Fix JDK 9

Issue: gh-5160

build.gradle

@@ -30,3 +30,11 @@ gradle.taskGraph.whenReady { graph ->
 		}
 	}
 }
+
+
+subprojects {
+	plugins.withType(JavaPlugin) {
+		project.sourceCompatibility='1.8'
+	}
+}
+

cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java

@@ -137,7 +137,9 @@ public class CasAuthenticationTokenMixinTests {
 		assertThat(token.getUserDetails()).isNotNull().isInstanceOf(User.class);
 		assertThat(token.getAssertion()).isNotNull().isInstanceOf(AssertionImpl.class);
 		assertThat(token.getKeyHash()).isEqualTo(KEY.hashCode());
-		assertThat(token.getUserDetails().getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER"));
+		assertThat(token.getUserDetails().getAuthorities())
+			.extracting(GrantedAuthority::getAuthority)
+			.containsOnly("ROLE_USER");
 		assertThat(token.getAssertion().getAuthenticationDate()).isEqualTo(START_DATE);
 		assertThat(token.getAssertion().getValidFromDate()).isEqualTo(START_DATE);
 		assertThat(token.getAssertion().getValidUntilDate()).isEqualTo(END_DATE);

config/spring-security-config.gradle

@@ -36,6 +36,7 @@ dependencies {
 	testCompile spockDependencies
 	testCompile 'ch.qos.logback:logback-classic'
 	testCompile 'javax.annotation:jsr250-api:1.0'
+	testCompile 'javax.xml.bind:jaxb-api'
 	testCompile 'ldapsdk:ldapsdk:4.1'
 	testCompile('net.sourceforge.htmlunit:htmlunit') {
 		exclude group: 'commons-logging', module: 'commons-logging'

core/src/main/java/org/springframework/security/core/userdetails/User.java

@@ -327,6 +327,7 @@ public class User implements UserDetails, CredentialsContainer {
 	 * acceptable for demos and getting started. For production purposes, ensure the
 	 * password is encoded externally. See the method Javadoc for additional details.
 	 */
+	@Deprecated
 	public static UserBuilder withDefaultPasswordEncoder() {
 		logger.warn("User.withDefaultPasswordEncoder() is considered unsafe for production and is only intended for sample applications.");
 		PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java

@@ -18,16 +18,28 @@ package org.springframework.security.jackson2;
 
 import com.fasterxml.jackson.annotation.JacksonAnnotation;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
-import com.fasterxml.jackson.databind.*;
+import com.fasterxml.jackson.databind.DatabindContext;
+import com.fasterxml.jackson.databind.DeserializationConfig;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.Module;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.cfg.MapperConfig;
-import com.fasterxml.jackson.databind.jsontype.*;
+import com.fasterxml.jackson.databind.jsontype.NamedType;
+import com.fasterxml.jackson.databind.jsontype.TypeIdResolver;
+import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.util.ClassUtils;
 
 import java.io.IOException;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
 /**
  * This utility class will find all the SecurityModules in classpath.

core/src/test/java/org/springframework/security/jackson2/SecurityContextMixinTests.java

@@ -16,7 +16,12 @@
 
 package org.springframework.security.jackson2;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+
 import org.json.JSONException;
 import org.junit.Test;
 import org.skyscreamer.jsonassert.JSONAssert;
@@ -25,10 +30,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextImpl;
 
-import java.io.IOException;
+import com.fasterxml.jackson.core.JsonProcessingException;
-import java.util.Collections;
-
-import static org.assertj.core.api.Assertions.assertThat;
 
 /**
  * @author Jitendra Singh
@@ -59,6 +61,8 @@ public class SecurityContextMixinTests extends AbstractMixinTests {
 		assertThat(context.getAuthentication().getPrincipal()).isEqualTo("admin");
 		assertThat(context.getAuthentication().getCredentials()).isEqualTo("1234");
 		assertThat(context.getAuthentication().isAuthenticated()).isTrue();
-		assertThat(context.getAuthentication().getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER"));
+		Collection authorities = context.getAuthentication().getAuthorities();
+		assertThat(authorities).hasSize(1);
+		assertThat(authorities).contains(new SimpleGrantedAuthority("ROLE_USER"));
 	}
 }

crypto/src/main/java/org/springframework/security/crypto/codec/Base64.java

@@ -26,6 +26,7 @@ package org.springframework.security.crypto.codec;
  * @since 3.0
  * @deprecated Use java.util.Base64
  */
+@Deprecated
 public final class Base64 {
 
