saving updates to migrate
parent
b85ad33aef
commit
a18fa3f1db
|
@ -38,6 +38,9 @@ For thoroughness we have include the related links in the table below.
|
|||
| https://jira.spring.io/browse/SEC-2348[SEC-2348]
|
||||
| https://github.com/spring-projects/spring-security/commit/eedbf442359f9a99e367f2fdef61deea1cef46c9[eedbf44]
|
||||
|
||||
| https://jira.spring.io/browse/SEC-2781[SEC-2781]
|
||||
| https://github.com/spring-projects/spring-security/commit/6e204fff72b80196a83245cbc3bd0cd401feda00[6e204ff]
|
||||
|
||||
| https://jira.spring.io/browse/SEC-2873[SEC-2873]
|
||||
| https://github.com/spring-projects/spring-security/commit/5f57e5b0c3726466db4f5d0521ac26423f0d9cd4[5f57e5b]
|
||||
|====
|
||||
|
@ -188,7 +191,7 @@ The configuration will need to be updated to something similar to the following
|
|||
[source,xml]
|
||||
----
|
||||
<http>
|
||||
<openid-login login-processing-url="/j_spring_openid_security_login"/> <!--1-->
|
||||
<openid-login login-processing-url="/j_spring_openid_security_check"/> <!--1-->
|
||||
...
|
||||
</http>
|
||||
----
|
||||
|
@ -354,21 +357,21 @@ For example, if an application using Spring Security 3.2.x contains a configurat
|
|||
|
||||
[source,xml]
|
||||
----
|
||||
<bean id="casFilter"
|
||||
class="org.springframework.security.cas.web.CasAuthenticationFilter">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
</bean>
|
||||
<b:bean id="casFilter"
|
||||
class="org.springframework.security.cas.web.CasAuthenticationFilter">
|
||||
<b:property name="authenticationManager" ref="authenticationManager"/>
|
||||
</b:bean>
|
||||
----
|
||||
|
||||
The configuration will need to be updated to something similar to the following when Spring Security 4.x:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<bean id="casFilter"
|
||||
class="org.springframework.security.cas.web.CasAuthenticationFilter">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
|
||||
</bean>
|
||||
<b:bean id="casFilter"
|
||||
class="org.springframework.security.cas.web.CasAuthenticationFilter">
|
||||
<b:property name="authenticationManager" ref="authenticationManager"/>
|
||||
<b:property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
|
||||
</b:bean>
|
||||
----
|
||||
|
||||
*Alternatively*, the `ServiceProperties` can be updated to use the new default:
|
||||
|
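Review bot: the CAS samples in this hunk appear in both `<bean>`/`<property>` and `<b:bean>`/`<b:property>` form, but neither the snippets nor the surrounding text say that `b` is the prefix bound to the Spring beans namespace. A reader who pastes the prefixed form into a file where beans is the default namespace gets an unbound-prefix error. State the assumed prefix once near the first sample, or show the root element with its `xmlns:b` declaration. The context sentence "The configuration will need to be updated to something similar to the following when Spring Security 4.x:" is also missing "using".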
@ -394,10 +397,10 @@ For example, if an application using Spring Security 3.2.x contains a configurat
|
|||
|
||||
[source,xml]
|
||||
----
|
||||
<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
|
||||
<property name="userDetailsService" ref="userDetailsService" />
|
||||
<property name="targetUrl" value="/" />
|
||||
</bean>
|
||||
<b:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
|
||||
<b:property name="userDetailsService" ref="userDetailsService" />
|
||||
<b:property name="targetUrl" value="/" />
|
||||
</b:bean>
|
||||
----
|
||||
|
||||
The configuration will need to be updated to something similar to the following when Spring Security 4.x:
|
||||
|
@ -405,8 +408,8 @@ The configuration will need to be updated to something similar to the following
|
|||
[source,xml]
|
||||
----
|
||||
<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
|
||||
<property name="switchUserUrl" value="/login/impersonate" />
|
||||
<property name="exitUserUrl" value="/logout/impersonate" />
|
||||
<property name="switchUserUrl" value="/j_spring_security_switch_user" />
|
||||
<property name="exitUserUrl" value="/j_spring_security_exit_user" />
|
||||
|
||||
<property name="userDetailsService" ref="userDetailsService" />
|
||||
<property name="targetUrl" value="/" />
|
||||
|
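Review bot: the `switchUserUrl` and `exitUserUrl` lines in this hunk use unprefixed `<property>` under the unchanged `<bean id="switchUserProcessingFilter" ...>` opener, while the 3.2.x sample for the same filter in the preceding hunk carries the `<b:bean>`/`<b:property>` form. Use the same prefix in both blocks so the before and after samples differ only in the two URL properties.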
@ -445,10 +448,12 @@ In Spring Security 3.x, the following configuration
|
|||
[source,xml]
|
||||
----
|
||||
<http>
|
||||
...
|
||||
<headers>
|
||||
<frame-options policy="SAMEORIGIN"/>
|
||||
</headers>
|
||||
|
||||
...
|
||||
</http>
|
||||
----
|
||||
|
||||
would add the following header:
|
||||
|
@ -583,8 +588,10 @@ http
|
|||
A number of deprecations were removed in Spring Security 4.
|
||||
The following section describes how to migrate the removal of all deprecations.
|
||||
|
||||
[[m3to4-deprecations-acl]]
|
||||
=== spring-security-acl
|
||||
|
||||
[[m3to4-deprecations-acl-aclimpl]]
|
||||
==== AclImpl
|
||||
|
||||
AclImpl had a deprecated constructor removed. Specifically, the constructor that defaults the `PermissionGrantingStrategy` was removed:
|
||||
|
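Review bot: in the AclImpl paragraph the class name is plain text ("AclImpl had a deprecated constructor removed"), while the sibling entries put the class in backticks (`EhCacheBasedAclCache`, `ServiceAuthenticationDetailsSource`). Mark it up as `AclImpl` for consistency. The intro line "how to migrate the removal of all deprecations" would also read better as "how to migrate away from the removed deprecations".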
@ -617,6 +624,7 @@ new AclImpl(objectIdentity, id, aclAuthorizationStrategy, permissionGrantingStra
|
|||
parentAcl, loadedSids, entriesInheriting, owner);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-acl-ehcachebasedaclcache]]
|
||||
==== EhCacheBasedAclCache
|
||||
|
||||
`EhCacheBasedAclCache` had a deprecated constructor removed. Specifically, the constructor that defaults the `PermissionGrantingStrategy` was removed:
|
||||
|
@ -646,8 +654,10 @@ PermissionGrantingStrategy permissionGrantingStrategy =
|
|||
new EhCacheBasedAclCache(ehCache, permissionGrantingStrategy);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-cas]]
|
||||
=== spring-security-cas
|
||||
|
||||
[[m3to4-deprecations-cas-serviceauthenticationdetailssource]]
|
||||
==== ServiceAuthenticationDetailsSource
|
||||
|
||||
`ServiceAuthenticationDetailsSource` removed the deprecated construtors that defaulted the `ServiceProperties`.
|
||||
|
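Review bot: typo in the `ServiceAuthenticationDetailsSource` paragraph at the end of this hunk: "construtors" should be "constructors".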
@ -684,8 +694,11 @@ new ServiceAuthenticationDetailsSource(serviceProperties);
|
|||
new ServiceAuthenticationDetailsSource(serviceProperties, artifactId);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-config]]
|
||||
=== spring-security-config
|
||||
|
||||
|
||||
[[m3to4-deprecations-config-fids]]
|
||||
==== filter-invocation-definition-source
|
||||
|
||||
The XML element `filter-invocation-definition-source` was removed in favor of <<nsa-filter-security-metadata-source,filter-security-metadata-source>>.
|
||||
|
@ -707,6 +720,7 @@ it needs to be replaced with:
|
|||
</filter-security-metadata-source>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-config-http-adp]]
|
||||
==== http@access-denied-page
|
||||
The XML attribute `http@access-denied-page` was removed in favor of <<nsa-access-denied-handler-error-page,access-denied-handler@error-page>>.
|
||||
This means if you have something like this:
|
||||
|
@ -728,6 +742,7 @@ it needs to be replaced with:
|
|||
</http>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-config-http-pt]]
|
||||
==== http@path-type
|
||||
The XML attribute `http@path-type` was removed in favor of <<nsa-http-request-matcher,http@request-matcher>>.
|
||||
This means if you have something like this:
|
||||
|
@ -749,6 +764,7 @@ it needs to be replaced with:
|
|||
</http>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-config-fcm-pt]]
|
||||
==== filter-chain-map@path-type
|
||||
The XML attribute `filter-chain-map@path-type` was removed in favor of <<nsa-filter-chain-map-request-matcher,filter-chain-map@request-matcher>>.
|
||||
This means if you have something like this:
|
||||
|
@ -770,6 +786,7 @@ it needs to be replaced with:
|
|||
</filter-chain-map>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-config-sms-pt]]
|
||||
==== filter-security-metadata-source@path-type
|
||||
The XML attribute `filter-security-metadata-source@path-type` was removed in favor of <<nsa-filter-security-metadata-source-request-matcher,filter-security-metadata-source@request-matcher>>.
|
||||
This means if you have something like this:
|
||||
|
@ -791,8 +808,10 @@ it needs to be replaced with:
|
|||
</filter-security-metadata-source>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core]]
|
||||
=== spring-security-core
|
||||
|
||||
[[m3to4-deprecations-core-securityconfig]]
|
||||
==== SecurityConfig
|
||||
|
||||
`SecurityConfig.createSingleAttributeList(String)` was removed in favor of using `SecurityConfig.createList(String...)`.
|
||||
|
@ -812,6 +831,7 @@ List<ConfigAttribute> attrs =
|
|||
SecurityConfig.createList("ROLE_USER");
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-udsw]]
|
||||
==== UserDetailsServiceWrapper
|
||||
|
||||
`UserDetailsServiceWrapper` was deprecated in favor of using `RoleHierarchyAuthoritiesMapper`.
|
||||
|
@ -841,6 +861,8 @@ then it needs to be migrated with something like this:
|
|||
|
||||
TBD
|
||||
|
||||
|
||||
[[m3to4-deprecations-core-udw]]
|
||||
==== UserDetailsWrapper
|
||||
`UserDetailsWrapper` was deprecated in favor of using `RoleHierarchyAuthoritiesMapper`.
|
||||
Typically users would not use the `UserDetailsWrapper` directly. However, if they are they can use `RoleHierarchyAuthoritiesMapper`
|
||||
|
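Review bot: the migration example for `UserDetailsServiceWrapper` is still the placeholder "TBD" at the top of this hunk, directly under the "then it needs to be migrated with something like this:" lead-in. Fill in the `RoleHierarchyAuthoritiesMapper` example or drop the lead-in before this is published. The `UserDetailsWrapper` sentence "However, if they are they can use `RoleHierarchyAuthoritiesMapper`" also needs a comma after "are" and closing punctuation.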
@ -861,6 +883,7 @@ UserDetails authenticate =
|
|||
new User(userDetails.getUsername(), userDetails.getPassword(), allAuthorities);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-aadm]]
|
||||
==== AbstractAccessDecisionManager
|
||||
|
||||
The default constructor for `AbstractAccessDecisionManager` has been deprecated along with the `setDecisionVoters` method.
|
||||
|
@ -899,6 +922,7 @@ then it needs to be migrated to:
|
|||
</b:bean>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-ae]]
|
||||
==== AuthenticationException
|
||||
|
||||
The constructor that accepts extraInformation within `AuthenticationException` was removed to prevent accidental leaking of the `UserDetails`.
|
||||
|
@ -927,6 +951,8 @@ to:
|
|||
new LockedException("Message");
|
||||
----
|
||||
|
||||
|
||||
[[m3to4-deprecations-core-aap]]
|
||||
==== AnonymousAuthenticationProvider
|
||||
|
||||
`AnonymousAuthenticationProvider` default constructor and `setKey` method was deprecated in favor of using constructor injection.
|
||||
|
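Review bot: the `AnonymousAuthenticationProvider` paragraph says the default constructor and `setKey` method "was deprecated", but this section lists members removed in Spring Security 4 and the matching `RememberMeAuthenticationProvider` entry says "removed". Reword to "were removed in favor of constructor injection" so the entry matches the section's premise and the plural subject.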
@ -945,6 +971,7 @@ it should be changed to:
|
|||
AnonymousAuthenticationProvider provider = new AnonymousAuthenticationProvider(key);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-adsi]]
|
||||
==== AuthenticationDetailsSourceImpl
|
||||
|
||||
`AuthenticationDetailsSourceImpl` was deprecated in favor of writing a custom `AuthenticationDetailsSource`.
|
||||
|
@ -968,6 +995,7 @@ public CustomSourceAuthenticationDetailsSource implements AuthenticationDetailsS
|
|||
}
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-pm]]
|
||||
==== ProviderManager
|
||||
|
||||
`ProviderManager` has removed the deprecated default constructor and the correspdonding setter methods in favor of using constructor injection.
|
||||
|
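Review bot: typo in the `ProviderManager` paragraph: "correspdonding" should be "corresponding".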
@ -990,6 +1018,7 @@ then it should be changed to:
|
|||
ProviderManager provider = new ProviderManager(parent, providers);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-rmap]]
|
||||
==== RememberMeAuthenticationProvider
|
||||
`RememberMeAuthenticationProvider` had the default constructor and the `setKey` method removed in favor of constructor injection.
|
||||
For example:
|
||||
|
@ -1007,6 +1036,7 @@ should be migrated to:
|
|||
RememberMeAuthenticationProvider provider = new RememberMeAuthenticationProvider(key);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-gai]]
|
||||
==== GrantedAuthorityImpl
|
||||
|
||||
`GrantedAuthorityImpl` was removed in favor of `SimpleGrantedAuthority` or implementing your own.
|
||||
|
@ -1024,12 +1054,15 @@ should be replaced with
|
|||
new SimpleGrantedAuthority(role);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-core-imdi]]
|
||||
==== InMemoryDaoImpl
|
||||
|
||||
`InMemoryDaoImpl` was replaced in favor of `InMemoryUserDetailsManager`
|
||||
|
||||
[[m3to4-deprecations-openid]]
|
||||
==== spring-security-openid
|
||||
|
||||
[[m3to4-deprecations-openid-oi4jc]]
|
||||
==== OpenID4JavaConsumer
|
||||
|
||||
The `OpenID4JavaConsumer` constructors that accept `List<OpenIDAttribute>` have been removed in favor of using an `AxFetchListFactory`.
|
||||
|
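Review bot: `==== spring-security-openid` is a level-4 heading, while the other module headings in this section are level 3 (`=== spring-security-core`, `=== spring-security-taglibs`). As written, the OpenID module renders as a subsection of spring-security-core next to `InMemoryDaoImpl`, and `OpenID4JavaConsumer` becomes its sibling rather than its child. Change it to `=== spring-security-openid`. The `InMemoryDaoImpl` sentence is also missing its final period.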
@ -1050,6 +1083,7 @@ RegexBasedAxFetchListFactory factory = new RegexBasedAxFetchListFactory(regexMap
|
|||
new OpenIDJavaConsumer(factory);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-taglibs]]
|
||||
=== spring-security-taglibs
|
||||
|
||||
Spring Security's authorize JSP tag deprecated the properties `ifAllGranted`, `ifAnyGranted`, and `ifNotGranted` in favor of using expressions.
|
||||
|
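Review bot: the context line `new OpenIDJavaConsumer(factory);` does not match the class this entry is about, `OpenID4JavaConsumer` (heading and prose in the previous hunk), so the sample names a class that appears nowhere else on the page. Correct it to `new OpenID4JavaConsumer(factory);`.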
@ -1084,8 +1118,10 @@ can be replaced with:
|
|||
</sec:authorize>
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web]]
|
||||
=== spring-security-web
|
||||
|
||||
[[m3to4-deprecations-web-fcp]]
|
||||
==== FilterChainProxy
|
||||
|
||||
`FilterChainProxy` removed the `setFilterChainMap` method in favor of constructor injection.
|
||||
|
@ -1121,6 +1157,7 @@ FilterChainProxy filter = ...
|
|||
List<SecurityFilterChain> mappings = filter.getFilterChains();
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-etf]]
|
||||
==== ExceptionTranslationFilter
|
||||
|
||||
The default constructor for `ExceptionTranslationFilter` and the `setAuthenticationEntryPoint` method was removed in favor of using constructor injection.
|
||||
|
@ -1139,6 +1176,7 @@ can be replaced with
|
|||
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(entryPoint, requestCache);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-aapf]]
|
||||
==== AbstractAuthenticationProcessingFilter
|
||||
|
||||
`AbstractAuthenticationProcessingFilter` had its `successfulAuthentication(HttpServletRequest,HttpServletResponse,Authentication)` method removed.
|
||||
|
@ -1160,6 +1198,7 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
|
|||
}
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-aaf]]
|
||||
==== AnonymousAuthenticationFilter
|
||||
|
||||
`AnonymousAuthenticationFilter` had the default constructor and the `setKey` and `setPrincipal` methods removed in favor of constructor injection.
|
||||
|
@ -1180,6 +1219,7 @@ AnonymousAuthenticationFilter filter =
|
|||
new AnonymousAuthenticationFilter(key,attrs.getPassword(),attrs.getAuthorities());
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-luaep]]
|
||||
==== LoginUrlAuthenticationEntryPoint
|
||||
|
||||
The `LoginUrlAuthenticationEntryPoint` default constructor and the `setLoginFormUrl` method was removed in favor of constructor injection.
|
||||
|
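Review bot: in `new AnonymousAuthenticationFilter(key,attrs.getPassword(),attrs.getAuthorities());` the second argument is `attrs.getPassword()`, yet the entry describes the removed setters as `setKey` and `setPrincipal`. Passing a value called a password in the principal position will look like a mistake to readers. Add a one-line comment in the sample saying why that value is used as the principal, and put a space after each comma.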
@ -1197,10 +1237,12 @@ should be replaced with
|
|||
LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(loginFormUrl);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-pagauds]]
|
||||
==== PreAuthenticatedGrantedAuthoritiesUserDetailsService
|
||||
|
||||
`PreAuthenticatedGrantedAuthoritiesUserDetailsService` removed `createuserDetails` in favor of `createUserDetails`.
|
||||
|
||||
[[m3to4-deprecations-web-arms]]
|
||||
==== AbstractRememberMeServices
|
||||
|
||||
`AbstractRememberMeServices` and its subclasses `PersistentTokenBasedRememberMeServices` and `TokenBasedRememberMeServices` removed the default constructor and the `setKey` and `setUserDetailsService` methods in favor of constructor injection.
|
||||
|
@ -1222,6 +1264,7 @@ PersistentTokenBasedRememberMeServices services =
|
|||
new PersistentTokenBasedRememberMeServices(key, userDetailsService, tokenRepository);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-rmaf]]
|
||||
==== RememberMeAuthenticationFilter
|
||||
|
||||
`RememberMeAuthenticationFilter` default constructor and the `setAuthenticationManager` and `setRememberMeServices` methods were removed in favor of constructor injection.
|
||||
|
@ -1241,6 +1284,7 @@ RememberMeAuthenticationFilter filter =
|
|||
new RememberMeAuthenticationFilter(authenticationManager,rememberMeServices);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-tbrms]]
|
||||
==== TokenBasedRememberMeServices
|
||||
|
||||
`TokenBasedRememberMeServices` default constructor and the `setKey` and `setUserDetailsService` methods were removed in favor of constructor injection.
|
||||
|
@ -1260,6 +1304,7 @@ TokenBasedRememberMeServices services =
|
|||
new TokenBasedRememberMeServices(key,userDetailsService);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-cscs]]
|
||||
==== ConcurrentSessionControlStrategy
|
||||
|
||||
`ConcurrentSessionControlStrategy` was replaced with `ConcurrentSessionControlAuthenticationStrategy`.
|
||||
|
@ -1283,10 +1328,12 @@ delegates.add(new RegisterSessionAuthenticationStrategy(sessionRegistry));
|
|||
CompositeSessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(delegates);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-sfps]]
|
||||
==== SessionFixationProtectionStrategy
|
||||
|
||||
`SessionFixationProtectionStrategy` removed `setRetainedAttributes` method in favor of users subclassing `SessionFixationProtectionStrategy` and overriding `extractAttributes` method.
|
||||
|
||||
[[m3to4-deprecations-web-baf]]
|
||||
==== BasicAuthenticationFilter
|
||||
|
||||
`BasicAuthenticationFilter` default constructor and the `setAuthenticationManager` and `setRememberMeServices` methods were removed in favor of constructor injection.
|
||||
|
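Review bot: the `BasicAuthenticationFilter` paragraph repeats the `RememberMeAuthenticationFilter` wording verbatim (`setAuthenticationManager` and `setRememberMeServices`), but the replacement shown in the next hunk is `new BasicAuthenticationFilter(authenticationManager,entryPoint, ignoreFailure)`, which takes an entry point and an ignore-failure flag and no remember-me services. List the setters that the constructor arguments actually replace. The `SessionFixationProtectionStrategy` entry above it has no sample at all, unlike its neighbours; a short subclass overriding `extractAttributes` would help.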
@ -1307,6 +1354,7 @@ BasicAuthenticationFilter filter =
|
|||
new BasicAuthenticationFilter(authenticationManager,entryPoint, ignoreFailure);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-scpf]]
|
||||
==== SecurityContextPersistenceFilter
|
||||
|
||||
`SecurityContextPersistenceFilter` removed the `setSecurityContextRepository` in favor of constructor injection.
|
||||
|
@ -1325,6 +1373,7 @@ should be replaced with
|
|||
SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(securityContextRepository);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-rcaf]]
|
||||
==== RequestCacheAwareFilter
|
||||
|
||||
`RequestCacheAwareFilter` removed the `setRequestCache` in favor of constructor injection.
|
||||
|
@ -1343,6 +1392,7 @@ should be replaced with
|
|||
RequestCacheAwareFilter filter = new RequestCacheAwareFilter(requestCache);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-csf]]
|
||||
==== ConcurrentSessionFilter
|
||||
|
||||
`ConcurrentSessionFilter` removed the default constructor and the `setExpiredUrl` and `setSessionRegistry` methods in favor of constructor injection.
|
||||
|
@ -1362,6 +1412,7 @@ should be replaced with
|
|||
ConcurrentSessionFilter filter = new ConcurrentSessionFilter(sessionRegistry,expiredUrl);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-smf]]
|
||||
==== SessionManagementFilter
|
||||
|
||||
`SessionManagementFilter` removed the `setSessionAuthenticationStrategy` method in favor of constructor injection.
|
||||
|
@ -1380,6 +1431,7 @@ should be replaced with
|
|||
SessionManagementFilter filter = new SessionManagementFilter(securityContextRepository, sessionAuthenticationStrategy);
|
||||
----
|
||||
|
||||
[[m3to4-deprecations-web-rm]]
|
||||
==== RequestMatcher
|
||||
|
||||
The `RequestMatcher` and its implementations have moved from the package `org.springframework.security.web.util` to `org.springframework.security.web.util.matcher`.
|
||||
|
@ -1393,6 +1445,7 @@ Specifically
|
|||
* `org.springframework.security.web.util.RequestMatcherEditor` -> `org.springframework.security.web.util.matcher.RequestMatcherEditor`
|
||||
* `org.springframework.security.web.util.RegexRequestMatcher` -> `org.springframework.security.web.util.matcher.RegexRequestMatcher`
|
||||
|
||||
[[m3to4-deprecations-web-wseh]]
|
||||
==== WebSecurityExpressionHandler
|
||||
|
||||
`WebSecurityExpressionHandler` was removed in favor of using `SecurityExpressionHandler<FilterInvocation>`.
|
||||
|
@ -1411,6 +1464,7 @@ it needs to be updated to
|
|||
SecurityExpressionHandler<FilterInvocation> handler = ...
|
||||
----
|
||||
|
||||
[[m3to4-role-prefixing]]
|
||||
== Automatic ROLE_ prefixing
|
||||
|
||||
Spring Security 4 made the use of ROLE_ consistent.
|
||||
|
|