Deprecate ConfigAttribute

jzheaux · jzheaux · commit 8e9634d25ca2 · 2025-03-19T17:39:38.000-06:00
Closes gh-16774
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
@@ -22,7 +22,9 @@
 import java.util.List;
 
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -36,7 +38,14 @@
  * @see ChannelSecurityConfigurer
  * @see UrlAuthorizationConfigurer
  * @see ExpressionUrlAuthorizationConfigurer
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public abstract class AbstractConfigAttributeRequestMatcherRegistry<C> extends AbstractRequestMatcherRegistry<C> {
 
 	private List<UrlMapping> urlMappings = new ArrayList<>();
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
@@ -151,6 +151,7 @@ private FilterSecurityInterceptor createFilterSecurityInterceptor(H http,
 		return securityInterceptor;
 	}
 
+	@Deprecated
 	public abstract class AbstractInterceptUrlRegistry<R extends AbstractInterceptUrlRegistry<R, T>, T>
 			extends AbstractConfigAttributeRequestMatcherRegistry<T> {
 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@@ -202,6 +202,7 @@ private static String hasIpAddress(String ipAddressExpression) {
 		return "hasIpAddress('" + ipAddressExpression + "')";
 	}
 
+	@Deprecated
 	public final class ExpressionInterceptUrlRegistry extends
 			ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<ExpressionInterceptUrlRegistry, AuthorizedUrl> {
 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java
@@ -203,6 +203,7 @@ private static String[] hasAnyAuthority(String... authorities) {
 		return authorities;
 	}
 
+	@Deprecated
 	public final class StandardInterceptUrlRegistry extends
 			UrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<StandardInterceptUrlRegistry, AuthorizedUrl> {
 
diff --git a/core/src/main/java/org/springframework/security/access/ConfigAttribute.java b/core/src/main/java/org/springframework/security/access/ConfigAttribute.java
@@ -19,6 +19,8 @@
 import java.io.Serializable;
 
 import org.springframework.security.access.intercept.RunAsManager;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 
 /**
  * Stores a security system related configuration attribute.
@@ -35,7 +37,14 @@
  * target.
  *
  * @author Ben Alex
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. In the case of
+ * method security, please see {@link SecurityAnnotationScanner} and
+ * {@link AuthorizationManager}. In the case of channel security, please see
+ * {@code HttpsRedirectFilter}. In the case of web security, please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 public interface ConfigAttribute extends Serializable {
 
 	/**
diff --git a/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java b/web/src/main/java/org/springframework/security/web/access/expression/WebExpressionConfigAttribute.java
@@ -19,14 +19,19 @@
 import org.springframework.expression.EvaluationContext;
 import org.springframework.expression.Expression;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.web.FilterInvocation;
 
 /**
  * Simple expression configuration attribute for use in web request authorizations.
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated In modern Spring Security APIs, each API manages its own configuration
+ * context. As such there is no direct replacement for this interface. Please see
+ * {@link AuthorizationManager}.
  */
+@Deprecated
 class WebExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor<FilterInvocation> {
 
 	private final Expression authorizeExpression;

Original file line number	Diff line number	Diff line change
`@@ -151,6 +151,7 @@ private FilterSecurityInterceptor createFilterSecurityInterceptor(H http,`
`151`	`151`	`return securityInterceptor;`
`152`	`152`	`}`
`153`	`153`
	`154`	`+ @Deprecated`
`154`	`155`	`public abstract class AbstractInterceptUrlRegistry<R extends AbstractInterceptUrlRegistry<R, T>, T>`
`155`	`156`	`extends AbstractConfigAttributeRequestMatcherRegistry<T> {`
`156`	`157`
Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,7 @@ private static String hasIpAddress(String ipAddressExpression) {`
`202`	`202`	`return "hasIpAddress('" + ipAddressExpression + "')";`
`203`	`203`	`}`
`204`	`204`
	`205`	`+ @Deprecated`
`205`	`206`	`public final class ExpressionInterceptUrlRegistry extends`
`206`	`207`	`ExpressionUrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<ExpressionInterceptUrlRegistry, AuthorizedUrl> {`
`207`	`208`
Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,7 @@ private static String[] hasAnyAuthority(String... authorities) {`
`203`	`203`	`return authorities;`
`204`	`204`	`}`
`205`	`205`
	`206`	`+ @Deprecated`
`206`	`207`	`public final class StandardInterceptUrlRegistry extends`
`207`	`208`	`UrlAuthorizationConfigurer<H>.AbstractInterceptUrlRegistry<StandardInterceptUrlRegistry, AuthorizedUrl> {`
`208`	`209`