 	/** No options specified. Value is zero. */

data/spring-security-data.gradle

@@ -2,6 +2,8 @@ apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {
 	compile project(':spring-security-core')
+	compile 'javax.xml.bind:jaxb-api'
 	compile 'org.springframework.data:spring-data-commons'
 	compile 'org.springframework:spring-core'
+
 }

gradle/dependency-management.gradle

@@ -58,6 +58,8 @@ dependencyManagement {
 		dependency 'com.nimbusds:oauth2-oidc-sdk:5.56'
 		dependency 'com.squareup.okhttp3:okhttp:3.9.0'
 		dependency 'com.squareup.okio:okio:1.13.0'
+		dependency 'com.sun.xml.bind:jaxb-core:2.3.0'
+		dependency 'com.sun.xml.bind:jaxb-impl:2.3.0'
 		dependency 'com.unboundid:unboundid-ldapsdk:4.0.4'
 		dependency 'com.vaadin.external.google:android-json:0.0.20131108.vaadin1'
 		dependency 'commons-cli:commons-cli:1.4'
@@ -76,6 +78,7 @@ dependencyManagement {
 		dependency 'javax.servlet.jsp:javax.servlet.jsp-api:2.3.2-b02'
 		dependency 'javax.servlet:javax.servlet-api:4.0.0'
 		dependency 'javax.validation:validation-api:2.0.1.Final'
+		dependency 'javax.xml.bind:jaxb-api:2.3.0'
 		dependency 'junit:junit:4.12'
 		dependency 'ldapsdk:ldapsdk:4.1'
 		dependency 'net.bytebuddy:byte-buddy-agent:1.7.9'
@@ -139,16 +142,16 @@ dependencyManagement {
 		dependency 'org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.0.44'
 		dependency 'org.apache.tomcat.embed:tomcat-embed-websocket:8.5.23'
 		dependency 'org.apache.tomcat:tomcat-annotations-api:8.5.23'
-		dependency 'org.aspectj:aspectjrt:1.8.13'
+		dependency 'org.aspectj:aspectjrt:1.9.0.RC2'
-		dependency 'org.aspectj:aspectjtools:1.8.13'
+		dependency 'org.aspectj:aspectjtools:1.9.0.RC2'
 		dependency 'org.aspectj:aspectjweaver:1.8.13'
 		dependency 'org.assertj:assertj-core:3.9.0'
 		dependency 'org.attoparser:attoparser:2.0.4.RELEASE'
 		dependency 'org.bouncycastle:bcpkix-jdk15on:1.59'
 		dependency 'org.bouncycastle:bcprov-jdk15on:1.58'
-		dependency 'org.codehaus.groovy:groovy-all:2.5.0-beta-1'
+		dependency 'org.codehaus.groovy:groovy-all:2.4.14'
-		dependency 'org.codehaus.groovy:groovy-json:2.5.0-beta-1'
+		dependency 'org.codehaus.groovy:groovy-json:2.4.14'
-		dependency 'org.codehaus.groovy:groovy:2.5.0-beta-1'
+		dependency 'org.codehaus.groovy:groovy:2.4.14'
 		dependency 'org.eclipse.jdt:ecj:3.12.3'
 		dependency 'org.eclipse.jetty.websocket:websocket-api:9.4.7.v20170914'
 		dependency 'org.eclipse.jetty.websocket:websocket-client:9.4.7.v20170914'

samples/javaconfig/hellomvc/spring-security-samples-javaconfig-hellomvc.gradle

@@ -7,6 +7,7 @@ dependencies {
 	compile project(':spring-security-web')
 	compile 'javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api'
 	compile 'javax.validation:validation-api'
+	compile 'javax.xml.bind:jaxb-api'
 	compile 'org.hibernate:hibernate-validator'
 	compile 'org.springframework:spring-jdbc'
 	compile 'org.springframework:spring-webmvc'

samples/javaconfig/inmemory/spring-security-samples-javaconfig-inmemory.gradle

@@ -7,6 +7,7 @@ dependencies {
 	compile project(':spring-security-web')
 	compile 'javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api'
 	compile 'javax.validation:validation-api'
+	compile 'javax.xml.bind:jaxb-api'
 	compile 'org.hibernate:hibernate-validator'
 	compile 'org.springframework:spring-jdbc'
 	compile 'org.springframework:spring-webmvc'

