Deprecate SecurityMetadataSource

Closes gh-16772

core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java

@@ -20,13 +20,22 @@ import java.util.Collection;
 
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 
 /**
  * Implemented by classes that store and can identify the {@link ConfigAttribute}s that
  * applies to a given secure object invocation.
  *
  * @author Ben Alex
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public interface SecurityMetadataSource extends AopInfrastructureBean {
 
 	/**

web/src/main/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSource.java

@@ -31,6 +31,8 @@ import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.ParseException;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -43,7 +45,14 @@ import org.springframework.util.Assert;
  * @author Luke Taylor
  * @author Eddú Meléndez
  * @since 3.0
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public final class ExpressionBasedFilterInvocationSecurityMetadataSource
 		extends DefaultFilterInvocationSecurityMetadataSource {
 

web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java

@@ -28,6 +28,8 @@ import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
@@ -50,7 +52,14 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
 
 	protected final Log logger = LogFactory.getLog(getClass());

web/src/main/java/org/springframework/security/web/access/intercept/FilterInvocationSecurityMetadataSource.java

@@ -17,6 +17,8 @@
 package org.springframework.security.web.access.intercept;
 
 import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.FilterInvocation;
 
 /**
@@ -24,7 +26,14 @@ import org.springframework.security.web.FilterInvocation;
  * designed to perform lookups keyed on {@link FilterInvocation}s.
  *
  * @author Ben Alex
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public interface FilterInvocationSecurityMetadataSource extends SecurityMetadataSource {
 
 }

web/src/main/java/org/springframework/security/web/servlet/util/matcher/PathPatternRequestMatcher.java

@@ -127,7 +127,12 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
 	}
 
 	private RequestPath getRequestPath(HttpServletRequest request) {
-		return ServletRequestPathUtils.getParsedRequestPath(request);
+		if (ServletRequestPathUtils.hasParsedRequestPath(request)) {
+			return ServletRequestPathUtils.getParsedRequestPath(request);
+		}
+		else {
+			return ServletRequestPathUtils.parseAndCache(request);
+		}
 	}
 
 	/**