From 5dd40a7f100b2aff6c8c11f594e6aff2c5f2e1a8 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 19 Jun 2025 17:39:09 -0600
Subject: [PATCH] Remove ServerHttpSecurity and() DSL Methods
This commit removes all and() DSL methods with the exception of featurePolicy, which will be removed as a whole at another time.
Closes gh-13067
---
.../config/web/server/ServerHttpSecurity.java | 1062 +----------------
1 file changed, 5 insertions(+), 1057 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index bd0b178804..3e93825f79 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -436,48 +436,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures HTTPS redirection rules. If the default is used:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .redirectToHttps();
- * return http.build();
- * }
- *
- *
- * Then all non-HTTPS requests will be redirected to HTTPS.
- *
- * Typically, all requests should be HTTPS; however, the focus for redirection can
- * also be narrowed:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .redirectToHttps()
- * .httpsRedirectWhen((serverWebExchange) ->
- * serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https"))
- * return http.build();
- * }
- *
- * @return the {@link HttpsRedirectSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #redirectToHttps(Customizer)} or
- * {@code redirectToHttps(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HttpsRedirectSpec redirectToHttps() {
- this.httpsRedirectSpec = new HttpsRedirectSpec();
- return this.httpsRedirectSpec;
- }
-
/**
* Configures HTTPS redirection rules. If the default is used:
*
@@ -519,53 +477,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures CSRF
- * Protection which is enabled by default. You can disable it using:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .csrf().disabled();
- * return http.build();
- * }
- *
- *
- * Additional configuration options can be seen below:
- *
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .csrf()
- * // Handle CSRF failures
- * .accessDeniedHandler(accessDeniedHandler)
- * // Custom persistence of CSRF Token
- * .csrfTokenRepository(csrfTokenRepository)
- * // custom matching when CSRF protection is enabled
- * .requireCsrfProtectionMatcher(matcher);
- * return http.build();
- * }
- *
- * @return the {@link CsrfSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} or
- * {@code csrf(Customizer.withDefaults())} to stick with defaults. See the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public CsrfSpec csrf() {
- if (this.csrf == null) {
- this.csrf = new CsrfSpec();
- }
- return this.csrf;
- }
-
/**
* Configures CSRF
@@ -615,26 +526,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures CORS headers. By default if a {@link CorsConfigurationSource} Bean is
- * found, it will be used to create a {@link CorsWebFilter}. If
- * {@link CorsSpec#configurationSource(CorsConfigurationSource)} is invoked it will be
- * used instead. If neither has been configured, the Cors configuration will do
- * nothing.
- * @return the {@link CorsSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #cors(Customizer)} or
- * {@code cors(Customizer.withDefaults())} to stick with defaults. See the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public CorsSpec cors() {
- if (this.cors == null) {
- this.cors = new CorsSpec();
- }
- return this.cors;
- }
-
/**
* Configures CORS headers. By default if a {@link CorsConfigurationSource} Bean is
* found, it will be used to create a {@link CorsWebFilter}. If
@@ -653,36 +544,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Enables and Configures anonymous authentication. Anonymous Authentication is
- * disabled by default.
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .anonymous().key("key")
- * .authorities("ROLE_ANONYMOUS");
- * return http.build();
- * }
- *
- * @return the {@link AnonymousSpec} to customize
- * @since 5.2.0
- * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} or
- * {@code anonymous(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public AnonymousSpec anonymous() {
- if (this.anonymous == null) {
- this.anonymous = new AnonymousSpec();
- }
- return this.anonymous;
- }
-
/**
* Enables and Configures anonymous authentication. Anonymous Authentication is
* disabled by default.
@@ -712,37 +573,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures HTTP Basic authentication. An example configuration is provided below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .httpBasic()
- * // used for authenticating the credentials
- * .authenticationManager(authenticationManager)
- * // Custom persistence of the authentication
- * .securityContextRepository(securityContextRepository);
- * return http.build();
- * }
- *
- * @return the {@link HttpBasicSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} or
- * {@code httpBasic(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HttpBasicSpec httpBasic() {
- if (this.httpBasic == null) {
- this.httpBasic = new HttpBasicSpec();
- }
- return this.httpBasic;
- }
-
/**
* Configures HTTP Basic authentication. An example configuration is provided below:
*
@@ -803,34 +633,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures password management. An example configuration is provided below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .passwordManagement();
- * return http.build();
- * }
- *
- * @return the {@link PasswordManagementSpec} to customize
- * @since 5.6
- * @deprecated For removal in 7.0. Use {@link #passwordManagement(Customizer)} or
- * {@code passwordManagement(Customizer.withDefaults())} to stick with defaults. See
- * the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public PasswordManagementSpec passwordManagement() {
- if (this.passwordManagement == null) {
- this.passwordManagement = new PasswordManagementSpec();
- }
- return this.passwordManagement;
- }
-
/**
* Configures password management. An example configuration is provided below:
*
@@ -859,41 +661,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures form based authentication. An example configuration is provided below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .formLogin()
- * // used for authenticating the credentials
- * .authenticationManager(authenticationManager)
- * // Custom persistence of the authentication
- * .securityContextRepository(securityContextRepository)
- * // expect a log in page at "/authenticate"
- * // a POST "/authenticate" is where authentication occurs
- * // error page at "/authenticate?error"
- * .loginPage("/authenticate");
- * return http.build();
- * }
- *
- * @return the {@link FormLoginSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} or
- * {@code formLogin(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public FormLoginSpec formLogin() {
- if (this.formLogin == null) {
- this.formLogin = new FormLoginSpec();
- }
- return this.formLogin;
- }
-
/**
* Configures form based authentication. An example configuration is provided below:
*
@@ -928,39 +695,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures x509 authentication using a certificate provided by a client.
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * .x509()
- * .authenticationManager(authenticationManager)
- * .principalExtractor(principalExtractor);
- * return http.build();
- * }
- *
- *
- * Note that if extractor is not specified, {@link SubjectX500PrincipalExtractor} will
- * be used. If authenticationManager is not specified,
- * {@link ReactivePreAuthenticatedAuthenticationManager} will be used.
- * @return the {@link X509Spec} to customize
- * @since 5.2
- * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} or
- * {@code x509(Customizer.withDefaults())} to stick with defaults. See the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public X509Spec x509() {
- if (this.x509 == null) {
- this.x509 = new X509Spec();
- }
-
- return this.x509;
- }
-
/**
* Configures x509 authentication using a certificate provided by a client.
*
@@ -993,36 +727,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0
- * Provider.
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .oauth2Login()
- * .authenticationConverter(authenticationConverter)
- * .authenticationManager(manager);
- * return http.build();
- * }
- *
- * @return the {@link OAuth2LoginSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} or
- * {@code oauth2Login(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public OAuth2LoginSpec oauth2Login() {
- if (this.oauth2Login == null) {
- this.oauth2Login = new OAuth2LoginSpec();
- }
- return this.oauth2Login;
- }
-
/**
* Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0
* Provider.
@@ -1052,35 +756,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures the OAuth2 client.
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .oauth2Client()
- * .clientRegistrationRepository(clientRegistrationRepository)
- * .authorizedClientRepository(authorizedClientRepository);
- * return http.build();
- * }
- *
- * @return the {@link OAuth2ClientSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #oauth2Client(Customizer)} or
- * {@code oauth2Client(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public OAuth2ClientSpec oauth2Client() {
- if (this.client == null) {
- this.client = new OAuth2ClientSpec();
- }
- return this.client;
- }
-
/**
* Configures the OAuth2 client.
*
@@ -1109,32 +784,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures OAuth 2.0 Resource Server support.
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .oauth2ResourceServer()
- * .jwt()
- * .publicKey(publicKey());
- * return http.build();
- * }
- *
- * @return the {@link OAuth2ResourceServerSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #oauth2ResourceServer(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public OAuth2ResourceServerSpec oauth2ResourceServer() {
- if (this.resourceServer == null) {
- this.resourceServer = new OAuth2ResourceServerSpec();
- }
- return this.resourceServer;
- }
-
/**
* Configures OAuth 2.0 Resource Server support.
*
@@ -1193,51 +842,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures HTTP Response Headers. The default headers are:
- *
- *
- * Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- * Pragma: no-cache
- * Expires: 0
- * X-Content-Type-Options: nosniff
- * Strict-Transport-Security: max-age=31536000 ; includeSubDomains
- * X-Frame-Options: DENY
- * X-XSS-Protection: 0
- *- *
- * such that "Strict-Transport-Security" is only added on secure requests.
- *
- * An example configuration is provided below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .headers()
- * // customize frame options to be same origin
- * .frameOptions((frame) -> frame
- * .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN))
- * // disable cache control
- * .cache().disable();
- * return http.build();
- * }
- *
- * @return the {@link HeaderSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} or
- * {@code headers(Customizer.withDefaults())} to stick with defaults. See the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec headers() {
- if (this.headers == null) {
- this.headers = new HeaderSpec();
- }
- return this.headers;
- }
-
/**
* Configures HTTP Response Headers. The default headers are:
*
@@ -1288,36 +892,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures exception handling (i.e. handles when authentication is requested). An
- * example configuration can be found below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .exceptionHandling()
- * // customize how to request for authentication
- * .authenticationEntryPoint(entryPoint);
- * return http.build();
- * }
- *
- * @return the {@link ExceptionHandlingSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #exceptionHandling(Customizer)} or
- * {@code exceptionHandling(Customizer.withDefaults())} to stick with defaults. See
- * the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ExceptionHandlingSpec exceptionHandling() {
- if (this.exceptionHandling == null) {
- this.exceptionHandling = new ExceptionHandlingSpec();
- }
- return this.exceptionHandling;
- }
-
/**
* Configures exception handling (i.e. handles when authentication is requested). An
* example configuration can be found below:
@@ -1347,49 +921,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures authorization. An example configuration can be found below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .authorizeExchange()
- * // any URL that starts with /admin/ requires the role "ROLE_ADMIN"
- * .pathMatchers("/admin/**").hasRole("ADMIN")
- * // a POST to /users requires the role "USER_POST"
- * .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST")
- * // a request to /users/{username} requires the current authentication's username
- * // to be equal to the {username}
- * .pathMatchers("/users/{username}").access((authentication, context) ->
- * authentication
- * .map(Authentication::getName)
- * .map((username) -> username.equals(context.getVariables().get("username")))
- * .map(AuthorizationDecision::new)
- * )
- * // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM"
- * .matchers(customMatcher).hasRole("CUSTOM")
- * // any other request requires the user to be authenticated
- * .anyExchange().authenticated();
- * return http.build();
- * }
- *
- * @return the {@link AuthorizeExchangeSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #authorizeExchange(Customizer)} or
- * {@code authorizeExchange(Customizer.withDefaults())} to stick with defaults. See
- * the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public AuthorizeExchangeSpec authorizeExchange() {
- if (this.authorizeExchange == null) {
- this.authorizeExchange = new AuthorizeExchangeSpec();
- }
- return this.authorizeExchange;
- }
-
/**
* Configures authorization. An example configuration can be found below:
*
@@ -1432,38 +963,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures log out. An example configuration can be found below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .logout()
- * // configures how log out is done
- * .logoutHandler(logoutHandler)
- * // log out will be performed on POST /signout
- * .logoutUrl("/signout")
- * // configure what is done on logout success
- * .logoutSuccessHandler(successHandler);
- * return http.build();
- * }
- *
- * @return the {@link LogoutSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} or
- * {@code logout(Customizer.withDefaults())} to stick with defaults. See the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public LogoutSpec logout() {
- if (this.logout == null) {
- this.logout = new LogoutSpec();
- }
- return this.logout;
- }
-
/**
* Configures log out. An example configuration can be found below:
*
@@ -1496,34 +995,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures the request cache which is used when a flow is interrupted (i.e. due to
- * requesting credentials) so that the request can be replayed after authentication.
- * An example configuration can be found below:
- *
- *
- * @Bean
- * public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
- * http
- * // ...
- * .requestCache()
- * // configures how the request is cached
- * .requestCache(requestCache);
- * return http.build();
- * }
- *
- * @return the {@link RequestCacheSpec} to customize
- * @deprecated For removal in 7.0. Use {@link #requestCache(Customizer)} or
- * {@code requestCache(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public RequestCacheSpec requestCache() {
- return this.requestCache;
- }
-
/**
* Configures the request cache which is used when a flow is interrupted (i.e. due to
* requesting credentials) so that the request can be replayed after authentication.
@@ -1880,17 +1351,6 @@ public class ServerHttpSecurity {
postProcessor.ifUnique((p) -> this.postProcessor = p);
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #authorizeExchange(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables authorization.
* @return the {@link Access} to continue configuring
@@ -2358,16 +1818,6 @@ public class ServerHttpSecurity {
http.addFilterAt(httpsRedirectWebFilter, SecurityWebFiltersOrder.HTTPS_REDIRECT);
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated use {@link #redirectToHttps(Customizer)}
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
}
/**
@@ -2438,20 +1888,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} or
- * {@code csrf(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables CSRF Protection. Disabling CSRF Protection is only recommended when
* the application is never used within a browser.
@@ -2510,17 +1946,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #exceptionHandling(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
}
/**
@@ -2551,22 +1976,8 @@ public class ServerHttpSecurity {
protected void configure(ServerHttpSecurity http) {
ServerRequestCacheWebFilter filter = new ServerRequestCacheWebFilter();
- filter.setRequestCache(this.requestCache);
- http.addFilterAt(filter, SecurityWebFiltersOrder.SERVER_REQUEST_CACHE);
- }
-
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #requestCache(Customizer)} or
- * {@code requestCache(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
+ filter.setRequestCache(this.requestCache);
+ http.addFilterAt(filter, SecurityWebFiltersOrder.SERVER_REQUEST_CACHE);
}
/**
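Review bot: The last two statements of `configure` are deleted and re-added with the same visible text, `filter.setRequestCache(this.requestCache);` and `http.addFilterAt(filter, SecurityWebFiltersOrder.SERVER_REQUEST_CACHE);`. That suggests either a whitespace-only edit or an odd diff alignment around the closing brace; indentation is not recoverable from this page, so this is an inference. If the whitespace did change, restore the original indentation so the hunk shows only the `and()` removal and the request-cache filter registration keeps its existing blame history. The enclosing spec class starts and ends outside the hunk.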
@@ -2575,7 +1986,7 @@ public class ServerHttpSecurity {
*/
public ServerHttpSecurity disable() {
this.requestCache = NoOpServerRequestCache.getInstance();
- return and();
+ return ServerHttpSecurity.this;
}
}
@@ -2696,20 +2107,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} or
- * {@code httpBasic(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables HTTP Basic authentication.
* @return the {@link ServerHttpSecurity} to continue configuring
@@ -2783,17 +2180,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}.
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #passwordManagement(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
protected void configure(ServerHttpSecurity http) {
ExchangeMatcherRedirectWebFilter changePasswordWebFilter = new ExchangeMatcherRedirectWebFilter(
new PathPatternParserServerWebExchangeMatcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN),
@@ -2967,20 +2353,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} or
- * {@code formLogin(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables HTTP Basic authentication.
* @return the {@link ServerHttpSecurity} to continue configuring
@@ -3114,20 +2486,6 @@ public class ServerHttpSecurity {
this.crossOriginResourcePolicy));
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} or
- * {@code headers(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables http response headers
* @return the {@link ServerHttpSecurity} to continue configuring
@@ -3137,20 +2495,6 @@ public class ServerHttpSecurity {
return ServerHttpSecurity.this;
}
- /**
- * Configures cache control headers
- * @return the {@link CacheSpec} to configure
- * @deprecated For removal in 7.0. Use {@link #cache(Customizer)} or
- * {@code cache(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public CacheSpec cache() {
- return new CacheSpec();
- }
-
/**
* Configures cache control headers
* @param cacheCustomizer the {@link Customizer} to provide more options for the
@@ -3162,17 +2506,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures content type response headers
- * @return the {@link ContentTypeOptionsSpec} to configure
- * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ContentTypeOptionsSpec contentTypeOptions() {
- return new ContentTypeOptionsSpec();
- }
-
/**
* Configures content type response headers
* @param contentTypeOptionsCustomizer the {@link Customizer} to provide more
@@ -3184,20 +2517,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures frame options response headers
- * @return the {@link FrameOptionsSpec} to configure
- * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} or
- * {@code frameOptions(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public FrameOptionsSpec frameOptions() {
- return new FrameOptionsSpec();
- }
-
/**
* Configures frame options response headers
* @param frameOptionsCustomizer the {@link Customizer} to provide more options
@@ -3222,20 +2541,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures the Strict Transport Security response headers
- * @return the {@link HstsSpec} to configure
- * @deprecated For removal in 7.0. Use {@link #hsts(Customizer)} or
- * {@code hsts(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HstsSpec hsts() {
- return new HstsSpec();
- }
-
/**
* Configures the Strict Transport Security response headers
* @param hstsCustomizer the {@link Customizer} to provide more options for the
@@ -3253,20 +2558,6 @@ public class ServerHttpSecurity {
http.addFilterAt(result, SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
}
- /**
- * Configures x-xss-protection response header.
- * @return the {@link XssProtectionSpec} to configure
- * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} or
- * {@code xssProtection(Customizer.withDefaults())} to stick with defaults. See
- * the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public XssProtectionSpec xssProtection() {
- return new XssProtectionSpec();
- }
-
/**
* Configures x-xss-protection response header.
* @param xssProtectionCustomizer the {@link Customizer} to provide more options
@@ -3278,18 +2569,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures {@code Content-Security-Policy} response header.
- * @param policyDirectives the policy directive(s)
- * @return the {@link ContentSecurityPolicySpec} to configure
- * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)}
- * instead.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ContentSecurityPolicySpec contentSecurityPolicy(String policyDirectives) {
- return new ContentSecurityPolicySpec(policyDirectives);
- }
-
/**
* Configures {@code Content-Security-Policy} response header.
* @param contentSecurityPolicyCustomizer the {@link Customizer} to provide more
@@ -3313,17 +2592,6 @@ public class ServerHttpSecurity {
return new FeaturePolicySpec(policyDirectives);
}
- /**
- * Configures {@code Permissions-Policy} response header.
- * @return the {@link PermissionsPolicySpec} to configure
- * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
- * instead.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public PermissionsPolicySpec permissionsPolicy() {
- return new PermissionsPolicySpec();
- }
-
/**
* Configures {@code Permissions-Policy} response header.
* @param permissionsPolicyCustomizer the {@link Customizer} to provide more
@@ -3335,29 +2603,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures {@code Referrer-Policy} response header.
- * @param referrerPolicy the policy to use
- * @return the {@link ReferrerPolicySpec} to configure
- * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)}
- * instead.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ReferrerPolicySpec referrerPolicy(ReferrerPolicy referrerPolicy) {
- return new ReferrerPolicySpec(referrerPolicy);
- }
-
- /**
- * Configures {@code Referrer-Policy} response header.
- * @return the {@link ReferrerPolicySpec} to configure
- * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)}
- * instead.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ReferrerPolicySpec referrerPolicy() {
- return new ReferrerPolicySpec();
- }
-
/**
* Configures {@code Referrer-Policy} response header.
* @param referrerPolicyCustomizer the {@link Customizer} to provide more options
@@ -3369,21 +2614,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures the
- * Cross-Origin-Opener-Policy header.
- * @return the {@link CrossOriginOpenerPolicySpec} to configure
- * @since 5.7
- * @deprecated For removal in 7.0. Use
- * {@link #crossOriginOpenerPolicy(Customizer)} instead.
- * @see CrossOriginOpenerPolicyServerHttpHeadersWriter
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public CrossOriginOpenerPolicySpec crossOriginOpenerPolicy() {
- return new CrossOriginOpenerPolicySpec();
- }
-
/**
* Configures the
@@ -3398,21 +2628,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures the
- * Cross-Origin-Embedder-Policy header.
- * @return the {@link CrossOriginEmbedderPolicySpec} to configure
- * @since 5.7
- * @deprecated For removal in 7.0. Use
- * {@link #crossOriginEmbedderPolicy(Customizer)} instead.
- * @see CrossOriginEmbedderPolicyServerHttpHeadersWriter
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public CrossOriginEmbedderPolicySpec crossOriginEmbedderPolicy() {
- return new CrossOriginEmbedderPolicySpec();
- }
-
/**
* Configures the
@@ -3427,21 +2642,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Configures the
- * Cross-Origin-Resource-Policy header.
- * @return the {@link CrossOriginResourcePolicySpec} to configure
- * @since 5.7
- * @deprecated For removal in 7.0. Use
- * {@link #crossOriginResourcePolicy(Customizer)} instead.
- * @see CrossOriginResourcePolicyServerHttpHeadersWriter
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public CrossOriginResourcePolicySpec crossOriginResourcePolicy() {
- return new CrossOriginResourcePolicySpec();
- }
-
/**
* Configures the
@@ -3516,18 +2716,6 @@ public class ServerHttpSecurity {
*/
public HeaderSpec mode(XFrameOptionsServerHttpHeadersWriter.Mode mode) {
HeaderSpec.this.frameOptions.setMode(mode);
- return and();
- }
-
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- private HeaderSpec and() {
return HeaderSpec.this;
}
@@ -3537,7 +2725,7 @@ public class ServerHttpSecurity {
*/
public HeaderSpec disable() {
HeaderSpec.this.writers.remove(HeaderSpec.this.frameOptions);
- return and();
+ return HeaderSpec.this;
}
}
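Review bot: The Javadoc on this `disable()` (it starts above the hunk) does not say what protection is given up, and since the hunk already touches the method it is a good moment to fix that. The body calls `HeaderSpec.this.writers.remove(HeaderSpec.this.frameOptions)`, so the X-Frame-Options writer is dropped from the header writers and this spec no longer adds any framing restriction. I would add a sentence such as `Removes the X-Frame-Options writer; if framing must still be restricted, set a frame-ancestors directive through contentSecurityPolicy(Customizer).` The `disable()` in the later `@@ -3972` hunk has the same gap: its Javadoc is only `Disables log out`, while the body sets `ServerHttpSecurity.this.logout = null`, which presumably means no logout handling is registered at all.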
@@ -3590,21 +2778,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #hsts(Customizer)} or
- * {@code hsts(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
/**
* Disables strict transport security response header
* @return the {@link HeaderSpec} to continue configuring
@@ -3685,18 +2858,6 @@ public class ServerHttpSecurity {
return HeaderSpec.this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}.
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use
- * {@link #contentSecurityPolicy(Customizer)} instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
private ContentSecurityPolicySpec(String policyDirectives) {
HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(policyDirectives);
}
@@ -3750,18 +2911,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}.
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
}
/**
@@ -3790,18 +2939,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}.
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
}
/**
@@ -3824,18 +2961,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}.
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use
- * {@link #crossOriginOpenerPolicy(Customizer)} instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
}
/**
@@ -3858,18 +2983,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}.
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use
- * {@link #crossOriginEmbedderPolicy(Customizer)} instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
}
/**
@@ -3892,18 +3005,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}.
- * @return the {@link HeaderSpec} to continue configuring
- * @deprecated For removal in 7.0. Use
- * {@link #crossOriginResourcePolicy(Customizer)} instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public HeaderSpec and() {
- return HeaderSpec.this;
- }
-
}
}
@@ -3972,27 +3073,13 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} or
- * {@code logout(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables log out
* @return the {@link ServerHttpSecurity} to continue configuring
*/
public ServerHttpSecurity disable() {
ServerHttpSecurity.this.logout = null;
- return and();
+ return ServerHttpSecurity.this;
}
private ServerLogoutHandler createLogoutHandler() {
@@ -4089,20 +3176,6 @@ public class ServerHttpSecurity {
return ServerHttpSecurity.this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #cors(Customizer)} or
- * {@code cors(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
protected void configure(ServerHttpSecurity http) {
CorsWebFilter corsFilter = getCorsFilter();
if (corsFilter != null) {
@@ -4154,18 +3227,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} or
- * {@code x509(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
protected void configure(ServerHttpSecurity http) {
ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
X509PrincipalExtractor principalExtractor = getPrincipalExtractor();
@@ -4466,20 +3527,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} or
- * {@code oauth2Login(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
protected void configure(ServerHttpSecurity http) {
ReactiveClientRegistrationRepository clientRegistrationRepository = getClientRegistrationRepository();
ServerOAuth2AuthorizedClientRepository authorizedClientRepository = getAuthorizedClientRepository();
@@ -4998,20 +4045,6 @@ public class ServerHttpSecurity {
return this.authorizationRedirectStrategy;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #oauth2Client(Customizer)} or
- * {@code oauth2Client(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
protected void configure(ServerHttpSecurity http) {
ServerOAuth2AuthorizedClientRepository authorizedClientRepository = getAuthorizedClientRepository();
ServerAuthenticationConverter authenticationConverter = getAuthenticationConverter();
@@ -5152,22 +4185,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Enables JWT Resource Server support.
- * @return the {@link JwtSpec} for additional configuration
- * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} or
- * {@code jwt(Customizer.withDefaults())} to stick with defaults. See the documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public JwtSpec jwt() {
- if (this.jwt == null) {
- this.jwt = new JwtSpec();
- }
- return this.jwt;
- }
-
/**
* Enables JWT Resource Server support.
* @param jwtCustomizer the {@link Customizer} to provide more options for the
@@ -5182,23 +4199,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Enables Opaque Token Resource Server support.
- * @return the {@link OpaqueTokenSpec} for additional configuration
- * @deprecated For removal in 7.0. Use {@link #opaqueToken(Customizer)} or
- * {@code opaqueToken(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public OpaqueTokenSpec opaqueToken() {
- if (this.opaqueToken == null) {
- this.opaqueToken = new OpaqueTokenSpec();
- }
- return this.opaqueToken;
- }
-
/**
* Enables Opaque Token Resource Server support.
* @param opaqueTokenCustomizer the {@link Customizer} to provide more options for
@@ -5283,15 +4283,6 @@ public class ServerHttpSecurity {
return new ServerAuthenticationEntryPointFailureHandler(this.entryPoint);
}
- /**
- * @deprecated For removal in 7.0. Use {@link #oauth2ResourceServer(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Configures JWT Resource Server Support
*/
@@ -5361,18 +4352,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} or
- * {@code jwt(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public OAuth2ResourceServerSpec and() {
- return OAuth2ResourceServerSpec.this;
- }
-
protected void configure(ServerHttpSecurity http) {
ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
AuthenticationWebFilter oauth2 = new AuthenticationWebFilter(authenticationManager);
@@ -5481,18 +4460,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the
- * {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #opaqueToken(Customizer)}
- * instead
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public OAuth2ResourceServerSpec and() {
- return OAuth2ResourceServerSpec.this;
- }
-
protected ReactiveAuthenticationManager getAuthenticationManager() {
OpaqueTokenReactiveAuthenticationManager authenticationManager = new OpaqueTokenReactiveAuthenticationManager(
getIntrospector());
@@ -5581,11 +4548,6 @@ public class ServerHttpSecurity {
return this;
}
- @Deprecated(forRemoval = true, since = "6.2")
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
void configure(ServerHttpSecurity http) {
if (this.backChannel != null) {
this.backChannel.configure(http);
@@ -5884,20 +4846,6 @@ public class ServerHttpSecurity {
return this;
}
- /**
- * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
- * @return the {@link ServerHttpSecurity} to continue configuring
- * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} or
- * {@code anonymous(Customizer.withDefaults())} to stick with defaults. See the
- * documentation
- * for more details.
- */
- @Deprecated(since = "6.1", forRemoval = true)
- public ServerHttpSecurity and() {
- return ServerHttpSecurity.this;
- }
-
/**
* Disables anonymous authentication.
* @return the {@link ServerHttpSecurity} to continue configuring