samples/javaconfig/ldap/spring-security-samples-javaconfig-ldap.gradle

@@ -24,6 +24,7 @@ dependencies {
 	compile project(':spring-security-web')
 	compile 'javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api'
 	compile 'javax.validation:validation-api'
+	compile 'javax.xml.bind:jaxb-api'
 	compile 'org.hibernate:hibernate-validator'
 	compile 'org.springframework:spring-webmvc'
 	compile apachedsDependencies

samples/javaconfig/openid/spring-security-samples-javaconfig-openid.gradle

@@ -8,6 +8,7 @@ dependencies {
 	compile project(':spring-security-web')
 	compile 'javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api'
 	compile 'javax.validation:validation-api'
+	compile 'javax.xml.bind:jaxb-api'
 	compile 'org.hibernate:hibernate-validator'
 	compile 'org.springframework:spring-jdbc'
 	compile 'org.springframework:spring-webmvc'

samples/xml/insecure/spring-security-samples-xml-insecure.gradle

@@ -19,6 +19,7 @@ apply plugin: 'io.spring.convention.spring-sample-war'
 dependencies {
 	compile jstlDependencies
 	compile slf4jDependencies
+	compile 'javax.xml.bind:jaxb-api'
 
 	providedCompile 'javax.servlet:javax.servlet-api'
 	providedCompile 'javax.servlet.jsp:javax.servlet.jsp-api'

samples/xml/insecuremvc/spring-security-samples-xml-insecuremvc.gradle

@@ -5,6 +5,7 @@ dependencies {
 	compile slf4jDependencies
 	compile 'javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api'
 	compile 'javax.validation:validation-api'
+	compile 'javax.xml.bind:jaxb-api'
 	compile 'org.hibernate:hibernate-validator'
 	compile 'org.springframework:spring-jdbc'
 	compile 'org.springframework:spring-webmvc'

test/spring-security-test.gradle

@@ -14,6 +14,7 @@ dependencies {
 
 	testCompile 'com.fasterxml.jackson.core:jackson-databind'
 	testCompile 'io.projectreactor:reactor-test'
+	testCompile 'javax.xml.bind:jaxb-api'
 	testCompile 'org.skyscreamer:jsonassert'
 	testCompile 'org.springframework:spring-webmvc'
 	testCompile 'org.springframework:spring-tx'

test/src/test/java/org/springframework/security/test/context/support/WithSecurityContextTestExcecutionListenerTests.java

@@ -101,7 +101,7 @@ public class WithSecurityContextTestExcecutionListenerTests {
 		SqlScriptsTestExecutionListener sql = new SqlScriptsTestExecutionListener();
 		WithSecurityContextTestExecutionListener security = new WithSecurityContextTestExecutionListener();
 
-		List<? extends TestExecutionListener> listeners = Arrays.asList(security, sql);
+		List<TestExecutionListener> listeners = Arrays.asList(security, sql);
 
 		AnnotationAwareOrderComparator.sort(listeners);
 

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsUserTests.java

@@ -24,6 +24,7 @@ import static org.powermock.api.mockito.PowerMockito.when;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 
 import java.util.Arrays;
+import java.util.List;
 
 import javax.servlet.http.HttpServletResponse;
 
@@ -114,8 +115,8 @@ public class SecurityMockMvcRequestPostProcessorsUserTests {
 		verify(repository).saveContext(contextCaptor.capture(), eq(request),
 				any(HttpServletResponse.class));
 		SecurityContext context = contextCaptor.getValue();
-		assertThat(context.getAuthentication().getAuthorities()).containsOnly(authority1,
+		assertThat((List<GrantedAuthority>) context.getAuthentication().getAuthorities())
-				authority2);
+				.containsOnly(authority1, authority2);
 	}
 
 	@Test(expected = IllegalArgumentException.class)
@@ -133,12 +134,12 @@ public class SecurityMockMvcRequestPostProcessorsUserTests {
 		verify(repository).saveContext(contextCaptor.capture(), eq(request),
 				any(HttpServletResponse.class));
 		SecurityContext context = contextCaptor.getValue();
-		assertThat(context.getAuthentication().getAuthorities()).containsOnly(authority1,
+		assertThat((List<GrantedAuthority>) context.getAuthentication().getAuthorities())
-				authority2);
+				.containsOnly(authority1, authority2);
 	}
 
 	private void mockWebTestUtils() {
 		spy(WebTestUtils.class);
 		when(WebTestUtils.getSecurityContextRepository(request)).thenReturn(repository);
 	}
-}
+}

