From 1a7b1fcc7c97e5ade390b158808f33642b321d0d Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 19 Jun 2025 16:28:51 -0600
Subject: [PATCH] Remove HttpSecurity and() DSL Methods This commit removes all and() methods that have been deprecated in the HttpSecurity DSL with the exception of featurePolicy, which will be removed when that feature is removed. Note that since featurePolicy does not have a lambda equivalent, the and support needs to remain for the moment. Issue gh-13067
---
 .../annotation/SecurityConfigurerAdapter.java | 11 -
 .../LdapAuthenticationProviderConfigurer.java | 4 +
 .../InMemoryUserDetailsManagerConfigurer.java | 4 +
 .../annotation/web/builders/HttpSecurity.java | 1551 -----------------
 .../AuthorizeHttpRequestsConfigurer.java | 11 -
 .../ChannelSecurityConfigurer.java | 17 -
 .../web/configurers/CsrfConfigurer.java | 12 +-
 .../ExpressionUrlAuthorizationConfigurer.java | 4 +-
 .../web/configurers/HeadersConfigurer.java | 434 +----
 .../SessionManagementConfigurer.java | 13 -
 .../UrlAuthorizationConfigurer.java | 2 +-
 .../oauth2/client/OAuth2ClientConfigurer.java | 23 -
 .../oauth2/client/OAuth2LoginConfigurer.java | 103 --
 .../oauth2/client/OidcLogoutConfigurer.java | 5 -
 .../OAuth2ResourceServerConfigurer.java | 40 -
 .../saml2/Saml2LogoutConfigurer.java | 54 -
 16 files changed, 16 insertions(+), 2272 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java b/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
index 8136bf7070..6db7ca8b73 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
@@ -50,17 +50,6 @@ public abstract class SecurityConfigurerAdapter> public void configure(B builder) throws Exception { } - /** - * Return the {@link SecurityBuilder} when done using the {@link SecurityConfigurer}. - * This is useful for method chaining. - * @return the {@link SecurityBuilder} for further customizations - * @deprecated For removal in 7.0. Use the lambda based configuration instead. - */ - @Deprecated(since = "6.1", forRemoval = true) - public B and() { - return getBuilder(); - } - /** * Gets the {@link SecurityBuilder}. Cannot be null. * @return the {@link SecurityBuilder} diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java index 0f47afa594..1a44dbcebe 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java @@ -386,6 +386,10 @@ public class LdapAuthenticationProviderConfigurer())); } + public B and() { + return getBuilder(); + } + } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index e441b92504..4a4c3cc42e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java 
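Review bot: The `and()` added in the `@@ -386,6 +386,10 @@` hunk has no Javadoc, whereas the `SecurityConfigurerAdapter#and()` that this commit deletes documented both its purpose and its removal status. Without a comment, a reader of the configurer cannot tell whether this copy is permanent API or a stopgap like the featurePolicy case named in the commit message. A short Javadoc would settle it, for example `/** Returns the builder for further chaining; retained on this configurer after the base-class and() was removed. */`, with the wording adjusted to the actual intent. The diffstat lists the same four added lines for `InMemoryUserDetailsManagerConfigurer`, so the same applies there. The hunk text on this page has lost its generic parameters and part of its context, so the enclosing class should be confirmed against the original patch.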
@@ -103,8 +103,6 @@ import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.filter.CorsFilter; import org.springframework.web.servlet.handler.HandlerMappingIntrospector; -import static org.springframework.security.config.Customizer.withDefaults; - /** * A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the * namespace configuration. It allows configuring web based security for specific http @@ -218,114 +216,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @Configuration - * @EnableWebSecurity - * public class CsrfSecurityConfig { - * - * @Bean - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - * http - * .headers() - * .contentTypeOptions() - * .and() - * .xssProtection() - * .and() - * .cacheControl() - * .and() - * .httpStrictTransportSecurity() - * .and() - * .frameOptions() - * .and() - * ...; - * return http.build(); - * } - * } - * - * - * You can disable the headers using the following: - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.headers().disable()
-	 * 			...;
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * - * You can enable only a few of the headers by first invoking - * {@link HeadersConfigurer#defaultsDisabled()} and then invoking the appropriate - * methods on the {@link #headers(withDefaults())} result. For example, the following - * will enable {@link HeadersConfigurer#cacheControl()} and - * {@link HeadersConfigurer#frameOptions()} only. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.headers()
-	 * 				.defaultsDisabled()
-	 * 				.cacheControl()
-	 * 				.and()
-	 * 				.frameOptions()
-	 * 				.and()
-	 * 			...;
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * - * You can also choose to keep the defaults but explicitly disable a subset of - * headers. For example, the following will enable all the default headers except - * {@link HeadersConfigurer#frameOptions()}. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class CsrfSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.headers()
-	 * 				 .frameOptions()
-	 * 				 	.disable()
-	 * 				 .and()
-	 * 			...;
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link HeadersConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} or - * {@code headers(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - * @see HeadersConfigurer - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer headers() throws Exception { - return getOrApply(new HeadersConfigurer<>()); - } - /** * Adds the Security headers to the response. This is activated by default when using * {@link EnableWebSecurity}. @@ -428,23 +318,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public CorsConfigurer cors() throws Exception { - return getOrApply(new CorsConfigurer<>()); - } - /** * Adds a {@link CorsFilter} to be used. If a bean by the name of corsFilter is * provided, that {@link CorsFilter} is used. Else if corsConfigurationSource is @@ -475,69 +348,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The following configuration demonstrates how to enforce that only a single instance - * of a user is authenticated at a time. If a user authenticates with the username - * "user" without logging out and an attempt to authenticate with "user" is made the - * first session will be forcibly terminated and sent to the "/login?expired" URL. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class SessionManagementSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().anyRequest().hasRole("USER").and().formLogin()
-	 * 				.permitAll().and().sessionManagement().maximumSessions(1)
-	 * 				.expiredUrl("/login?expired");
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * When using {@link SessionManagementConfigurer#maximumSessions(int)}, do not forget - * to configure {@link HttpSessionEventPublisher} for the application to ensure that - * expired sessions are cleaned up. - * - * In a web.xml this can be configured using the following: - * - *
-	 * <listener>
-	 *      <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
-	 * </listener>
-	 * 
- * - * Alternatively, - * {@link AbstractSecurityWebApplicationInitializer#enableHttpSessionEventPublisher()} - * could return true. - * @return the {@link SessionManagementConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #sessionManagement(Customizer)} or - * {@code sessionManagement(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public SessionManagementConfigurer sessionManagement() throws Exception { - return getOrApply(new SessionManagementConfigurer<>()); - } - /** * Allows configuring of Session Management. * @@ -636,61 +446,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @return the {@link PortMapperConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #portMapper(Customizer)} or - * {@code portMapper(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see #requiresChannel(withDefaults()) - */ - @Deprecated(since = "6.1", forRemoval = true) - public PortMapperConfigurer portMapper() throws Exception { - return getOrApply(new PortMapperConfigurer<>()); - } - - /** - * Allows configuring a {@link PortMapper} that is available from - * {@link HttpSecurity#getSharedObject(Class)}. Other provided - * {@link SecurityConfigurer} objects use this configured {@link PortMapper} as a - * default {@link PortMapper} when redirecting from HTTP to HTTPS or from HTTPS to - * HTTP (for example when used in combination with - * {@link #requiresChannel(withDefaults())}. By default Spring Security uses a - * {@link PortMapperImpl} which maps the HTTP port 8080 to the HTTPS port 8443 and the - * HTTP port of 80 to the HTTPS port of 443. - * - *

Example Configuration

- * - * The following configuration will ensure that redirects within Spring Security from - * HTTP of a port of 9090 will redirect to HTTPS port of 9443 and the HTTP port of 80 - * to the HTTPS port of 443. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class PortMapperSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.requiresChannel((requiresChannel) ->
 	 * 				requiresChannel
@@ -727,83 +482,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration
-	 *
-	 * The following configuration will use the principal found on the
-	 * {@link HttpServletRequest} and if the user is in the role "ROLE_USER" or
-	 * "ROLE_ADMIN" will add that to the resulting {@link Authentication}.
-	 *
-	 * 
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class JeeSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
-	 * 		// Example jee() configuration
-	 * 				.jee().mappableRoles("USER", "ADMIN");
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * - * Developers wishing to use pre authentication with the container will need to ensure - * their web.xml configures the security constraints. For example, the web.xml (there - * is no equivalent Java based configuration supported by the Servlet specification) - * might look like: - * - *
-	 * <login-config>
-	 *     <auth-method>FORM</auth-method>
-	 *     <form-login-config>
-	 *         <form-login-page>/login</form-login-page>
-	 *         <form-error-page>/login?error</form-error-page>
-	 *     </form-login-config>
-	 * </login-config>
-	 *
-	 * <security-role>
-	 *     <role-name>ROLE_USER</role-name>
-	 * </security-role>
-	 * <security-constraint>
-	 *     <web-resource-collection>
-	 *     <web-resource-name>Public</web-resource-name>
-	 *         <description>Matches unconstrained pages</description>
-	 *         <url-pattern>/login</url-pattern>
-	 *         <url-pattern>/logout</url-pattern>
-	 *         <url-pattern>/resources/*</url-pattern>
-	 *     </web-resource-collection>
-	 * </security-constraint>
-	 * <security-constraint>
-	 *     <web-resource-collection>
-	 *         <web-resource-name>Secured Areas</web-resource-name>
-	 *         <url-pattern>/*</url-pattern>
-	 *     </web-resource-collection>
-	 *     <auth-constraint>
-	 *         <role-name>ROLE_USER</role-name>
-	 *     </auth-constraint>
-	 * </security-constraint>
-	 * 
- * - * Last you will need to configure your container to contain the user with the correct - * roles. This configuration is specific to the Servlet Container, so consult your - * Servlet Container's documentation. - * @return the {@link JeeConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #jee(Customizer)} or - * {@code jee(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public JeeConfigurer jee() throws Exception { - return getOrApply(new JeeConfigurer<>()); - } - /** * Configures container based pre authentication. In this case, authentication is * managed by the Servlet Container. @@ -885,41 +563,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The following configuration will attempt to extract the username from the X509 - * certificate. Remember that the Servlet Container will need to be configured to - * request client certificates in order for this to work. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class X509SecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and()
-	 * 		// Example x509() configuration
-	 * 				.x509();
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link X509Configurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} or - * {@code x509(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public X509Configurer x509() throws Exception { - return getOrApply(new X509Configurer<>()); - } - /** * Configures X509 based pre authentication. * @@ -956,54 +599,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The following configuration demonstrates how to allow token based remember me - * authentication. Upon authenticating if the HTTP parameter named "remember-me" - * exists, then the user will be remembered even after their - * {@link jakarta.servlet.http.HttpSession} expires. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RememberMeSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
-	 * 				.permitAll().and()
-	 * 				// Example Remember Me Configuration
-	 * 				.rememberMe();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link RememberMeConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #rememberMe(Customizer)} or - * {@code rememberMe(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public RememberMeConfigurer rememberMe() throws Exception { - return getOrApply(new RememberMeConfigurer<>()); - } - /** * Allows configuring of Remember Me authentication. * @@ -1053,106 +648,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations - * - * The most basic example is to configure all URLs to require the role "ROLE_USER". - * The configuration below requires authentication to every URL and will grant access - * to both the user "admin" and "user". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * We can also configure multiple URLs. The configuration below requires - * authentication to every URL and will grant access to URLs starting with /admin/ to - * only the "admin" user. All other URLs either user can access. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/admin/**").hasRole("ADMIN")
-	 * 				.requestMatchers("/**").hasRole("USER").and().formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * Note that the matchers are considered in order. Therefore, the following is invalid - * because the first matcher matches every request and will never get to the second - * mapping: - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").requestMatchers("/admin/**")
-	 * 			.hasRole("ADMIN")
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests() - throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new ExpressionUrlAuthorizationConfigurer<>(context)).getRegistry(); - } - /** * Allows restricting access based upon the {@link HttpServletRequest} using * {@link RequestMatcher} implementations (i.e. via URL patterns). @@ -1272,119 +767,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations - * - * The most basic example is to configure all URLs to require the role "ROLE_USER". - * The configuration below requires authentication to every URL and will grant access - * to both the user "admin" and "user". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeHttpRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * We can also configure multiple URLs. The configuration below requires - * authentication to every URL and will grant access to URLs starting with /admin/ to - * only the "admin" user. All other URLs either user can access. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeHttpRequests()
-	 * 				.requestMatchers("/admin").hasRole("ADMIN")
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		UserDetails admin = User.withDefaultPasswordEncoder()
-	 * 			.username("admin")
-	 * 			.password("password")
-	 * 			.roles("ADMIN", "USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user, admin);
-	 * 	}
-	 * }
-	 * 
- * - * Note that the matchers are considered in order. Therefore, the following is invalid - * because the first matcher matches every request and will never get to the second - * mapping: - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AuthorizeUrlsSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeHttpRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.requestMatchers("/admin/**").hasRole("ADMIN")
-	 * 				.and()
-	 * 			.formLogin();
-	 * 		return http.build();
-	 * 	}
-	 * }
-	 * 
- * @return the {@link HttpSecurity} for further customizations - * @throws Exception - * @since 5.6 - * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests() - throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new AuthorizeHttpRequestsConfigurer<>(context)).getRegistry(); - } - /** * Allows restricting access based upon the {@link HttpServletRequest} using * {@link RequestMatcher} implementations (i.e. via URL patterns). @@ -1502,25 +884,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public RequestCacheConfigurer requestCache() throws Exception { - return getOrApply(new RequestCacheConfigurer<>()); - } - /** * Allows configuring the Request Cache. For example, a protected page (/protected) * may be requested prior to authentication. The application will redirect the user to @@ -1562,22 +925,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ExceptionHandlingConfigurer exceptionHandling() throws Exception { - return getOrApply(new ExceptionHandlingConfigurer<>()); - } - /** * Allows configuring exception handling. This is automatically applied when using * {@link EnableWebSecurity}. 
@@ -1619,23 +966,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public SecurityContextConfigurer securityContext() throws Exception { - return getOrApply(new SecurityContextConfigurer<>()); - } - /** * Sets up management of the {@link SecurityContext} on the * {@link SecurityContextHolder} between {@link HttpServletRequest}'s. This is @@ -1670,23 +1000,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ServletApiConfigurer servletApi() throws Exception { - return getOrApply(new ServletApiConfigurer<>()); - } - /** * Integrates the {@link HttpServletRequest} methods with the values found on the * {@link SecurityContext}. This is automatically applied when using @@ -1718,37 +1031,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @Configuration - * @EnableWebSecurity - * public class CsrfSecurityConfig { - * - * @Bean - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - * http - * .csrf().disable() - * ...; - * return http.build(); - * } - * } - *
- * @return the {@link CsrfConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} or - * {@code csrf(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public CsrfConfigurer csrf() throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new CsrfConfigurer<>(context)); - } - /** * Enables CSRF protection. This is activated by default when using * {@link EnableWebSecurity}. You can disable it using: @@ -1797,57 +1079,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @return the {@link LogoutConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} or - * {@code logout(Customizer.withDefaults())} to stick with defaults. See the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public LogoutConfigurer logout() throws Exception { - return getOrApply(new LogoutConfigurer<>()); - } - - /** - * Provides logout support. This is automatically applied when using - * {@link EnableWebSecurity}. The default is that accessing the URL "/logout" will log - * the user out by invalidating the HTTP Session, cleaning up any - * {@link #rememberMe(withDefaults())} authentication that was configured, clearing - * the {@link SecurityContextHolder}, and then redirect to "/login?success". - * - *

Example Custom Configuration

- * - * The following customization to log out when the URL "/custom-logout" is invoked. - * Log out will remove the cookie named "remove", not invalidate the HttpSession, - * clear the SecurityContextHolder, and upon completion redirect to "/logout-success". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class LogoutSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	 * 		http
 	 * 			.authorizeRequests((authorizeRequests) ->
 	 * 				authorizeRequests
@@ -1885,94 +1116,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration
-	 *
-	 * The following configuration demonstrates how to specify that anonymous users should
-	 * contain the role "ROLE_ANON" instead.
-	 *
-	 * 
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AnonymousSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin()
-	 * 				.and()
-	 * 			// sample anonymous customization
-	 * 			.anonymous().authorities("ROLE_ANON");
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The following demonstrates how to represent anonymous users as null. Note that this - * can cause {@link NullPointerException} in code that assumes anonymous - * authentication is enabled. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class AnonymousSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.requestMatchers("/**").hasRole("USER")
-	 * 				.and()
-	 * 			.formLogin()
-	 * 				.and()
-	 * 			// sample anonymous customization
-	 * 			.anonymous().disable();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link AnonymousConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} or - * {@code anonymous(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public AnonymousConfigurer anonymous() throws Exception { - return getOrApply(new AnonymousConfigurer<>()); - } - /** * Allows configuring how an anonymous user is represented. This is automatically * applied when used in conjunction with {@link EnableWebSecurity}. By default @@ -2063,86 +1206,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configurations - * - * The most basic configuration defaults to automatically generating a login page at - * the URL "/login", redirecting to "/login?error" for authentication failure. The - * details of the login page can be found on - * {@link FormLoginConfigurer#loginPage(String)} - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class FormLoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The configuration below demonstrates customizing the defaults. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class FormLoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
-	 * 				.usernameParameter("username") // default is username
-	 * 				.passwordParameter("password") // default is password
-	 * 				.loginPage("/authentication/login") // default is /login with an HTTP get
-	 * 				.failureUrl("/authentication/login?failed") // default is /login?error
-	 * 				.loginProcessingUrl("/authentication/login/process"); // default is /login
-	 * 																		// with an HTTP
-	 * 																		// post
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link FormLoginConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} or - * {@code formLogin(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see FormLoginConfigurer#loginPage(String) - */ - @Deprecated(since = "6.1", forRemoval = true) - public FormLoginConfigurer formLogin() throws Exception { - return getOrApply(new FormLoginConfigurer<>()); - } - /** * Specifies to support form based authentication. If * {@link FormLoginConfigurer#loginPage(String)} is not specified a default login page @@ -2230,100 +1293,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - *
- * - * The "authentication flow" is implemented using the Web Browser SSO - * Profile, using POST and REDIRECT bindings, as documented in the - * SAML V2.0 - * Core,Profiles and Bindings specifications.
- *
- * - * As a prerequisite to using this feature, is that you have a SAML v2.0 Identity - * Provider to provide an assertion. The representation of the Service Provider, the - * relying party, and the remote Identity Provider, the asserting party is contained - * within {@link RelyingPartyRegistration}.
- *
- * - * {@link RelyingPartyRegistration}(s) are composed within a - * {@link RelyingPartyRegistrationRepository}, which is required and must be - * registered with the {@link ApplicationContext} or configured via - * saml2Login().relyingPartyRegistrationRepository(..).
- *
- * - * The default configuration provides an auto-generated login page at - * "/login" and redirects to - * "/login?error" when an authentication error occurs. The - * login page will display each of the identity providers with a link that is capable - * of initiating the "authentication flow".
- *
- * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using SimpleSamlPhp - * as the Authentication Provider. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class Saml2LoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.anyRequest().authenticated()
-	 * 				.and()
-	 * 			.saml2Login();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 *	@Bean
-	 *	public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-	 *		return new InMemoryRelyingPartyRegistrationRepository(this.getSaml2RelyingPartyRegistration());
-	 *	}
-	 *
-	 * 	private RelyingPartyRegistration getSaml2RelyingPartyRegistration() {
-	 * 		//remote IDP entity ID
-	 * 		String idpEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
-	 * 		//remote WebSSO Endpoint - Where to Send AuthNRequests to
-	 * 		String webSsoEndpoint = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
-	 * 		//local registration ID
-	 * 		String registrationId = "simplesamlphp";
-	 * 		//local entity ID - autogenerated based on URL
-	 * 		String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
-	 * 		//local signing (and decryption key)
-	 * 		Saml2X509Credential signingCredential = getSigningCredential();
-	 * 		//IDP certificate for verification of incoming messages
-	 * 		Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
-	 * 		return RelyingPartyRegistration.withRegistrationId(registrationId)
-	 * 				.remoteIdpEntityId(idpEntityId)
-	 * 				.idpWebSsoUrl(webSsoEndpoint)
-	 * 				.credential(signingCredential)
-	 * 				.credential(idpVerificationCertificate)
-	 * 				.localEntityIdTemplate(localEntityIdTemplate)
-	 * 				.build();
-	 * 	}
-	 * }
-	 * 
- * - *

- * @return the {@link Saml2LoginConfigurer} for further customizations - * @throws Exception - * @since 5.2 - * @deprecated For removal in 7.0. Use {@link #saml2Login(Customizer)} or - * {@code saml2Login(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LoginConfigurer saml2Login() throws Exception { - return getOrApply(new Saml2LoginConfigurer<>()); - } - /** * Configures authentication support using an SAML 2.0 Service Provider.
*
@@ -2486,80 +1455,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - *
- * - * Implements the Single Logout Profile, using POST and REDIRECT bindings, as - * documented in the - * SAML V2.0 - * Core, Profiles and Bindings specifications.
- *
- * - * As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting - * Party to sent a logout request to. The representation of the relying party and the - * asserting party is contained within {@link RelyingPartyRegistration}.
- *
- * - * {@link RelyingPartyRegistration}(s) are composed within a - * {@link RelyingPartyRegistrationRepository}, which is required and must be - * registered with the {@link ApplicationContext} or configured via - * {@link #saml2Login(withDefaults())}.
- *
- * - * The default configuration provides an auto-generated logout endpoint at - * "/logout" and redirects to /login?logout when - * logout completes.
- *
- * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using a - * hypothetical asserting party. - * - *
-	 *	@EnableWebSecurity
-	 *	@Configuration
-	 *	public class Saml2LogoutSecurityConfig {
-	 *		@Bean
-	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
-	 *			http
-	 *				.authorizeRequests()
-	 *					.anyRequest().authenticated()
-	 *					.and()
-	 *				.saml2Login()
-	 *					.and()
-	 *				.saml2Logout();
-	 *			return http.build();
-	 *		}
-	 *
-	 *		@Bean
-	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
-	 *					.withMetadataLocation("https://ap.example.org/metadata")
-	 *					.registrationId("simple")
-	 *					.build();
-	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
-	 *		}
-	 *	}
-	 * 
- * - *

- * @return the {@link Saml2LoginConfigurer} for further customizations - * @throws Exception - * @since 5.6 - * @deprecated For removal in 7.0. Use {@link #saml2Logout(Customizer)} or - * {@code saml2Logout(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LogoutConfigurer saml2Logout() throws Exception { - return getOrApply(new Saml2LogoutConfigurer<>(getContext())); - } - /** * Configures a SAML 2.0 metadata endpoint that presents relying party configurations * in an {@code } payload. @@ -2610,163 +1505,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder} payload. - * - *

- * By default, the endpoints are {@code /saml2/metadata} and - * {@code /saml2/metadata/{registrationId}} though note that also - * {@code /saml2/service-provider-metadata/{registrationId}} is recognized for - * backward compatibility purposes. - * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using a - * hypothetical asserting party. - * - *
-	 *	@EnableWebSecurity
-	 *	@Configuration
-	 *	public class Saml2LogoutSecurityConfig {
-	 *		@Bean
-	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
-	 *			http
-	 *				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-	 *				.saml2Metadata(Customizer.withDefaults());
-	 *			return http.build();
-	 *		}
-	 *
-	 *		@Bean
-	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
-	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
-	 *					.withMetadataLocation("https://ap.example.org/metadata")
-	 *					.registrationId("simple")
-	 *					.build();
-	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
-	 *		}
-	 *	}
-	 * 
- * @return the {@link Saml2MetadataConfigurer} for further customizations - * @throws Exception - * @since 6.1 - * @deprecated For removal in 7.0. Use {@link #saml2Metadata(Customizer)} or - * {@code saml2Metadata(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2MetadataConfigurer saml2Metadata() throws Exception { - return getOrApply(new Saml2MetadataConfigurer<>(getContext())); - } - - /** - * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 - * Provider.
- *
- * - * The "authentication flow" is implemented using the Authorization Code - * Grant, as specified in the - * OAuth 2.0 - * Authorization Framework and OpenID Connect - * Core 1.0 specification.
- *
- * - * As a prerequisite to using this feature, you must register a client with a - * provider. The client registration information may than be used for configuring a - * {@link org.springframework.security.oauth2.client.registration.ClientRegistration} - * using a - * {@link org.springframework.security.oauth2.client.registration.ClientRegistration.Builder}. - *
- *
- * - * {@link org.springframework.security.oauth2.client.registration.ClientRegistration}(s) - * are composed within a - * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository}, - * which is required and must be registered with the {@link ApplicationContext} - * or configured via oauth2Login().clientRegistrationRepository(..).
- *
- * - * The default configuration provides an auto-generated login page at - * "/login" and redirects to - * "/login?error" when an authentication error occurs. The - * login page will display each of the clients with a link that is capable of - * initiating the "authentication flow".
- *
- * - *

- *

Example Configuration

- * - * The following example shows the minimal configuration required, using Google as the - * Authentication Provider. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class OAuth2LoginSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.authorizeRequests()
-	 * 				.anyRequest().authenticated()
-	 * 				.and()
-	 * 			.oauth2Login();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 *	@Bean
-	 *	public ClientRegistrationRepository clientRegistrationRepository() {
-	 *		return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
-	 *	}
-	 *
-	 * 	private ClientRegistration googleClientRegistration() {
-	 * 		return ClientRegistration.withRegistrationId("google")
-	 * 			.clientId("google-client-id")
-	 * 			.clientSecret("google-client-secret")
-	 * 			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
-	 * 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
-	 * 			.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
-	 * 			.scope("openid", "profile", "email", "address", "phone")
-	 * 			.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
-	 * 			.tokenUri("https://www.googleapis.com/oauth2/v4/token")
-	 * 			.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
-	 * 			.userNameAttributeName(IdTokenClaimNames.SUB)
-	 * 			.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
-	 * 			.clientName("Google")
-	 * 			.build();
-	 *	}
-	 * }
-	 * 
- * - *

- * For more advanced configuration, see {@link OAuth2LoginConfigurer} for available - * options to customize the defaults. - * @return the {@link OAuth2LoginConfigurer} for further customizations - * @throws Exception - * @since 5.0 - * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} or - * {@code oauth2Login(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see Section 4.1 Authorization Code - * Grant - * @see Section 3.1 - * Authorization Code Flow - * @see org.springframework.security.oauth2.client.registration.ClientRegistration - * @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer oauth2Login() throws Exception { - return getOrApply(new OAuth2LoginConfigurer<>()); - } - /** * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 * Provider.
@@ -2880,27 +1618,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderdocumentation - * for more details. - * @see OAuth 2.0 Authorization - * Framework - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ClientConfigurer oauth2Client() throws Exception { - OAuth2ClientConfigurer configurer = getOrApply(new OAuth2ClientConfigurer<>()); - this.postProcess(configurer); - return configurer; - } - /** * Configures OAuth 2.0 Client support. * @@ -2940,25 +1657,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderOAuth 2.0 Authorization - * Framework - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ResourceServerConfigurer oauth2ResourceServer() throws Exception { - OAuth2ResourceServerConfigurer configurer = getOrApply( - new OAuth2ResourceServerConfigurer<>(getContext())); - this.postProcess(configurer); - return configurer; - } - /** * Configures OAuth 2.0 Resource Server support. * @@ -3051,55 +1749,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The example below demonstrates how to require HTTPs for every request. Only - * requiring HTTPS for some requests is supported, but not recommended since an - * application that allows for HTTP introduces many security vulnerabilities. For one - * such example, read about - * Firesheep. - * - *

-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class ChannelSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().formLogin()
-	 * 				.and().requiresChannel().anyRequest().requiresSecure();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link ChannelSecurityConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #requiresChannel(Customizer)} or - * {@code requiresChannel(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ChannelSecurityConfigurer.ChannelRequestMatcherRegistry requiresChannel() throws Exception { - ApplicationContext context = getContext(); - return getOrApply(new ChannelSecurityConfigurer<>(context)).getRegistry(); - } - /** * Configures channel security. In order for this configuration to be useful at least * one mapping to a required channel must be provided. @@ -3205,50 +1854,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderExample Configuration - * - * The example below demonstrates how to configure HTTP Basic authentication for an - * application. The default realm is "Realm", but can be customized using - * {@link HttpBasicConfigurer#realmName(String)}. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class HttpBasicSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http.authorizeRequests().requestMatchers("/**").hasRole("USER").and().httpBasic();
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link HttpBasicConfigurer} for further customizations - * @throws Exception - * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} or - * {@code httpBasic(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HttpBasicConfigurer httpBasic() throws Exception { - return getOrApply(new HttpBasicConfigurer<>()); - } - /** * Configures HTTP Basic authentication. * @@ -3454,133 +2059,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * Invoking {@link #securityMatchers()} will not override previous invocations of - * {@link #securityMatchers()}}, {@link #securityMatchers(Customizer)} - * {@link #securityMatcher(String...)} and {@link #securityMatcher(RequestMatcher)} - *

- * - *

Example Configurations

- * - * The following configuration enables the {@link HttpSecurity} for URLs that begin - * with "/api/" or "/oauth/". - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.securityMatchers((matchers) -> matchers
-	 * 				.requestMatchers("/api/**", "/oauth/**")
-	 * 			)
-	 * 			.authorizeHttpRequests((authorize) -> authorize
-	 * 				anyRequest().hasRole("USER")
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The configuration below is the same as the previous configuration. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.securityMatchers((matchers) -> matchers
-	 * 				.requestMatchers("/api/**")
-	 * 				.requestMatchers("/oauth/**")
-	 * 			)
-	 * 			.authorizeHttpRequests((authorize) -> authorize
-	 * 				anyRequest().hasRole("USER")
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * - * The configuration below is also the same as the above configuration. - * - *
-	 * @Configuration
-	 * @EnableWebSecurity
-	 * public class RequestMatchersSecurityConfig {
-	 *
-	 * 	@Bean
-	 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	 * 		http
-	 * 			.securityMatchers((matchers) -> matchers
-	 * 				.requestMatchers("/api/**")
-	 * 			)
-	 *			.securityMatchers((matchers) -> matchers
-	 *				.requestMatchers("/oauth/**")
-	 * 			)
-	 * 			.authorizeHttpRequests((authorize) -> authorize
-	 * 				anyRequest().hasRole("USER")
-	 * 			)
-	 * 			.httpBasic(withDefaults());
-	 * 		return http.build();
-	 * 	}
-	 *
-	 * 	@Bean
-	 * 	public UserDetailsService userDetailsService() {
-	 * 		UserDetails user = User.withDefaultPasswordEncoder()
-	 * 			.username("user")
-	 * 			.password("password")
-	 * 			.roles("USER")
-	 * 			.build();
-	 * 		return new InMemoryUserDetailsManager(user);
-	 * 	}
-	 * }
-	 * 
- * @return the {@link RequestMatcherConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #securityMatchers(Customizer)} or - * {@code securityMatchers(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public RequestMatcherConfigurer securityMatchers() { - return this.requestMatcherConfigurer; - } - /** * Allows specifying which {@link HttpServletRequest} instances this * {@link HttpSecurity} will be invoked on. This method allows for easily invoking the @@ -3855,35 +2333,6 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder - * @Configuration - * @EnableWebSecurity - * public class SecurityConfig { - * - * @Bean - * public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - * http - * .securityMatchers((matchers) -> matchers - * .requestMatchers("/api/**") - * ) - * .authorizeHttpRequests((authorize) -> authorize - * .anyRequest().hasRole("USER") - * ) - * .httpBasic(Customizer.withDefaults()); - * return http.build(); - * } - * - * } - *
- */ - @Deprecated(since = "6.1", forRemoval = true) - public HttpSecurity and() { - return HttpSecurity.this; - } - } /** diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java index 725ee45802..879451012a 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java @@ -231,17 +231,6 @@ public final class AuthorizeHttpRequestsConfigurer> return this; } - /** - * Return the {@link SecurityBuilder} when done using the - * {@link SecurityConfigurer}. This is useful for method chaining. - * @return the type of {@link HttpSecurityBuilder} that is being configured - * @deprecated For removal in 7.0. Use - * {@link HttpSecurity#requiresChannel(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public H and() { - return ChannelSecurityConfigurer.this.and(); - } - } /** diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java index c16f150d48..1fe1faf6cd 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java @@ -57,8 +57,6 @@ import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.util.StringUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Adds * CSRF 
@@ -174,7 +172,8 @@ public final class CsrfConfigurer> * @since 5.1 */ public CsrfConfigurer ignoringRequestMatchers(RequestMatcher... requestMatchers) { - return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers).and(); + new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers); + return this; } /** @@ -202,7 +201,8 @@ public final class CsrfConfigurer> * @see AbstractRequestMatcherRegistry#requestMatchers(String...) */ public CsrfConfigurer ignoringRequestMatchers(String... patterns) { - return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns).and(); + new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(patterns); + return this; } /** @@ -386,10 +386,6 @@ public final class CsrfConfigurer> setApplicationContext(context); } - CsrfConfigurer and() { - return CsrfConfigurer.this; - } - @Override protected IgnoreCsrfProtectionRegistry chainRequestMatchers(List requestMatchers) { CsrfConfigurer.this.ignoredCsrfProtectionMatchers.addAll(requestMatchers); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java index f622c4936e..bddafb1d2e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java 
@@ -42,8 +42,6 @@ import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; import org.springframework.util.StringUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Adds URL based authorization based upon SpEL expressions to an application. At least * one {@link org.springframework.web.bind.annotation.RequestMapping} needs to be mapped @@ -253,7 +251,7 @@ public final class ExpressionUrlAuthorizationConfigurer * Adds the Security HTTP headers to the response. Security HTTP headers is activated by @@ -129,26 +127,6 @@ public class HeadersConfigurer> return this; } - /** - * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the - * X-Content-Type-Options: - * - *
-	 * X-Content-Type-Options: nosniff
-	 * 
- * @return the {@link ContentTypeOptionsConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)} or - * {@code contentTypeOptions(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public ContentTypeOptionsConfig contentTypeOptions() { - return this.contentTypeOptions.enable(); - } - /** * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the * > return HeadersConfigurer.this; } - /** - * Note this is not comprehensive XSS protection! - * - *

- * Allows customizing the {@link XXssProtectionHeaderWriter} which adds the X-XSS-Protection header - *

- * @return the {@link XXssConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or - * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public XXssConfig xssProtection() { - return this.xssProtection.enable(); - } - /** * Note this is not comprehensive XSS protection! * @@ -203,26 +161,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the - * following headers: - *
    - *
  • Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  • - *
  • Pragma: no-cache
  • - *
  • Expires: 0
  • - *
- * @return the {@link CacheControlConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} or - * {@code cacheControl(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public CacheControlConfig cacheControl() { - return this.cacheControl.enable(); - } - /** * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the * following headers: @@ -240,19 +178,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link HstsHeaderWriter} which provides support for - * HTTP Strict Transport Security - * (HSTS). - * @return the {@link HstsConfig} for additional customizations - * @deprecated For removal in 7.0. Use - * {@link #httpStrictTransportSecurity(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HstsConfig httpStrictTransportSecurity() { - return this.hsts.enable(); - } - /** * Allows customizing the {@link HstsHeaderWriter} which provides support for * HTTP Strict Transport Security @@ -266,20 +191,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link XFrameOptionsHeaderWriter}. - * @return the {@link FrameOptionsConfig} for additional customizations - * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or - * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public FrameOptionsConfig frameOptions() { - return this.frameOptions.enable(); - } - /** * Allows customizing the {@link XFrameOptionsHeaderWriter}. * @param frameOptionsCustomizer the {@link Customizer} to provide more options for 
@@ -291,21 +202,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows customizing the {@link HpkpHeaderWriter} which provides support for - * HTTP Public Key Pinning (HPKP). - * @return the {@link HpkpConfig} for additional customizations - * - * @since 4.1 - * @deprecated see Certificate - * and Public Key Pinning for more context - */ - @Deprecated - public HpkpConfig httpPublicKeyPinning() { - return this.hpkp.enable(); - } - /** * Allows customizing the {@link HpkpHeaderWriter} which provides support for * HTTP Public Key Pinning (HPKP). @@ -322,39 +218,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - *

- * Allows configuration for Content Security - * Policy (CSP) Level 2. - *

- * - *

- * Calling this method automatically enables (includes) the Content-Security-Policy - * header in the response using the supplied security policy directive(s). - *

- * - *

- * Configuration is provided to the {@link ContentSecurityPolicyHeaderWriter} which - * supports the writing of the two headers as detailed in the W3C Candidate - * Recommendation: - *

- *
    - *
  • Content-Security-Policy
  • - *
  • Content-Security-Policy-Report-Only
  • - *
- * @return the {@link ContentSecurityPolicyConfig} for additional configuration - * @throws IllegalArgumentException if policyDirectives is null or empty - * @since 4.1 - * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)} - * instead - * @see ContentSecurityPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives) { - this.contentSecurityPolicy.writer = new ContentSecurityPolicyHeaderWriter(policyDirectives); - return this.contentSecurityPolicy; - } - /** *

* Allows configuration for Content Security @@ -456,71 +319,6 @@ public class HeadersConfigurer> } } - /** - *

- * Allows configuration for Referrer - * Policy. - *

- * - *

- * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support - * the writing of the header as detailed in the W3C Technical Report: - *

- *
    - *
  • Referrer-Policy
  • - *
- * - *

- * Default value is: - *

- * - *
-	 * Referrer-Policy: no-referrer
-	 * 
- * @return the {@link ReferrerPolicyConfig} for additional configuration - * @since 4.2 - * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or - * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see ReferrerPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public ReferrerPolicyConfig referrerPolicy() { - this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter(); - return this.referrerPolicy; - } - - /** - *

- * Allows configuration for Referrer - * Policy. - *

- * - *

- * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support - * the writing of the header as detailed in the W3C Technical Report: - *

- *
    - *
  • Referrer-Policy
  • - *
- * @return the {@link ReferrerPolicyConfig} for additional configuration - * @throws IllegalArgumentException if policy is null or empty - * @since 4.2 - * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or - * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - * @see ReferrerPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public ReferrerPolicyConfig referrerPolicy(ReferrerPolicy policy) { - this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter(policy); - return this.referrerPolicy; - } - /** *

* Allows configuration for Referrer @@ -570,35 +368,6 @@ public class HeadersConfigurer> return this.featurePolicy; } - /** - *

- * Allows configuration for - * Permissions - * Policy. - *

- * - *

- * Configuration is provided to the {@link PermissionsPolicyHeaderWriter} which - * support the writing of the header as detailed in the W3C Technical Report: - *

- *
    - *
  • Permissions-Policy
  • - *
- * @return the {@link PermissionsPolicyConfig} for additional configuration - * @since 5.5 - * @deprecated For removal in 7.0. Use {@link #permissionsPolicyHeader(Customizer)} or - * {@code permissionsPolicy(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - * @see PermissionsPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public PermissionsPolicyConfig permissionsPolicy() { - this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter(); - return this.permissionsPolicy; - } - /** * Allows configuration for * Permissions @@ -645,26 +414,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows configuration for - * Cross-Origin-Opener-Policy header. - *

- * Configuration is provided to the {@link CrossOriginOpenerPolicyHeaderWriter} which - * responsible for writing the header. - *

- * @return the {@link CrossOriginOpenerPolicyConfig} for additional confniguration - * @since 5.7 - * @deprecated For removal in 7.0. Use {@link #crossOriginOpenerPolicy(Customizer)} - * instead - * @see CrossOriginOpenerPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy() { - this.crossOriginOpenerPolicy.writer = new CrossOriginOpenerPolicyHeaderWriter(); - return this.crossOriginOpenerPolicy; - } - /** * Allows configuration for @@ -689,26 +438,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows configuration for - * Cross-Origin-Embedder-Policy header. - *

- * Configuration is provided to the {@link CrossOriginEmbedderPolicyHeaderWriter} - * which is responsible for writing the header. - *

- * @return the {@link CrossOriginEmbedderPolicyConfig} for additional customizations - * @since 5.7 - * @deprecated For removal in 7.0. Use {@link #crossOriginEmbedderPolicy(Customizer)} - * instead - * @see CrossOriginEmbedderPolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy() { - this.crossOriginEmbedderPolicy.writer = new CrossOriginEmbedderPolicyHeaderWriter(); - return this.crossOriginEmbedderPolicy; - } - /** * Allows configuration for @@ -733,26 +462,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows configuration for - * Cross-Origin-Resource-Policy header. - *

- * Configuration is provided to the {@link CrossOriginResourcePolicyHeaderWriter} - * which is responsible for writing the header: - *

- * @return the {@link HeadersConfigurer} for additional customizations - * @since 5.7 - * @deprecated For removal in 7.0. Use {@link #crossOriginResourcePolicy(Customizer)} - * instead - * @see CrossOriginResourcePolicyHeaderWriter - */ - @Deprecated(since = "6.1", forRemoval = true) - public CrossOriginResourcePolicyConfig crossOriginResourcePolicy() { - this.crossOriginResourcePolicy.writer = new CrossOriginResourcePolicyHeaderWriter(); - return this.crossOriginResourcePolicy; - } - /** * Allows configuration for @@ -791,17 +500,6 @@ public class HeadersConfigurer> */ public HeadersConfigurer disable() { this.writer = null; - return and(); - } - - /** - * Allows customizing the {@link HeadersConfigurer} - * @return the {@link HeadersConfigurer} for additional customization - * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { return HeadersConfigurer.this; } @@ -866,21 +564,6 @@ public class HeadersConfigurer> */ public HeadersConfigurer disable() { this.writer = null; - return and(); - } - - /** - * Allows completing configuration of X-XSS-Protection and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or - * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { return HeadersConfigurer.this; } 
@@ -914,21 +597,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows completing configuration of Cache Control and continuing configuration - * of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} or - * {@code cacheControl(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - /** * Ensures the Cache Control headers are enabled if they are not already. * @return the {@link CacheControlConfig} for additional customization @@ -1026,18 +694,6 @@ public class HeadersConfigurer> return HeadersConfigurer.this; } - /** - * Allows completing configuration of Strict Transport Security and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #httpStrictTransportSecurity(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - /** * Ensures that Strict-Transport-Security is enabled if it is not already * @return the {@link HstsConfig} for additional customization @@ -1065,7 +721,7 @@ public class HeadersConfigurer> */ public HeadersConfigurer deny() { this.writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY); - return and(); + return HeadersConfigurer.this; } /** @@ -1079,7 +735,7 @@ public class HeadersConfigurer> */ public HeadersConfigurer sameOrigin() { this.writer = new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN); - return and(); + return HeadersConfigurer.this; } /** 
@@ -1088,20 +744,6 @@ public class HeadersConfigurer> */ public HeadersConfigurer disable() { this.writer = null; - return and(); - } - - /** - * Allows continuing customizing the headers configuration. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or - * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { return HeadersConfigurer.this; } @@ -1319,18 +961,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Content Security Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class ReferrerPolicyConfig { @@ -1351,18 +981,6 @@ public class HeadersConfigurer> return this; } - /** - * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} or - * {@code referrerPolicy(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class FeaturePolicyConfig { 
@@ -1401,18 +1019,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Permissions Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class CrossOriginOpenerPolicyConfig { @@ -1434,18 +1040,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Cross Origin Opener Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #crossOriginOpenerPolicy(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class CrossOriginEmbedderPolicyConfig { @@ -1468,18 +1062,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Cross-Origin-Embedder-Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #crossOriginEmbedderPolicy(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } public final class CrossOriginResourcePolicyConfig { 
@@ -1502,18 +1084,6 @@ public class HeadersConfigurer> return this; } - /** - * Allows completing configuration of Cross-Origin-Resource-Policy and continuing - * configuration of headers. - * @return the {@link HeadersConfigurer} for additional configuration - * @deprecated For removal in 7.0. Use - * {@link #crossOriginResourcePolicy(Customizer)} instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public HeadersConfigurer and() { - return HeadersConfigurer.this; - } - } } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java index 0ac0480e03..82c760a79d 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java @@ -66,8 +66,6 @@ import org.springframework.security.web.session.SimpleRedirectSessionInformation import org.springframework.util.Assert; import org.springframework.util.CollectionUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Allows configuring session management. * @@ -777,17 +775,6 @@ public final class SessionManagementConfigurer> return this; } - /** - * Used to chain back to the {@link SessionManagementConfigurer} - * @return the {@link SessionManagementConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #sessionConcurrency(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public SessionManagementConfigurer and() { - return SessionManagementConfigurer.this; - } - } } 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java index 5345ed5dd2..9386fee77e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java @@ -248,7 +248,7 @@ public final class UrlAuthorizationConfigurer> } public H and() { - return UrlAuthorizationConfigurer.this.and(); + return UrlAuthorizationConfigurer.this.getBuilder(); } } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java index 2aae05bbb9..9ed4da02fe 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java @@ -141,18 +141,6 @@ public final class OAuth2ClientConfigurer> return this; } - /** - * Returns the {@link AuthorizationCodeGrantConfigurer} for configuring the OAuth 2.0 - * Authorization Code Grant. - * @return the {@link AuthorizationCodeGrantConfigurer} - * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizationCodeGrantConfigurer authorizationCodeGrant() { - return this.authorizationCodeGrantConfigurer; - } - /** * Configures the OAuth 2.0 Authorization Code Grant. * @param authorizationCodeGrantCustomizer the {@link Customizer} to provide more 
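Review bot: The `and()` that stays in UrlAuthorizationConfigurer is still public but has no Javadoc or `@Deprecated` marker in the context lines directly above it. The commit description names featurePolicy as the only `and()` left in place, so this one reads as an unexplained leftover. It now returns `UrlAuthorizationConfigurer.this.getBuilder()` directly, so a one-line comment would record that it is kept on purpose, for example `/** Returns the builder for further customizations. Kept after the and() removal because <reason>. */`. The enclosing nested class starts outside the hunk, so the reason it is kept is not visible here and should be confirmed by the author.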
@@ -242,17 +230,6 @@ public final class OAuth2ClientConfigurer> return this; } - /** - * Returns the {@link OAuth2ClientConfigurer} for further configuration. - * @return the {@link OAuth2ClientConfigurer} - * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ClientConfigurer and() { - return OAuth2ClientConfigurer.this; - } - private void init(B builder) { OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider = new OAuth2AuthorizationCodeAuthenticationProvider( getAccessTokenResponseClient()); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java index d270f55731..c27cb4f2a7 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java @@ -104,8 +104,6 @@ import org.springframework.util.Assert; import org.springframework.util.ClassUtils; import org.springframework.util.ReflectionUtils; -import static org.springframework.security.config.Customizer.withDefaults; - /** * An {@link AbstractHttpConfigurer} for OAuth 2.0 Login, which leverages the OAuth 2.0 * Authorization Code Grant Flow. 
@@ -248,18 +246,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link AuthorizationEndpointConfig} for configuring the Authorization - * Server's Authorization Endpoint. - * @return the {@link AuthorizationEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public AuthorizationEndpointConfig authorizationEndpoint() { - return this.authorizationEndpointConfig; - } - /** * Configures the Authorization Server's Authorization Endpoint. * @param authorizationEndpointCustomizer the {@link Customizer} to provide more @@ -272,21 +258,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link TokenEndpointConfig} for configuring the Authorization Server's - * Token Endpoint. - * @return the {@link TokenEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} or - * {@code tokenEndpoint(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public TokenEndpointConfig tokenEndpoint() { - return this.tokenEndpointConfig; - } - /** * Configures the Authorization Server's Token Endpoint. * @param tokenEndpointCustomizer the {@link Customizer} to provide more options for 
@@ -299,18 +270,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link RedirectionEndpointConfig} for configuring the Client's - * Redirection Endpoint. - * @return the {@link RedirectionEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public RedirectionEndpointConfig redirectionEndpoint() { - return this.redirectionEndpointConfig; - } - /** * Configures the Client's Redirection Endpoint. * @param redirectionEndpointCustomizer the {@link Customizer} to provide more options @@ -323,21 +282,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link UserInfoEndpointConfig} for configuring the Authorization - * Server's UserInfo Endpoint. - * @return the {@link UserInfoEndpointConfig} - * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)} or - * {@code userInfoEndpoint(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public UserInfoEndpointConfig userInfoEndpoint() { - return this.userInfoEndpointConfig; - } - /** * Configures the Authorization Server's UserInfo Endpoint. * @param userInfoEndpointCustomizer the {@link Customizer} to provide more options @@ -726,17 +670,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } /** 
@@ -763,20 +696,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} or - * {@code tokenEndpoint(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } /** @@ -801,17 +720,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } /** @@ -866,17 +774,6 @@ public final class OAuth2LoginConfigurer> return this; } - /** - * Returns the {@link OAuth2LoginConfigurer} for further configuration. - * @return the {@link OAuth2LoginConfigurer} - * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)} - * instead - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2LoginConfigurer and() { - return OAuth2LoginConfigurer.this; - } - } private static class OidcAuthenticationRequestChecker implements AuthenticationProvider { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java index 1095350dc5..36361600d5 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java 
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java @@ -111,11 +111,6 @@ public final class OidcLogoutConfigurer> return this; } - @Deprecated(forRemoval = true, since = "6.2") - public B and() { - return getBuilder(); - } - @Override public void configure(B builder) throws Exception { if (this.backChannel != null) { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java index 5bb6fdcbc4..209ba03007 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java @@ -214,20 +214,6 @@ public final class OAuth2ResourceServerConfigurerdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public JwtConfigurer jwt() { - if (this.jwtConfigurer == null) { - this.jwtConfigurer = new JwtConfigurer(this.context); - } - return this.jwtConfigurer; - } - /** * Enables Jwt-encoded bearer token support. * @param jwtCustomizer the {@link Customizer} to provide more options for the @@ -242,21 +228,6 @@ public final class OAuth2ResourceServerConfigurerdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public OpaqueTokenConfigurer opaqueToken() { - if (this.opaqueTokenConfigurer == null) { - this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context); - } - return this.opaqueTokenConfigurer; - } - /** * Enables opaque bearer token support. * @param opaqueTokenCustomizer the {@link Customizer} to provide more options for the 
@@ -441,17 +412,6 @@ public final class OAuth2ResourceServerConfigurerdocumentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public OAuth2ResourceServerConfigurer and() { - return OAuth2ResourceServerConfigurer.this; - } - Converter getJwtAuthenticationConverter() { if (this.jwtAuthenticationConverter == null) { if (this.context.getBeanNamesForType(JwtAuthenticationConverter.class).length > 0) { diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java index 22358ea3a2..7ae92aafca 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java @@ -71,8 +71,6 @@ import org.springframework.security.web.util.matcher.AndRequestMatcher; import org.springframework.security.web.util.matcher.ParameterRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; -import static org.springframework.security.config.Customizer.withDefaults; - /** * Adds SAML 2.0 logout support. * 
@@ -179,20 +177,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * Get configurer for SAML 2.0 Logout Request components - * @return the {@link LogoutRequestConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #logoutRequest(Customizer)} or - * {@code logoutRequest(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public LogoutRequestConfigurer logoutRequest() { - return this.logoutRequestConfigurer; - } - /** * Configures SAML 2.0 Logout Request components * @param logoutRequestConfigurerCustomizer the {@link Customizer} to provide more @@ -205,20 +189,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * Get configurer for SAML 2.0 Logout Response components - * @return the {@link LogoutResponseConfigurer} for further customizations - * @deprecated For removal in 7.0. Use {@link #logoutResponse(Customizer)} or - * {@code logoutResponse(Customizer.withDefaults())} to stick with defaults. See the - * documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public LogoutResponseConfigurer logoutResponse() { - return this.logoutResponseConfigurer; - } - /** * Configures SAML 2.0 Logout Response components * @param logoutResponseConfigurerCustomizer the {@link Customizer} to provide more @@ -408,18 +378,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * @deprecated For removal in 7.0. Use {@link #logoutRequest(Customizer)} or - * {@code logoutRequest(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LogoutConfigurer and() { - return Saml2LogoutConfigurer.this; - } - private Saml2LogoutRequestValidator logoutRequestValidator() { if (this.logoutRequestValidator != null) { return this.logoutRequestValidator; 
@@ -490,18 +448,6 @@ public final class Saml2LogoutConfigurer> return this; } - /** - * @deprecated For removal in 7.0. Use {@link #logoutResponse(Customizer)} or - * {@code logoutResponse(Customizer.withDefaults())} to stick with defaults. See - * the documentation - * for more details. - */ - @Deprecated(since = "6.1", forRemoval = true) - public Saml2LogoutConfigurer and() { - return Saml2LogoutConfigurer.this; - } - private Saml2LogoutResponseValidator logoutResponseValidator() { if (this.logoutResponseValidator != null) { return this.logoutResponseValidator;