Deprecate SecurityMetadataSource

Closes gh-16772
9 months ago · 989aee244b
5 changed files with 42 additions and 1 deletions
--- a/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/SecurityMetadataSource.java
@ -20,13 +20,22 @@ import java.util.Collection;
				@@ -20,13 +20,22 @@ import java.util.Collection;

 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;

 /**
 * Implemented by classes that store and can identify the {@link ConfigAttribute}s that
 * applies to a given secure object invocation.
 *
 * @author Ben Alex
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
 */
+@Deprecated
 public interface SecurityMetadataSource extends AopInfrastructureBean {

 	/**
--- a/web/src/main/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/expression/ExpressionBasedFilterInvocationSecurityMetadataSource.java
@ -31,6 +31,8 @@ import org.springframework.expression.ExpressionParser;
				@@ -31,6 +31,8 @@ import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.ParseException;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.expression.SecurityExpressionHandler;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@ -43,7 +45,14 @@ import org.springframework.util.Assert;
				@@ -43,7 +45,14 @@ import org.springframework.util.Assert;
 * @author Luke Taylor
 * @author Eddú Meléndez
 * @since 3.0
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
 */
+@Deprecated
 public final class ExpressionBasedFilterInvocationSecurityMetadataSource
 		extends DefaultFilterInvocationSecurityMetadataSource {

--- a/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/DefaultFilterInvocationSecurityMetadataSource.java
@ -28,6 +28,8 @@ import org.apache.commons.logging.LogFactory;
				@@ -28,6 +28,8 @@ import org.apache.commons.logging.LogFactory;

 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.util.matcher.RequestMatcher;

@ -50,7 +52,14 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
				@@ -50,7 +52,14 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
 *
 * @author Ben Alex
 * @author Luke Taylor
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
 */
+@Deprecated
 public class DefaultFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

 	protected final Log logger = LogFactory.getLog(getClass());
--- a/web/src/main/java/org/springframework/security/web/access/intercept/FilterInvocationSecurityMetadataSource.java
+++ b/web/src/main/java/org/springframework/security/web/access/intercept/FilterInvocationSecurityMetadataSource.java
@ -17,6 +17,8 @@
				@@ -17,6 +17,8 @@
 package org.springframework.security.web.access.intercept;

 import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.FilterInvocation;

 /**
@ -24,7 +26,14 @@ import org.springframework.security.web.FilterInvocation;
				@@ -24,7 +26,14 @@ import org.springframework.security.web.FilterInvocation;
 * designed to perform lookups keyed on {@link FilterInvocation}s.
 *
 * @author Ben Alex
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
 */
+@Deprecated
 public interface FilterInvocationSecurityMetadataSource extends SecurityMetadataSource {

 }
--- a/web/src/main/java/org/springframework/security/web/servlet/util/matcher/PathPatternRequestMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/servlet/util/matcher/PathPatternRequestMatcher.java
@ -127,7 +127,12 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
				@@ -127,7 +127,12 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
 	}

 	private RequestPath getRequestPath(HttpServletRequest request) {
-		return ServletRequestPathUtils.getParsedRequestPath(request);
+		if (ServletRequestPathUtils.hasParsedRequestPath(request)) {
+			return ServletRequestPathUtils.getParsedRequestPath(request);
+		}
+		else {
+			return ServletRequestPathUtils.parseAndCache(request);
+		}
 	}

 	/**