*
* @author Ben Alex
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.event.AuthorizationGrantedEvent}
+ * instead
*/
+@Deprecated
public class AuthorizedEvent extends AbstractAuthorizationEvent {
private final Authentication authentication;
diff --git a/core/src/main/java/org/springframework/security/access/event/LoggerListener.java b/core/src/main/java/org/springframework/security/access/event/LoggerListener.java
index 02247ceb15..3c091f1518 100644
--- a/core/src/main/java/org/springframework/security/access/event/LoggerListener.java
+++ b/core/src/main/java/org/springframework/security/access/event/LoggerListener.java
@@ -30,7 +30,10 @@ import org.springframework.core.log.LogMessage;
*
*
* @author Ben Alex
+ * @deprecated Logging is now embedded in Spring Security components. If you need further
+ * logging, please consider using your own {@link ApplicationListener}
*/
+@Deprecated
public class LoggerListener implements ApplicationListener {
private static final Log logger = LogFactory.getLog(LoggerListener.class);
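Review bot: The added `@deprecated` text on `LoggerListener` tells users to write their own `ApplicationListener` but does not say which events that listener should handle. Judging by its name and package, this class is where authorization outcomes were logged, so a migration that removes it without an equivalent listener can silently lose the audit trail for denied access. Consider naming the events in the tag, e.g. `consider using your own {@link ApplicationListener} for {@link org.springframework.security.authorization.event.AuthorizationDeniedEvent} and {@link org.springframework.security.authorization.event.AuthorizationGrantedEvent}`. The class body continues outside the hunk.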
diff --git a/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java b/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java
index 2ce5db3a85..2aab5dba91 100644
--- a/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java
+++ b/core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java
@@ -16,6 +16,8 @@
package org.springframework.security.access.event;
+import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
+
/**
* Event that is generated whenever a public secure object is invoked.
*
*
* @author Ben Alex
+ * @deprecated Only used by now-deprecated classes. Consider
+ * {@link AuthorizationGrantedEvent#getSource()} to deduce public invocations.
*/
+@Deprecated
public class PublicInvocationEvent extends AbstractAuthorizationEvent {
/**
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java
index 722505f22a..95a2725a6b 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,7 +32,10 @@ import org.springframework.util.Assert;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
+ * interceptors instead
*/
+@Deprecated
abstract class AbstractExpressionBasedMethodConfigAttribute implements ConfigAttribute {
private final Expression filterExpression;
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java
index d6fb761966..b309e890a8 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -30,7 +30,10 @@ import org.springframework.security.access.prepost.PrePostInvocationAttributeFac
* @author Luke Taylor
* @author Rob Winch
* @since 3.0
+ * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
+ * interceptors instead
*/
+@Deprecated
public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocationAttributeFactory {
private final Object parserLock = new Object();
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java
index 664f97102e..9e6131d081 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,7 +32,11 @@ import org.springframework.security.core.Authentication;
/**
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
public class ExpressionBasedPostInvocationAdvice implements PostInvocationAuthorizationAdvice {
protected final Log logger = LogFactory.getLog(getClass());
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java
index 19c7659407..82f295ab23 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,7 +33,11 @@ import org.springframework.util.Assert;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
public class ExpressionBasedPreInvocationAdvice implements PreInvocationAuthorizationAdvice {
private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
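Review bot: The `@deprecated` tag on `ExpressionBasedPreInvocationAdvice` links to `AuthorizationManagerAfterMethodInterceptor`, which looks like a copy of the post-invocation text. The sibling `PreInvocationExpressionAttribute` and `PreInvocationAuthorizationAdvice` in this same commit point to the before-interceptor. The difference matters for anyone following the link: a pre-invocation check moved to an after-interceptor would only deny access once the protected method has already run. Suggested link: `{@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}`.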
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java
index 08d9c6f2b8..3dc86cc5a1 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -23,7 +23,11 @@ import org.springframework.security.access.prepost.PostInvocationAttribute;
/**
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
implements PostInvocationAttribute {
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java
index f8c3bae329..26af51a6f1 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -23,7 +23,11 @@ import org.springframework.security.access.prepost.PreInvocationAttribute;
/**
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
*/
+@Deprecated
class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
implements PreInvocationAttribute {
diff --git a/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java b/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
index 2c51a8e6d8..0e8bff01ee 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java
@@ -104,7 +104,17 @@ import org.springframework.util.CollectionUtils;
*
* @author Ben Alex
* @author Rob Winch
+ * @deprecated Use
+ * {@link org.springframework.security.web.access.intercept.AuthorizationFilter} instead
+ * for filter security,
+ * {@link org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor}
+ * for messaging security, or
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * and
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * for method security.
*/
+@Deprecated
public abstract class AbstractSecurityInterceptor
implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware {
diff --git a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
index 679b495d54..39d712f880 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java
@@ -20,6 +20,7 @@ import java.util.Collection;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
/**
@@ -41,7 +42,11 @@ import org.springframework.security.core.Authentication;
*
*
* @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
*/
+@Deprecated
public interface AfterInvocationManager {
/**
diff --git a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
index 44d42d850a..4003aa4659 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java
@@ -28,6 +28,7 @@ import org.springframework.core.log.LogMessage;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.AfterInvocationProvider;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
@@ -47,7 +48,11 @@ import org.springframework.util.CollectionUtils;
* given provider is configured to respond to).
*
* @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
*/
+@Deprecated
public class AfterInvocationProviderManager implements AfterInvocationManager, InitializingBean {
protected static final Log logger = LogFactory.getLog(AfterInvocationProviderManager.class);
diff --git a/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java b/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
index de97aebf60..56abcc0d57 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java
@@ -19,6 +19,7 @@ package org.springframework.security.access.intercept;
import java.util.Collection;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.context.SecurityContext;
/**
@@ -29,7 +30,11 @@ import org.springframework.security.core.context.SecurityContext;
* can tidy up correctly.
*
* @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
*/
+@Deprecated
public class InterceptorStatusToken {
private SecurityContext securityContext;
diff --git a/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java b/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
index 95b98e2622..4101ed4c8d 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java
@@ -43,7 +43,10 @@ import org.springframework.util.Assert;
*
*
* @author Ben Alex
+ * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
+ * instead
*/
+@Deprecated
public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
protected static final Log logger = LogFactory.getLog(MethodInvocationPrivilegeEvaluator.class);
diff --git a/core/src/main/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProvider.java b/core/src/main/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProvider.java
index eb0fa743aa..c43dd2b17b 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProvider.java
@@ -39,7 +39,12 @@ import org.springframework.util.Assert;
*
* If the key does not match, a BadCredentialsException is thrown.
*
+ *
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
*/
+@Deprecated
public class RunAsImplAuthenticationProvider implements InitializingBean, AuthenticationProvider, MessageSourceAware {
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
diff --git a/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java b/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
index e121b9bb5b..bb3b8f8ac2 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java
@@ -57,7 +57,11 @@ import org.springframework.security.core.Authentication;
*
*
* @author Ben Alex
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
*/
+@Deprecated
public interface RunAsManager {
/**
diff --git a/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java b/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
index 352ff66f9f..f16bd5b13b 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java
@@ -52,7 +52,11 @@ import org.springframework.util.Assert;
*
* @author Ben Alex
* @author colin sampaleanu
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
*/
+@Deprecated
public class RunAsManagerImpl implements RunAsManager, InitializingBean {
private String key;
diff --git a/core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java b/core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
index 1019947440..2fc19b0ca7 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java
@@ -28,7 +28,11 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
* that supports {@link RunAsManagerImpl}.
*
* @author Ben Alex
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
*/
+@Deprecated
public class RunAsUserToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
diff --git a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java
index fadf5baf42..4287231eb5 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java
@@ -36,7 +36,13 @@ import org.springframework.security.access.method.MethodSecurityMetadataSource;
*
* @author Ben Alex
* @author Rob Winch
+ * @deprecated Please use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * and
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
private MethodSecurityMetadataSource securityMetadataSource;
diff --git a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java
index 1d8902d82c..4bc3d19b5b 100644
--- a/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java
+++ b/core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java
@@ -51,7 +51,9 @@ import org.springframework.util.CollectionUtils;
*
* @author Ben Alex
* @author Luke Taylor
+ * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
*/
+@Deprecated
public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware {
private transient MethodSecurityMetadataSource attributeSource;
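Review bot: `{@link EnableMethodSecurity}` in the added `@deprecated` line uses a simple name, and this hunk adds no import for it. As far as I know the annotation lives in the config module, which core does not depend on, so the link is unlikely to resolve and Javadoc would warn or render plain text. The import section is outside the hunk, so this is worth confirming. If it is unresolved, either fully qualify the link or write `{@code @EnableMethodSecurity}`.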
diff --git a/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
index 3b3be3effb..ef2feb7505 100644
--- a/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@ import java.util.Collections;
import org.springframework.aop.support.AopUtils;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
/**
* Abstract implementation of {@link MethodSecurityMetadataSource} that supports both
@@ -43,7 +44,11 @@ import org.springframework.security.access.ConfigAttribute;
* @author Ben Alex
* @author Luke taylor
* @since 2.0
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code } and {@code } instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
*/
+@Deprecated
public abstract class AbstractFallbackMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
@Override
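Review bot: The two `{@code }` spans in the added `@deprecated` text are empty as shown, so the sentence never says which XML elements take the `use-authorization-manager` attribute. This may be an artifact of how the page was rendered (angle-bracketed element names are easily stripped), but if the source really reads this way the element names should be restored inside the `{@code ...}` spans. The same wording is repeated in the hunks for `AbstractMethodSecurityMetadataSource`, `DelegatingMethodSecurityMetadataSource`, `MapBasedMethodSecurityMetadataSource` and `MethodSecurityMetadataSource`.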
diff --git a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
index 3ed17acc70..219b3f7eb8 100644
--- a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory;
import org.springframework.aop.framework.AopProxyUtils;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
/**
* Abstract implementation of MethodSecurityMetadataSource which resolves the
@@ -31,7 +32,11 @@ import org.springframework.security.access.ConfigAttribute;
*
* @author Ben Alex
* @author Luke Taylor
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code } and {@code } instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
*/
+@Deprecated
public abstract class AbstractMethodSecurityMetadataSource implements MethodSecurityMetadataSource {
protected final Log logger = LogFactory.getLog(getClass());
diff --git a/core/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java
index 2591d099fc..3b4c5c2eec 100644
--- a/core/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@ import java.util.Set;
import org.springframework.core.log.LogMessage;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
@@ -37,7 +38,11 @@ import org.springframework.util.ObjectUtils;
*
* @author Ben Alex
* @author Luke Taylor
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code } and {@code } instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
*/
+@Deprecated
public final class DelegatingMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
private static final List NULL_CONFIG_ATTRIBUTE = Collections.emptyList();
diff --git a/core/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java
index 4fb00cc78e..1c41d40d98 100644
--- a/core/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java
@@ -28,6 +28,7 @@ import java.util.Set;
import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.core.log.LogMessage;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
@@ -42,7 +43,11 @@ import org.springframework.util.ClassUtils;
*
* @author Ben Alex
* @since 2.0
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code } and {@code } instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
*/
+@Deprecated
public class MapBasedMethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource
implements BeanClassLoaderAware {
diff --git a/core/src/main/java/org/springframework/security/access/method/MethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/MethodSecurityMetadataSource.java
index 5cfb3ff9ca..2243236fa9 100644
--- a/core/src/main/java/org/springframework/security/access/method/MethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/MethodSecurityMetadataSource.java
@@ -21,12 +21,18 @@ import java.util.Collection;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.authorization.AuthorizationManager;
/**
* Interface for SecurityMetadataSource implementations that are designed to
* perform lookups keyed on Methods.
*
* @author Ben Alex
+ * @see org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager
+ * @see org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code } and {@code } instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
*/
public interface MethodSecurityMetadataSource extends SecurityMetadataSource {
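Review bot: `MethodSecurityMetadataSource` gets the `@deprecated` Javadoc tag but, unlike every other type in this commit, no `@Deprecated` annotation on the interface declaration. The hunk's line counts (12 old, 18 new) match the six added lines shown, so the annotation appears to be genuinely missing rather than cut off. Without it, tools that look for the annotation rather than the Javadoc tag will not flag remaining uses of the legacy metadata-source API, and `-Xlint:dep-ann` reports the mismatch. Add `@Deprecated` on the line before `public interface MethodSecurityMetadataSource extends SecurityMetadataSource {`.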
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
index f1de8dc0d1..f974735509 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,7 +36,11 @@ import org.springframework.security.core.Authentication;
* @author Luke Taylor
* @author Alexander Furer
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
public class PostInvocationAdviceProvider implements AfterInvocationProvider {
protected final Log logger = LogFactory.getLog(getClass());
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java
index c5f6d280fa..737b47c7cb 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@ import org.springframework.security.access.ConfigAttribute;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
public interface PostInvocationAttribute extends ConfigAttribute {
}
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java
index 31501ce000..c57fed585f 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -27,7 +27,11 @@ import org.springframework.security.core.Authentication;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
*/
+@Deprecated
public interface PostInvocationAuthorizationAdvice extends AopInfrastructureBean {
Object after(Authentication authentication, MethodInvocation mi, PostInvocationAttribute pia, Object returnedObject)
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java
index 1fa478c32e..3da5c99be9 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@ import org.springframework.security.access.ConfigAttribute;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
*/
+@Deprecated
public interface PreInvocationAttribute extends ConfigAttribute {
}
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java
index b0647568e7..741bbd83fe 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@ import org.springframework.security.core.Authentication;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
*/
+@Deprecated
public interface PreInvocationAuthorizationAdvice extends AopInfrastructureBean {
/**
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
index 2b9979290a..9a94601e1d 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,7 +38,11 @@ import org.springframework.security.core.Authentication;
*
* @author Luke Taylor
* @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
*/
+@Deprecated
public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVoter {
protected final Log logger = LogFactory.getLog(getClass());
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java
index 24334a99b1..02d8230033 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -48,7 +48,13 @@ import org.springframework.util.ClassUtils;
* @author Luke Taylor
* @since 3.0
* @see PreInvocationAuthorizationAdviceVoter
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager}
+ * and
+ * {@link org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager}
+ * instead
*/
+@Deprecated
public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
private final PrePostInvocationAttributeFactory attributeFactory;
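Review bot: The `@deprecated` text names only `PreAuthorizeAuthorizationManager` and `PostAuthorizeAuthorizationManager`, which covers the authorize annotations but says nothing about filtering. If this metadata source also resolves `@PreFilter`/`@PostFilter` (the hunk does not show the class body, so this is from memory and should be confirmed), a migration that follows the note literally would drop collection filtering without any error. Consider extending the note before `instead` with `* (for filtering, see {@link org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor} and {@link org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor})`.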
diff --git a/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java b/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java
index 1feaba1395..90ef060207 100644
--- a/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java
+++ b/core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,10 +17,14 @@
package org.springframework.security.access.prepost;
import org.springframework.aop.framework.AopInfrastructureBean;
+import org.springframework.security.authorization.AuthorizationManager;
/**
* @author Luke Taylor
* @since 3.0
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
*/
public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean {
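Review bot: This interface gets the `@deprecated` Javadoc tag but not the `@Deprecated` annotation that the other types in this commit receive. The deprecation is therefore invisible to reflection and annotation-based tooling, and javac's `-Xlint:dep-ann` would flag the mismatch. Add `@Deprecated` on the line before `public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean {`. Separately, the new `import org.springframework.security.authorization.AuthorizationManager;` is used only by the `{@link}`, whereas the sibling hunks in this package use fully qualified names in Javadoc, which avoids an import that exists purely for documentation.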
diff --git a/core/src/main/java/org/springframework/security/access/vote/AbstractAccessDecisionManager.java b/core/src/main/java/org/springframework/security/access/vote/AbstractAccessDecisionManager.java
index 75b41a54ae..b9b2390cfd 100644
--- a/core/src/main/java/org/springframework/security/access/vote/AbstractAccessDecisionManager.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AbstractAccessDecisionManager.java
@@ -29,6 +29,7 @@ import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.util.Assert;
@@ -39,7 +40,10 @@ import org.springframework.util.Assert;
* Handles configuration of a bean context defined list of {@link AccessDecisionVoter}s
* and the access control behaviour if all voters abstain from voting (defaults to deny
* access).
+ *
+ * @deprecated Use {@link AuthorizationManager} instead
*/
+@Deprecated
public abstract class AbstractAccessDecisionManager
implements AccessDecisionManager, InitializingBean, MessageSourceAware {
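Review bot: The note `@deprecated Use {@link AuthorizationManager} instead` gives no guidance on the abstain case that the Javadoc just above it describes (all voters abstaining defaults to deny). As far as I know, `AuthorizationManager#verify` throws only when the decision is non-null and not granted, so a `null` result is not denied by default. A migration that maps "abstain" to `null` could therefore be more permissive than the legacy configuration. I would extend the note, for example `@deprecated Use {@link AuthorizationManager} instead; a {@code null} decision is an abstention and is not denied by default, so return an explicit denial where deny-on-abstain was relied on`. The same one-line note is used on AffirmativeBased further down, and the class body continues outside this hunk.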
diff --git a/core/src/main/java/org/springframework/security/access/vote/AbstractAclVoter.java b/core/src/main/java/org/springframework/security/access/vote/AbstractAclVoter.java
index 5e1fd32180..8417d368e4 100644
--- a/core/src/main/java/org/springframework/security/access/vote/AbstractAclVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AbstractAclVoter.java
@@ -27,7 +27,10 @@ import org.springframework.util.Assert;
* particular ACL system.
*
* @author Ben Alex
+ * @deprecated Now used by only-deprecated classes. Generally speaking, in-memory ACL is
+ * no longer advised, so no replacement is planned at this point.
*/
+@Deprecated
public abstract class AbstractAclVoter implements AccessDecisionVoter {
private Class> processDomainObjectClass;
diff --git a/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java b/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
index 86841e1f05..1d691dabcc 100644
--- a/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java
@@ -22,13 +22,17 @@ import java.util.List;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
/**
* Simple concrete implementation of
* {@link org.springframework.security.access.AccessDecisionManager} that grants access if
* any AccessDecisionVoter returns an affirmative response.
+ *
+ * @deprecated Use {@link AuthorizationManager} instead
*/
+@Deprecated
public class AffirmativeBased extends AbstractAccessDecisionManager {
public AffirmativeBased(List> decisionVoters) {
diff --git a/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java b/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
index eec33f2d53..6a6731b498 100644
--- a/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
+++ b/core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java
@@ -45,7 +45,11 @@ import org.springframework.util.Assert;
* All comparisons and prefixes are case sensitive.
*
* @author Ben Alex
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.AuthorityAuthorizationManager}
+ * instead
*/
+@Deprecated
public class AuthenticatedVoter implements AccessDecisionVoter