web/spring-security-web.gradle

@@ -21,12 +21,12 @@ dependencies {
 	testCompile project(path: ':spring-security-core', configuration: 'tests')
 	testCompile 'commons-codec:commons-codec'
 	testCompile 'io.projectreactor:reactor-test'
+	testCompile 'javax.xml.bind:jaxb-api'
 	testCompile 'org.codehaus.groovy:groovy-all'
 	testCompile 'org.skyscreamer:jsonassert'
 	testCompile 'org.springframework:spring-webflux'
 	testCompile powerMock2Dependencies
 	testCompile spockDependencies
-	testCompile slf4jDependencies
 
 	testRuntime 'org.hsqldb:hsqldb'
 }

web/src/main/java/org/springframework/security/web/authentication/preauth/websphere/DefaultWASUsernameAndGroupsExtractor.java

@@ -25,7 +25,6 @@ import java.util.List;
 import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
-import javax.rmi.PortableRemoteObject;
 import javax.security.auth.Subject;
 
 import org.apache.commons.logging.Log;
@@ -44,6 +43,8 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
 	private static final Log logger = LogFactory
 			.getLog(DefaultWASUsernameAndGroupsExtractor.class);
 
+	private static final String PORTABLE_REMOTE_OBJECT_CLASSNAME = "javax.rmi.PortableRemoteObject";
+
 	private static final String USER_REGISTRY = "UserRegistry";
 
 	private static Method getRunAsSubject = null;
@@ -52,6 +53,8 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
 
 	private static Method getSecurityName = null;
 
+	private static Method narrow = null;
+
 	// SEC-803
 	private static Class<?> wsCredentialClass = null;
 
@@ -80,7 +83,7 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
 					.iterator().next();
 			if (credential != null) {
 				userSecurityName = (String) invokeMethod(getSecurityNameMethod(),
-						credential, null);
+						credential);
 			}
 		}
 		if (logger.isDebugEnabled()) {
@@ -125,8 +128,7 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
 			// TODO: Cache UserRegistry object
 			ic = new InitialContext();
 			Object objRef = ic.lookup(USER_REGISTRY);
-			Object userReg = PortableRemoteObject.narrow(objRef,
+			Object userReg = invokeMethod(getNarrowMethod(), null , objRef, Class.forName("com.ibm.websphere.security.UserRegistry"));
-					Class.forName("com.ibm.websphere.security.UserRegistry"));
 			if (logger.isDebugEnabled()) {
 				logger.debug("Determining WebSphere groups for user " + securityName
 						+ " using WebSphere UserRegistry " + userReg);
@@ -156,7 +158,7 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
 		}
 	}
 
-	private static Object invokeMethod(Method method, Object instance, Object[] args) {
+	private static Object invokeMethod(Method method, Object instance, Object... args) {
 		try {
 			return method.invoke(instance, args);
 		}
@@ -230,6 +232,13 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
 		return getSecurityName;
 	}
 
+	private static Method getNarrowMethod() {
+		if (narrow == null) {
+			narrow = getMethod(PORTABLE_REMOTE_OBJECT_CLASSNAME, "narrow", new String[] { Object.class.getName() , Class.class.getName()});
+		}
+		return narrow;
+	}
+
 	// SEC-803
 	private static Class<?> getWSCredentialClass() {
 		if (wsCredentialClass == null) {

web/src/main/java/org/springframework/security/web/bind/annotation/AuthenticationPrincipal.java

@@ -37,6 +37,7 @@ import org.springframework.security.core.Authentication;
 @Target({ ElementType.PARAMETER, ElementType.ANNOTATION_TYPE })
 @Retention(RetentionPolicy.RUNTIME)
 @Documented
+@Deprecated
 public @interface AuthenticationPrincipal {
 
 	/**

web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java

@@ -162,6 +162,7 @@ public class ConcurrentSessionFilter extends GenericFilterBean {
 	 * @return the URL for expiration
 	 * @deprecated Use {@link #ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy)} instead.
 	 */
+	@Deprecated
 	protected String determineExpiredUrl(HttpServletRequest request,
 			SessionInformation info) {
 		return expiredUrl;
@@ -182,6 +183,7 @@ public class ConcurrentSessionFilter extends GenericFilterBean {
 	 * @param redirectStrategy the {@link RedirectStrategy} to use
 	 * @deprecated use {@link #ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy)} instead.
 	 */
+	@Deprecated
 	public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
 		this.redirectStrategy = redirectStrategy;
 	}