diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
index d8f3cc0e52..6740525941 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -266,7 +266,11 @@ public class HeadersConfigurer>
 * @return the {@link HpkpConfig} for additional customizations
 *
 * @since 4.1
+ * @deprecated see Certificate
+ * and Public Key Pinning for more context
 */
+ @Deprecated
 public HpkpConfig httpPublicKeyPinning() {
 return this.hpkp.enable();
 }
@@ -277,7 +281,11 @@ public class HeadersConfigurer>
 * @param hpkpCustomizer the {@link Customizer} to provide more options for the
 * {@link HpkpConfig}
 * @return the {@link HeadersConfigurer} for additional customizations
+ * @deprecated see Certificate
+ * and Public Key Pinning for more context
 */
+ @Deprecated
 public HeadersConfigurer httpPublicKeyPinning(Customizer hpkpCustomizer) {
 hpkpCustomizer.customize(this.hpkp.enable());
 return HeadersConfigurer.this;
@@ -1040,6 +1048,12 @@ public class HeadersConfigurer>
 }
+ /**
+ * @deprecated see Certificate
+ * and Public Key Pinning for more context
+ */
+ @Deprecated
 public final class HpkpConfig {
 private HpkpHeaderWriter writer;
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt
index a468be3b23..0fb20823a4 100644
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt
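Review bot: The `@deprecated` tag added to `httpPublicKeyPinning()` in the first hunk only points to background reading; it neither names the release nor says there is no replacement, although the Kotlin side of this commit records exactly that in `@Deprecated(message = "as of 5.8 with no replacement")`. Java users get that information only through the Javadoc tag, so `@deprecated as of 5.8 with no replacement; the HPKP header no longer works in modern browsers, see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context` would align the Java, Kotlin and schema wording (the browser-support sentence is the one the .rnc hunk uses). The same applies to the `Customizer` overload in the second hunk, the `HpkpConfig` class comment in the third hunk, and the `HpkpHeaderWriter` class Javadoc in the web module hunk. The new `HpkpConfig` Javadoc in the third hunk additionally has no summary sentence before the tag; a first line such as `Configuration for HTTP Public Key Pinning, applied through the {@link HpkpHeaderWriter} it holds.` keeps the class readable in the type index.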
@@ -117,7 +117,9 @@ class HeadersDsl {
 * href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP).
 *
 * @param hpkpConfig the customization to apply to the header
+ * @deprecated see Certificate and Public Key Pinning for more context
 */
+ @Deprecated(message = "as of 5.8 with no replacement")
 fun httpPublicKeyPinning(hpkpConfig: HttpPublicKeyPinningDsl.() -> Unit) {
 this.hpkp = HttpPublicKeyPinningDsl().apply(hpkpConfig).get()
 }
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt
index 987278476f..bd5261e91c 100644
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt
@@ -33,8 +33,10 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
 * @property reportOnly if true, the browser should not terminate the connection with
 * the server.
 * @property reportUri the URI to which the browser should report pin validation failures.
+ * @deprecated see Certificate and Public Key Pinning for more context
 */
 @HeadersSecurityMarker
+@Deprecated(message = "as of 5.8 with no replacement")
 class HttpPublicKeyPinningDsl {
 var pins: Map? = null
 var maxAgeInSeconds: Long? = null
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
index 5e61b3ee74..b171e0c3c8 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
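Review bot: `@deprecated` in the KDoc block of `httpPublicKeyPinning` in the HeadersDsl hunk is not one of KDoc's block tags (KDoc expresses deprecation through the `@Deprecated` annotation), so the pointer to the background material is likely to be rendered verbatim or dropped by Dokka instead of appearing as a deprecation notice; the same tag is added to the class comment in the HttpPublicKeyPinningDsl hunk. The reference is better carried where the tooling does read it, e.g. `@Deprecated(message = "as of 5.8 with no replacement; see https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning for more context")`, or as a `@see` tag next to the existing `@param`/`@property` tags. `httpPublicKeyPinning`'s body lies entirely inside its hunk; the `HttpPublicKeyPinningDsl` class body continues past the end of its hunk.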
@@ -1193,6 +1193,7 @@ cors-options.attlist &= attribute configuration-source-ref {xsd:token}?
 hpkp =
+ ## Deprecated. The HPKP header no longer works in modern browsers, see Certificate and Public Key Pinning for more context
 ## Adds support for HTTP Public Key Pinning (HPKP).
 element hpkp {hpkp.pins,hpkp.attlist}
 hpkp.pins =
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
index b5642bb293..2ae969f13d 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
@@ -3373,7 +3373,10 @@
- Adds support for HTTP Public Key Pinning (HPKP).
+ Deprecated. The HPKP header no longer works in modern browsers, see <a
+ href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
+ and Public Key Pinning</a> for more context Adds support for HTTP Public Key Pinning
+ (HPKP).
@@ -3875,4 +3878,4 @@
-
\ No newline at end of file
+
diff --git a/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java b/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java
index 8ef540c721..a34d0bfa09 100644
--- a/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java
+++ b/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java
@@ -109,7 +109,11 @@ import org.springframework.util.Assert;
 * @author Tim Ysewyn
 * @author Ankur Pathak
 * @since 4.1
+ * @deprecated see Certificate
+ * and Public Key Pinning for more context
 */
+@Deprecated
 public final class HpkpHeaderWriter implements HeaderWriter {
 private static final long DEFAULT_MAX_AGE_SECONDS = 5184000;
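Review bot: The `##` documentation line added to `hpkp` in the .rnc hunk ends at `for more context` with no terminator, and the generated xsd hunk further down the same line shows the consequence: the two sentences run together as `for more context Adds support for HTTP Public Key Pinning (HPKP).` Ending the new line with a period, `## Deprecated. The HPKP header no longer works in modern browsers, see ... for more context.`, fixes the schema text and its regenerated xsd in one place. The xsd hunk itself appears to be generated from the .rnc and needs no hand edit once the source line is corrected.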