 		//IDP certificate for verification of incoming messages
-	 * 		Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
-	 * 		return RelyingPartyRegistration.withRegistrationId(registrationId)
-	 * 				.remoteIdpEntityId(idpEntityId)
-	 * 				.idpWebSsoUrl(webSsoEndpoint)
-	 * 				.credential(signingCredential)
-	 * 				.credential(idpVerificationCertificate)
-	 * 				.localEntityIdTemplate(localEntityIdTemplate)
-	 * 				.build();
-	 * 	}
-	 * }
-	 * 
- * - *

- * @return the {@link Saml2LoginConfigurer} for further customizations - * @throws Exception - * @since 5.2 - * @deprecated For removal in 7.0. Use {@link #saml2Login(Customizer)} or - * {@code saml2Login(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LoginConfigurer saml2Login() throws Exception { - return getOrApply(new Saml2LoginConfigurer<>()); - } - /** * Configures authentication support using an SAML 2.0 Service Provider.
*
@@ -2486,80 +1455,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - *
- * - * Implements the Single Logout Profile, using POST and REDIRECT bindings, as - * documented in the - * SAML V2.0 - * Core, Profiles and Bindings specifications.
- *
- * - * As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting - * Party to sent a logout request to. The representation of the relying party and the - * asserting party is contained within {@link RelyingPartyRegistration}.
- *
- * - * {@link RelyingPartyRegistration}(s) are composed within a - * {@link RelyingPartyRegistrationRepository}, which is required and must be - * registered with the {@link ApplicationContext} or configured via - * {@link #saml2Login(withDefaults())}.
- *
- * - * The default configuration provides an auto-generated logout endpoint at - * "/logout" and redirects to /login?logout when - * logout completes.
- *
- * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using a - * hypothetical asserting party. - * - *
-	 *	@EnableWebSecurity
-	 *	@Configuration
-	 *	public class Saml2LogoutSecurityConfig {
-	 *		@Bean
-	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
-	 *			http
-	 *				.authorizeRequests()
-	 *					.anyRequest().authenticated()
-	 *					.and()
-	 *				.saml2Login()
-	 *					.and()
-	 *				.saml2Logout();
-	 *			return http.build();
-	 *		}
-	 *
-	 *		@Bean
-	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
-	 *					.withMetadataLocation("https://ap.example.org/metadata")
-	 *					.registrationId("simple")
-	 *					.build();
-	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
-	 *		}
-	 *	}
-	 * 
- * - *

- * @return the {@link Saml2LoginConfigurer} for further customizations - * @throws Exception - * @since 5.6 - * @deprecated For removal in 7.0. Use {@link #saml2Logout(Customizer)} or - * {@code saml2Logout(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LogoutConfigurer saml2Logout() throws Exception { - return getOrApply(new Saml2LogoutConfigurer<>(getContext())); - } - /** * Configures a SAML 2.0 metadata endpoint that presents relying party configurations * in an {@code } payload. @@ -2610,163 +1505,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder} payload. - * - *

- * By default, the endpoints are {@code /saml2/metadata} and - * {@code /saml2/metadata/{registrationId}} though note that also - * {@code /saml2/service-provider-metadata/{registrationId}} is recognized for - * backward compatibility purposes. - * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using a - * hypothetical asserting party. - * - *
-	 *	@EnableWebSecurity
-	 *	@Configuration
-	 *	public class Saml2LogoutSecurityConfig {
-	 *		@Bean
-	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
-	 *			http
-	 *				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-	 *				.saml2Metadata(Customizer.withDefaults());
-	 *			return http.build();
-	 *		}
-	 *
-	 *		@Bean
-	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
-	 *					.withMetadataLocation("https://ap.example.org/metadata")
-	 *					.registrationId("simple")
-	 *					.build();
-	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
-	 *		}
-	 *	}
-	 * 
- * @return the {@link Saml2MetadataConfigurer} for further customizations - * @throws Exception - * @since 6.1 - * @deprecated For removal in 7.0. Use {@link #saml2Metadata(Customizer)} or - * {@code saml2Metadata(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2MetadataConfigurer saml2Metadata() throws Exception { - return getOrApply(new Saml2MetadataConfigurer<>(getContext())); - } - - /** - * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 - * Provider.
- *
- * - * The "authentication flow" is implemented using the Authorization Code - * Grant, as specified in the - * OAuth 2.0 - * Authorization Framework and OpenID Connect - * Core 1.0 specification.
- *
- * - * As a prerequisite to using this feature, you must register a client with a - * provider. The client registration information may than be used for configuring a - * {@link org.springframework.security.oauth2.client.registration.ClientRegistration} - * using a - * {@link org.springframework.security.oauth2.client.registration.ClientRegistration.Builder}. - *
- *
- * - * {@link org.springframework.security.oauth2.client.registration.ClientRegistration}(s) - * are composed within a - * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository}, - * which is required and must be registered with the {@link ApplicationContext} - * or configured via oauth2Login().clientRegistrationRepository(..).
- *
- * - * The default configuration provides an auto-generated login page at - * "/login" and redirects to - * "/login?error" when an authentication error occurs. The - * login page will display each of the clients with a link that is capable of - * initiating the "authentication flow".
- *
- * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using Google as the - * Authentication Provider. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class OAuth2LoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.anyRequest().authenticated()
-	 * 				.and()
-	 * 			.oauth2Login();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 *	@Bean
-	 *	public ClientRegistrationRepository clientRegistrationRepository() {
-	 *		return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
-	 *	}
-	 *
-	 * 	private ClientRegistration googleClientRegistration() {
-	 * 		return ClientRegistration.withRegistrationId("google")
-	 * 			.clientId("google-client-id")
-	 * 			.clientSecret("google-client-secret")
-	 * 			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
-	 * 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
-	 * 			.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
-	 * 			.scope("openid", "profile", "email", "address", "phone")
-	 * 			.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
-	 * 			.tokenUri("https://www.googleapis.com/oauth2/v4/token")
-	 * 			.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
-	 * 			.userNameAttributeName(IdTokenClaimNames.SUB)
-	 * 			.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
-	 * 			.clientName("Google")
-	 * 			.build();
-	 *	}
-	 * }
-	 * 
- * - *

- * For more advanced configuration, see {@link OAuth2LoginConfigurer} for available - * options to customize the defaults. - * @return the {@link OAuth2LoginConfigurer} for further customizations - * @throws Exception - * @since 5.0 - * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} or - * {@code oauth2Login(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see Section 4.1 Authorization Code - * Grant - * @see Section 3.1 - * Authorization Code Flow - * @see org.springframework.security.oauth2.client.registration.ClientRegistration - * @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer oauth2Login() throws Exception { - return getOrApply(new OAuth2LoginConfigurer<>()); - } - /** * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 * Provider.
@@ -2880,27 +1618,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - * @see OAuth 2.0 Authorization - * Framework - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ClientConfigurer oauth2Client() throws Exception { - OAuth2ClientConfigurer configurer = getOrApply(new OAuth2ClientConfigurer<>()); - this.postProcess(configurer); - return configurer; - } - /** * Configures OAuth 2.0 Client support. * @@ -2940,25 +1657,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderOAuth 2.0 Authorization - * Framework - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ResourceServerConfigurer oauth2ResourceServer() throws Exception { - OAuth2ResourceServerConfigurer configurer = getOrApply( - new OAuth2ResourceServerConfigurer<>(getContext())); - this.postProcess(configurer); - return configurer; - } - /** * Configures OAuth 2.0 Resource Server support. * @@ -3051,55 +1749,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The example below demonstrates how to require HTTPs for every request. Only - * requiring HTTPS for some requests is supported, but not recommended since an - * application that allows for HTTP introduces many security vulnerabilities. For one - * such example, read about - * Firesheep. - * - *

-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class ChannelSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
-	 * 				.and().requiresChannel().anyRequest().requiresSecure();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link ChannelSecurityConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #requiresChannel(Customizer)} or - * {@code requiresChannel(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel() throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new ChannelSecurityConfigurer<>(context)).getRegistry(); - } - /** * Configures channel security. In order for this configuration to be useful at least * one mapping to a required channel must be provided. @@ -3205,50 +1854,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The example below demonstrates how to configure HTTP Basic authentication for an - * application. The default realm is "Realm", but can be customized using - * {@link HttpBasicConfigurer#realmName(String)}. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class HttpBasicSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().httpBasic();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link HttpBasicConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} or - * {@code httpBasic(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HttpBasicConfigurer httpBasic() throws Exception { - return getOrApply(new HttpBasicConfigurer<>()); - } - /** * Configures HTTP Basic authentication. * @@ -3454,133 +2059,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * Invoking {@link #securityMatchers()} will not override previous invocations of - * {@link #securityMatchers()}}, {@link #securityMatchers(Customizer)} - * {@link #securityMatcher(String...)} and {@link #securityMatcher(RequestMatcher)} - *

- * - *

Example Configurations

- * - * The following configuration enables the {@link HttpSecurity} for URLs that begin - * with "/api/" or "/oauth/". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.securityMatchers((matchers) -> matchers
-	 * 				.requestMatchers("/api/**", "/oauth/**")
-	 * 			)
-	 * 			.authorizeHttpRequests((authorize) -> authorize
-	 * 				anyRequest().hasRole("USER")
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The configuration below is the same as the previous configuration. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.securityMatchers((matchers) -> matchers
-	 * 				.requestMatchers("/api/**")
-	 * 				.requestMatchers("/oauth/**")
-	 * 			)
-	 * 			.authorizeHttpRequests((authorize) -> authorize
-	 * 				anyRequest().hasRole("USER")
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The configuration below is also the same as the above configuration. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.securityMatchers((matchers) -> matchers
-	 * 				.requestMatchers("/api/**")
-	 * 			)
-	 *			.securityMatchers((matchers) -> matchers
-	 *				.requestMatchers("/oauth/**")
-	 * 			)
-	 * 			.authorizeHttpRequests((authorize) -> authorize
-	 * 				anyRequest().hasRole("USER")
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link RequestMatcherConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #securityMatchers(Customizer)} or - * {@code securityMatchers(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public RequestMatcherConfigurer securityMatchers() { - return this.requestMatcherConfigurer; - } - /** * Allows specifying which {@link HttpServletRequest} instances this * {@link HttpSecurity} will be invoked on. This method allows for easily invoking the @@ -3855,35 +2333,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @Configuration - * @EnableWebSecurity - * public class SecurityConfig { - * - * @Bean - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - * http - * .securityMatchers((matchers) -> matchers - * .requestMatchers("/api/**") - * ) - * .authorizeHttpRequests((authorize) -> authorize - * .anyRequest().hasRole("USER") - * ) - * .httpBasic(Customizer.withDefaults()); - * return http.build(); - * } - * - * } - *
- */ - @Deprecated(since = "6.1", forRemoval = true) - public HttpSecurity and() { - return HttpSecurity.this; - } - } /** diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java index 725ee45802..879451012a 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java @@ -231,17 +231,6 @@ public final class AuthorizeHttpRequestsConfigurer> return this; } - /** - * Return the {@link SecurityBuilder} when done using the - * {@link SecurityConfigurer}. This is useful for method chaining. - * @return the type of {@link HttpSecurityBuilder} that is being configured - * @deprecated For removal in 7.0. Use - * {@link HttpSecurity#requiresChannel(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public H and() { - return ChannelSecurityConfigurer.this.and(); - } - } /** diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java index c16f150d48..1fe1faf6cd 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java @@ -57,8 +57,6 @@ import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.util.StringUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Adds * CSRF 
@@ -174,7 +172,8 @@ public final class CsrfConfigurer>
 * @since 5.1
 */
 public CsrfConfigurer ignoringRequestMatchers(RequestMatcher... requestMatchers) {
- return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers).and();
+ new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers);
+ return this;
 }
 
 /**
@@ -202,7 +201,8 @@ public final class CsrfConfigurer>
 * @see AbstractRequestMatcherRegistry#requestMatchers(String...)
 */
 public CsrfConfigurer ignoringRequestMatchers(String... patterns) {
- return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns).and();
+ new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns);
+ return this;
 }
 
 /**
@@ -386,10 +386,6 @@ public final class CsrfConfigurer>
 setApplicationContext(context);
 }
 
- CsrfConfigurer and() {
- return CsrfConfigurer.this;
- }
-
 @Override
 protected IgnoreCsrfProtectionRegistry chainRequestMatchers(List requestMatchers) {
 CsrfConfigurer.this.ignoredCsrfProtectionMatchers.addAll(requestMatchers);
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
index f622c4936e..bddafb1d2e 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
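Review bot: The new statement `new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers);` in `ignoringRequestMatchers(RequestMatcher...)` constructs a registry and discards it, so the CSRF exemption is now recorded purely as a side effect that the call site does not explain. The last hunk of this file shows `chainRequestMatchers` appending to `CsrfConfigurer.this.ignoredCsrfProtectionMatchers`, which appears to be the path that does the work. Because that list decides which requests skip CSRF checks, a why-comment above the statement would help, for example `// requestMatchers(..) adds the matchers to ignoredCsrfProtectionMatchers via chainRequestMatchers; the registry instance itself is not needed`. The same comment applies to the `String... patterns` overload in the following hunk, and it is worth confirming that a test still asserts the ignored matchers are honoured after this refactor. The javadoc of both methods starts outside the hunks.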
@@ -42,8 +42,6 @@ import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.util.StringUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Adds URL based authorization based upon SpEL expressions to an application. At least * one {@link org.springframework.web.bind.annotation.RequestMapping} needs to be mapped @@ -253,7 +251,7 @@ public final class ExpressionUrlAuthorizationConfigurer * Adds the Security HTTP headers to the response. Security HTTP headers is activated by @@ -129,26 +127,6 @@ public class HeadersConfigurer> return this; } - /** - * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the - * X-Content-Type-Options: - * - *
-	 * X-Content-Type-Options: nosniff
-	 * 
- * @return the {@link ContentTypeOptionsConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)} or - * {@code contentTypeOptions(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ContentTypeOptionsConfig contentTypeOptions() { - return this.contentTypeOptions.enable(); - } - /** * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the * > return HeadersConfigurer.this; } - /** - * Note this is not comprehensive XSS protection! - * - *

- * Allows customizing the {@link XXssProtectionHeaderWriter} which adds the X-XSS-Protection header - *

- * @return the {@link XXssConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or - * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public XXssConfig xssProtection() { - return this.xssProtection.enable(); - } - /** * Note this is not comprehensive XSS protection! * @@ -203,26 +161,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the - * following headers: - *
    - *
  • Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  • - *
  • Pragma: no-cache
  • - *
  • Expires: 0
  • - *
- * @return the {@link CacheControlConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} or - * {@code cacheControl(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public CacheControlConfig cacheControl() { - return this.cacheControl.enable(); - } - /** * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the * following headers: @@ -240,19 +178,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link HstsHeaderWriter} which provides support for - * HTTP Strict Transport Security - * (HSTS). - * @return the {@link HstsConfig} for additional customizations - * @deprecated For removal in 7.0. Use - * {@link #httpStrictTransportSecurity(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HstsConfig httpStrictTransportSecurity() { - return this.hsts.enable(); - } - /** * Allows customizing the {@link HstsHeaderWriter} which provides support for * HTTP Strict Transport Security @@ -266,20 +191,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link XFrameOptionsHeaderWriter}. - * @return the {@link FrameOptionsConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or - * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public FrameOptionsConfig frameOptions() { - return this.frameOptions.enable(); - } - /** * Allows customizing the {@link XFrameOptionsHeaderWriter}. * @param frameOptionsCustomizer the {@link Customizer} to provide more options for 
@@ -291,21 +202,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link HpkpHeaderWriter} which provides support for - * HTTP Public Key Pinning (HPKP). - * @return the {@link HpkpConfig} for additional customizations - * - * @since 4.1 - * @deprecated see Certificate - * and Public Key Pinning for more context - */ - @Deprecated - public HpkpConfig httpPublicKeyPinning() { - return this.hpkp.enable(); - } - /** * Allows customizing the {@link HpkpHeaderWriter} which provides support for * HTTP Public Key Pinning (HPKP). @@ -322,39 +218,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - *

- * Allows configuration for Content Security - * Policy (CSP) Level 2. - *

- * - *

- * Calling this method automatically enables (includes) the Content-Security-Policy - * header in the response using the supplied security policy directive(s). - *

- * - *

- * Configuration is provided to the {@link ContentSecurityPolicyHeaderWriter} which - * supports the writing of the two headers as detailed in the W3C Candidate - * Recommendation: - *

- *
    - *
  • Content-Security-Policy
  • - *
  • Content-Security-Policy-Report-Only
  • - *
- * @return the {@link ContentSecurityPolicyConfig} for additional configuration - * @throws IllegalArgumentException if policyDirectives is null or empty - * @since 4.1 - * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)} - * instead - * @see ContentSecurityPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives) { - this.contentSecurityPolicy.writer = new ContentSecurityPolicyHeaderWriter(policyDirectives); - return this.contentSecurityPolicy; - } - /** *

* Allows configuration for Content Security @@ -456,71 +319,6 @@ public class HeadersConfigurer> } } - /** - *

- * Allows configuration for Referrer - * Policy. - *

- * - *

- * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support - * the writing of the header as detailed in the W3C Technical Report: - *

- *
    - *
  • Referrer-Policy
  • - *
- * - *

- * Default value is: - *

- * - *
-	 * Referrer-Policy: no-referrer
-	 * 
- * @return the {@link ReferrerPolicyConfig} for additional configuration - * @since 4.2 - * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or - * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see ReferrerPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public ReferrerPolicyConfig referrerPolicy() { - this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter(); - return this.referrerPolicy; - } - - /** - *

- * Allows configuration for Referrer - * Policy. - *

- * - *

- * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support - * the writing of the header as detailed in the W3C Technical Report: - *

- *
    - *
  • Referrer-Policy
  • - *
- * @return the {@link ReferrerPolicyConfig} for additional configuration - * @throws IllegalArgumentException if policy is null or empty - * @since 4.2 - * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or - * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see ReferrerPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public ReferrerPolicyConfig referrerPolicy(ReferrerPolicy policy) { - this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter(policy); - return this.referrerPolicy; - } - /** *

* Allows configuration for Referrer @@ -570,35 +368,6 @@ public class HeadersConfigurer> return this.featurePolicy; } - /** - *

- * Allows configuration for - * Permissions - * Policy. - *

- * - *

- * Configuration is provided to the {@link PermissionsPolicyHeaderWriter} which - * support the writing of the header as detailed in the W3C Technical Report: - *

- *
    - *
  • Permissions-Policy
  • - *
- * @return the {@link PermissionsPolicyConfig} for additional configuration - * @since 5.5 - * @deprecated For removal in 7.0. Use {@link #permissionsPolicyHeader(Customizer)} or - * {@code permissionsPolicy(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - * @see PermissionsPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public PermissionsPolicyConfig permissionsPolicy() { - this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter(); - return this.permissionsPolicy; - } - /** * Allows configuration for * Permissions @@ -645,26 +414,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows configuration for - * Cross-Origin-Opener-Policy header. - *

- * Configuration is provided to the {@link CrossOriginOpenerPolicyHeaderWriter} which - * responsible for writing the header. - *

- * @return the {@link CrossOriginOpenerPolicyConfig} for additional confniguration - * @since 5.7 - * @deprecated For removal in 7.0. Use {@link #crossOriginOpenerPolicy(Customizer)} - * instead - * @see CrossOriginOpenerPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy() { - this.crossOriginOpenerPolicy.writer = new CrossOriginOpenerPolicyHeaderWriter(); - return this.crossOriginOpenerPolicy; - } - /** * Allows configuration for @@ -689,26 +438,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows configuration for - * Cross-Origin-Embedder-Policy header. - *

- * Configuration is provided to the {@link CrossOriginEmbedderPolicyHeaderWriter} - * which is responsible for writing the header. - *

- * @return the {@link CrossOriginEmbedderPolicyConfig} for additional customizations - * @since 5.7 - * @deprecated For removal in 7.0. Use {@link #crossOriginEmbedderPolicy(Customizer)} - * instead - * @see CrossOriginEmbedderPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy() { - this.crossOriginEmbedderPolicy.writer = new CrossOriginEmbedderPolicyHeaderWriter(); - return this.crossOriginEmbedderPolicy; - } - /** * Allows configuration for @@ -733,26 +462,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows configuration for - * Cross-Origin-Resource-Policy header. - *

- * Configuration is provided to the {@link CrossOriginResourcePolicyHeaderWriter} - * which is responsible for writing the header: - *

- * @return the {@link HeadersConfigurer} for additional customizations - * @since 5.7 - * @deprecated For removal in 7.0. Use {@link #crossOriginResourcePolicy(Customizer)} - * instead - * @see CrossOriginResourcePolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public CrossOriginResourcePolicyConfig crossOriginResourcePolicy() { - this.crossOriginResourcePolicy.writer = new CrossOriginResourcePolicyHeaderWriter(); - return this.crossOriginResourcePolicy; - } - /** * Allows configuration for @@ -791,17 +500,6 @@ public class HeadersConfigurer> */ public HeadersConfigurer disable() { this.writer = null; - return and(); - } - - /** - * Allows customizing the {@link HeadersConfigurer} - * @return the {@link HeadersConfigurer} for additional customization - * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { return HeadersConfigurer.this; } @@ -866,21 +564,6 @@ public class HeadersConfigurer> */ public HeadersConfigurer disable() { this.writer = null; - return and(); - } - - /** - * Allows completing configuration of X-XSS-Protection and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or - * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { return HeadersConfigurer.this; } 
@@ -914,21 +597,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows completing configuration of Cache Control and continuing configuration - * of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} or - * {@code cacheControl(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - /** * Ensures the Cache Control headers are enabled if they are not already. * @return the {@link CacheControlConfig} for additional customization @@ -1026,18 +694,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows completing configuration of Strict Transport Security and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #httpStrictTransportSecurity(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - /** * Ensures that Strict-Transport-Security is enabled if it is not already * @return the {@link HstsConfig} for additional customization @@ -1065,7 +721,7 @@ public class HeadersConfigurer> */ public HeadersConfigurer deny() { this.writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY); - return and(); + return HeadersConfigurer.this; } /** @@ -1079,7 +735,7 @@ public class HeadersConfigurer> */ public HeadersConfigurer sameOrigin() { this.writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN); - return and(); + return HeadersConfigurer.this; } /** 
@@ -1088,20 +744,6 @@ public class HeadersConfigurer> */ public HeadersConfigurer disable() { this.writer = null; - return and(); - } - - /** - * Allows continuing customizing the headers configuration. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or - * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { return HeadersConfigurer.this; } @@ -1319,18 +961,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Content Security Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class ReferrerPolicyConfig { @@ -1351,18 +981,6 @@ public class HeadersConfigurer> return this; } - /** - * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or - * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class FeaturePolicyConfig { 
@@ -1401,18 +1019,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Permissions Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class CrossOriginOpenerPolicyConfig { @@ -1434,18 +1040,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Cross Origin Opener Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #crossOriginOpenerPolicy(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class CrossOriginEmbedderPolicyConfig { @@ -1468,18 +1062,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Cross-Origin-Embedder-Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #crossOriginEmbedderPolicy(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class CrossOriginResourcePolicyConfig { 
@@ -1502,18 +1084,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Cross-Origin-Resource-Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #crossOriginResourcePolicy(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java index 0ac0480e03..82c760a79d 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java @@ -66,8 +66,6 @@ import org.springframework.security.web.session.SimpleRedirectSessionInformation import org.springframework.util.Assert; import org.springframework.util.CollectionUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Allows configuring session management. * @@ -777,17 +775,6 @@ public final class SessionManagementConfigurer> return this; } - /** - * Used to chain back to the {@link SessionManagementConfigurer} - * @return the {@link SessionManagementConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #sessionConcurrency(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public SessionManagementConfigurer and() { - return SessionManagementConfigurer.this; - } - } } 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java index 5345ed5dd2..9386fee77e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java @@ -248,7 +248,7 @@ public final class UrlAuthorizationConfigurer> } public H and() { - return UrlAuthorizationConfigurer.this.and(); + return UrlAuthorizationConfigurer.this.getBuilder(); } } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java index 2aae05bbb9..9ed4da02fe 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java @@ -141,18 +141,6 @@ public final class OAuth2ClientConfigurer> return this; } - /** - * Returns the {@link AuthorizationCodeGrantConfigurer} for configuring the OAuth 2.0 - * Authorization Code Grant. - * @return the {@link AuthorizationCodeGrantConfigurer} - * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizationCodeGrantConfigurer authorizationCodeGrant() { - return this.authorizationCodeGrantConfigurer; - } - /** * Configures the OAuth 2.0 Authorization Code Grant. * @param authorizationCodeGrantCustomizer the {@link Customizer} to provide more 
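Review bot: The `and()` that survives in UrlAuthorizationConfigurer (hunk `@@ -248,7 +248,7 @@`) has no Javadoc and no deprecation marker, while the other `and()` methods in this part of the diff are deleted as 7.0 removals, so a reader cannot tell whether it is meant to stay. If it is intentional, a one-line Javadoc mirroring the removed adapter method would make that explicit, for example `/** Returns the {@link SecurityBuilder} for further customizations. */`. If it is only a leftover, it should carry the same `@Deprecated(since = ..., forRemoval = true)` treatment the deleted methods had. Swapping `UrlAuthorizationConfigurer.this.and()` for `getBuilder()` looks behaviour-preserving, since the removed adapter `and()` only returned `getBuilder()`. The enclosing nested class starts outside the hunk, so its own documentation could not be checked.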
@@ -242,17 +230,6 @@ public final class OAuth2ClientConfigurer> return this; } - /** - * Returns the {@link OAuth2ClientConfigurer} for further configuration. - * @return the {@link OAuth2ClientConfigurer} - * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ClientConfigurer and() { - return OAuth2ClientConfigurer.this; - } - private void init(B builder) { OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider = new OAuth2AuthorizationCodeAuthenticationProvider( getAccessTokenResponseClient()); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java index d270f55731..c27cb4f2a7 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java @@ -104,8 +104,6 @@ import org.springframework.util.Assert; import org.springframework.util.ClassUtils; import org.springframework.util.ReflectionUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * An {@link AbstractHttpConfigurer} for OAuth 2.0 Login, which leverages the OAuth 2.0 * Authorization Code Grant Flow. 
@@ -248,18 +246,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link AuthorizationEndpointConfig} for configuring the Authorization - * Server's Authorization Endpoint. - * @return the {@link AuthorizationEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizationEndpointConfig authorizationEndpoint() { - return this.authorizationEndpointConfig; - } - /** * Configures the Authorization Server's Authorization Endpoint. * @param authorizationEndpointCustomizer the {@link Customizer} to provide more @@ -272,21 +258,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link TokenEndpointConfig} for configuring the Authorization Server's - * Token Endpoint. - * @return the {@link TokenEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} or - * {@code tokenEndpoint(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public TokenEndpointConfig tokenEndpoint() { - return this.tokenEndpointConfig; - } - /** * Configures the Authorization Server's Token Endpoint. * @param tokenEndpointCustomizer the {@link Customizer} to provide more options for 
@@ -299,18 +270,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link RedirectionEndpointConfig} for configuring the Client's - * Redirection Endpoint. - * @return the {@link RedirectionEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public RedirectionEndpointConfig redirectionEndpoint() { - return this.redirectionEndpointConfig; - } - /** * Configures the Client's Redirection Endpoint. * @param redirectionEndpointCustomizer the {@link Customizer} to provide more options @@ -323,21 +282,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link UserInfoEndpointConfig} for configuring the Authorization - * Server's UserInfo Endpoint. - * @return the {@link UserInfoEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)} or - * {@code userInfoEndpoint(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public UserInfoEndpointConfig userInfoEndpoint() { - return this.userInfoEndpointConfig; - } - /** * Configures the Authorization Server's UserInfo Endpoint. * @param userInfoEndpointCustomizer the {@link Customizer} to provide more options @@ -726,17 +670,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } /** 
@@ -763,20 +696,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} or - * {@code tokenEndpoint(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } /** @@ -801,17 +720,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } /** @@ -866,17 +774,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } private static class OidcAuthenticationRequestChecker implements AuthenticationProvider { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java index 1095350dc5..36361600d5 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java 
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java @@ -111,11 +111,6 @@ public final class OidcLogoutConfigurer> return this; } - @Deprecated(forRemoval = true, since = "6.2") - public B and() { - return getBuilder(); - } - @Override public void configure(B builder) throws Exception { if (this.backChannel != null) { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java index 5bb6fdcbc4..209ba03007 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java @@ -214,20 +214,6 @@ public final class OAuth2ResourceServerConfigurerdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public JwtConfigurer jwt() { - if (this.jwtConfigurer == null) { - this.jwtConfigurer = new JwtConfigurer(this.context); - } - return this.jwtConfigurer; - } - /** * Enables Jwt-encoded bearer token support. * @param jwtCustomizer the {@link Customizer} to provide more options for the @@ -242,21 +228,6 @@ public final class OAuth2ResourceServerConfigurerdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public OpaqueTokenConfigurer opaqueToken() { - if (this.opaqueTokenConfigurer == null) { - this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context); - } - return this.opaqueTokenConfigurer; - } - /** * Enables opaque bearer token support. * @param opaqueTokenCustomizer the {@link Customizer} to provide more options for the 
@@ -441,17 +412,6 @@ public final class OAuth2ResourceServerConfigurerdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ResourceServerConfigurer and() { - return OAuth2ResourceServerConfigurer.this; - } - Converter getJwtAuthenticationConverter() { if (this.jwtAuthenticationConverter == null) { if (this.context.getBeanNamesForType(JwtAuthenticationConverter.class).length > 0) { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java index 22358ea3a2..7ae92aafca 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java @@ -71,8 +71,6 @@ import org.springframework.security.web.util.matcher.AndRequestMatcher; import org.springframework.security.web.util.matcher.ParameterRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Adds SAML 2.0 logout support. * 
@@ -179,20 +177,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * Get configurer for SAML 2.0 Logout Request components - * @return the {@link LogoutRequestConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #logoutRequest(Customizer)} or - * {@code logoutRequest(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public LogoutRequestConfigurer logoutRequest() { - return this.logoutRequestConfigurer; - } - /** * Configures SAML 2.0 Logout Request components * @param logoutRequestConfigurerCustomizer the {@link Customizer} to provide more @@ -205,20 +189,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * Get configurer for SAML 2.0 Logout Response components - * @return the {@link LogoutResponseConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #logoutResponse(Customizer)} or - * {@code logoutResponse(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public LogoutResponseConfigurer logoutResponse() { - return this.logoutResponseConfigurer; - } - /** * Configures SAML 2.0 Logout Response components * @param logoutResponseConfigurerCustomizer the {@link Customizer} to provide more @@ -408,18 +378,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * @deprecated For removal in 7.0. Use {@link #logoutRequest(Customizer)} or - * {@code logoutRequest(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LogoutConfigurer and() { - return Saml2LogoutConfigurer.this; - } - private Saml2LogoutRequestValidator logoutRequestValidator() { if (this.logoutRequestValidator != null) { return this.logoutRequestValidator; 
@@ -490,18 +448,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * @deprecated For removal in 7.0. Use {@link #logoutResponse(Customizer)} or - * {@code logoutResponse(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LogoutConfigurer and() { - return Saml2LogoutConfigurer.this; - } - private Saml2LogoutResponseValidator logoutResponseValidator() { if (this.logoutResponseValidator != null) { return this.logoutResponseValidator;