From 339d44b5a15a8c6ccccc5dbab408501834768f96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20Kov=C3=A1cs?= Date: Sat, 25 Apr 2020 15:27:47 +0200 Subject: [PATCH 1/4] Deprecate openID 2.0 support This commit puts deprecation notice on docs, sample applications and configurations (java and xml) Fixes gh-7153 --- .../annotation/web/builders/HttpSecurity.java | 7 +- .../openid/OpenIDLoginConfigurer.java | 3 + .../security/config/spring-security-4.2.xsd | 56 ++++++++-------- .../security/config/spring-security-5.4.xsd | 64 ++++++++++--------- .../src/docbook/codebase-structure.xml | 2 +- .../asciidoc/_includes/about/modules.adoc | 3 + .../servlet/authentication/index.adoc | 1 + .../servlet/authentication/openid.adoc | 4 ++ ...sageSecurityWebApplicationInitializer.java | 3 + .../samples/config/SecurityConfig.java | 5 ++ .../security/samples/mvc/UserController.java | 5 ++ .../security/CustomUserDetailsService.java | 7 +- .../src/main/resources/views/login.html | 7 +- .../samples/openid/CustomUserDetails.java | 3 + .../openid/CustomUserDetailsService.java | 3 + .../xml/openid/src/main/resources/logback.xml | 4 ++ samples/xml/openid/src/main/webapp/index.jsp | 6 ++ .../openid/src/main/webapp/openidlogin.jsp | 6 ++ 18 files changed, 128 insertions(+), 61 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index d47727f08c..bda590ade0 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -233,7 +233,9 @@ public final class HttpSecurity extends * * * @return the {@link OpenIDLoginConfigurer} for further customizations. - * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. * @throws Exception * @see OpenIDLoginConfigurer */ @@ -355,6 +357,9 @@ public final class HttpSecurity extends * * @param openidLoginCustomizer the {@link Customizer} to provide more options for * the {@link OpenIDLoginConfigurer} + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. * @return the {@link HttpSecurity} for further customizations * @throws Exception */ diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java index 76c24f7e0d..4fa74f0053 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java @@ -118,6 +118,9 @@ import org.springframework.security.web.util.matcher.RequestMatcher; * * * @author Rob Winch + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. * @since 3.2 */ public final class OpenIDLoginConfigurer> extends diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd index 83d77e1875..d6415b79e7 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd @@ -131,7 +131,7 @@ - + @@ -164,7 +164,7 @@ - + @@ -433,7 +433,7 @@ - + @@ -513,7 +513,7 @@ - + @@ -573,7 +573,7 @@ - + @@ -817,13 +817,13 @@ - - - - - - - + + + + + + + @@ -1265,7 +1265,7 @@ - + @@ -1290,7 +1290,7 @@ - + @@ -1361,7 +1361,7 @@ - + @@ -1408,7 +1408,7 @@ - + @@ -1496,7 +1496,7 @@ - + Sets up an attribute exchange configuration to request specified attributes from the @@ -1695,7 +1695,7 @@ - + @@ -1711,7 +1711,7 @@ - + @@ -1767,7 +1767,7 @@ - + @@ -1814,7 +1814,7 @@ - + @@ -1912,7 +1912,7 @@ - + @@ -1945,8 +1945,8 @@ - - + + @@ -1963,7 +1963,7 @@ - + @@ -2160,7 +2160,7 @@ - + @@ -2212,7 +2212,7 @@ - + @@ -2823,4 +2823,4 @@ - \ No newline at end of file + diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd index 1e15988a9d..7b0ab2433f 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd @@ -124,7 +124,7 @@ - + @@ -408,7 +408,7 @@ - + @@ -488,7 +488,7 @@ - + @@ -541,7 +541,7 @@ - + @@ -785,13 +785,13 @@ - - - - - - - + + + + + + + @@ -960,7 +960,10 @@ - Sets up form login for authentication with an Open ID identity + Sets up form login for authentication with an Open ID identity. + NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are + encouraged to migrate + to OpenID Connect, which is supported by spring-security-oauth2. @@ -1236,7 +1239,7 @@ - + @@ -1261,7 +1264,7 @@ - + @@ -1318,7 +1321,7 @@ - + @@ -1365,7 +1368,7 @@ - + @@ -1878,7 +1881,7 @@ - + Sets up an attribute exchange configuration to request specified attributes from the @@ -1905,7 +1908,10 @@ - Attributes used when making an OpenID AX Fetch Request + Attributes used when making an OpenID AX Fetch Request. + NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are + encouraged to migrate + to OpenID Connect, which is supported by spring-security-oauth2. @@ -2077,7 +2083,7 @@ - + @@ -2093,7 +2099,7 @@ - + @@ -2149,7 +2155,7 @@ - + @@ -2196,7 +2202,7 @@ - + @@ -2294,7 +2300,7 @@ - + @@ -2327,8 +2333,8 @@ - - + + @@ -2345,7 +2351,7 @@ - + @@ -2482,7 +2488,7 @@ - + @@ -2534,7 +2540,7 @@ - + @@ -3174,4 +3180,4 @@ - \ No newline at end of file + diff --git a/docs/articles/src/docbook/codebase-structure.xml b/docs/articles/src/docbook/codebase-structure.xml index bd2e06999c..c9ca7eb276 100644 --- a/docs/articles/src/docbook/codebase-structure.xml +++ b/docs/articles/src/docbook/codebase-structure.xml @@ -146,7 +146,7 @@ spring-security-openid OpenID web authentication support. If you need to authenticate users against an external OpenID - server. + server. (Deprecated) org.springframework.security.openid diff --git a/docs/manual/src/docs/asciidoc/_includes/about/modules.adoc b/docs/manual/src/docs/asciidoc/_includes/about/modules.adoc index 71e58801fd..ae976076fa 100644 --- a/docs/manual/src/docs/asciidoc/_includes/about/modules.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/about/modules.adoc @@ -102,6 +102,9 @@ The top-level package is `org.springframework.security.cas`. [[spring-security-openid]] == OpenID -- `spring-security-openid.jar` +[NOTE] +The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2. + This module contains OpenID web authentication support. It is used to authenticate users against an external OpenID server. The top-level package is `org.springframework.security.openid`. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc index 9536e950e6..4a0b75cdb0 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc @@ -33,6 +33,7 @@ This also gives a good idea of the high level flow of authentication and how pie * <> - How to remember a user past session expiration * <> - Authenticate with JAAS * <> - OpenID Authentication (not to be confused with OpenID Connect) +// FIXME: The one above is deprecated. Should it be removed from here as well? * <> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits. * <> - X509 Authentication diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc index e3d14137d3..01362127ff 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc @@ -1,5 +1,9 @@ [[servlet-openid]] == OpenID Support + +[NOTE] +The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2. + The namespace supports https://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change: [source,xml] diff --git a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java index 4ed43fc3cb..3a4ec0ad52 100644 --- a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java +++ b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java @@ -20,6 +20,9 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn /** * No customizations of {@link AbstractSecurityWebApplicationInitializer} are necessary. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Rob Winch */ public class MessageSecurityWebApplicationInitializer extends diff --git a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java index dc9134832c..452a80bdd0 100644 --- a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java +++ b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java @@ -20,6 +20,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.samples.security.CustomUserDetailsService; +/** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. + */ @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { // @formatter:off diff --git a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java index ebed04dd9c..d700a3e832 100644 --- a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java +++ b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java @@ -21,6 +21,11 @@ import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +/** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. + */ @Controller @RequestMapping("/user/") public class UserController { diff --git a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java index fd421b880e..faaa81afbe 100644 --- a/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java +++ b/samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java @@ -22,6 +22,11 @@ import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.openid.OpenIDAuthenticationToken; +/** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. + */ public class CustomUserDetailsService implements AuthenticationUserDetailsService { public UserDetails loadUserDetails(OpenIDAuthenticationToken token) @@ -29,4 +34,4 @@ public class CustomUserDetailsService implements return new User(token.getName(), "", AuthorityUtils.createAuthorityList("ROLE_USER")); } -} \ No newline at end of file +} diff --git a/samples/javaconfig/openid/src/main/resources/views/login.html b/samples/javaconfig/openid/src/main/resources/views/login.html index 0d46e3b163..4c6f86c51a 100644 --- a/samples/javaconfig/openid/src/main/resources/views/login.html +++ b/samples/javaconfig/openid/src/main/resources/views/login.html @@ -7,6 +7,11 @@
+

+ NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are + encouraged to migrate + to OpenID Connect, which is supported by spring-security-oauth2. +

Sign-in or Create New Account @@ -43,4 +48,4 @@
- \ No newline at end of file + diff --git a/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java b/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java index f0b1bc4ee1..7a5e400ec2 100644 --- a/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java +++ b/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java @@ -23,6 +23,9 @@ import org.springframework.security.core.userdetails.User; /** * Customized {@code UserDetails} implementation. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor * @since 3.1 */ diff --git a/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java b/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java index ad23c3fc30..27a3bb409d 100644 --- a/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java +++ b/samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java @@ -32,6 +32,9 @@ import org.springframework.security.openid.OpenIDAuthenticationToken; * Custom UserDetailsService which accepts any OpenID user, "registering" new users in a * map so they can be welcomed back to the site on subsequent logins. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor * @since 3.1 */ diff --git a/samples/xml/openid/src/main/resources/logback.xml b/samples/xml/openid/src/main/resources/logback.xml index 3ebbcc0ddd..1f54c08753 100644 --- a/samples/xml/openid/src/main/resources/logback.xml +++ b/samples/xml/openid/src/main/resources/logback.xml @@ -1,3 +1,7 @@ + + diff --git a/samples/xml/openid/src/main/webapp/index.jsp b/samples/xml/openid/src/main/webapp/index.jsp index 1ea6bb94ce..f78494ccef 100644 --- a/samples/xml/openid/src/main/webapp/index.jsp +++ b/samples/xml/openid/src/main/webapp/index.jsp @@ -6,6 +6,12 @@

OpenID Sample Home Page

+

+NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are +encouraged to migrate +to OpenID Connect, which is supported by spring-security-oauth2. +

+

Welcome back, ! diff --git a/samples/xml/openid/src/main/webapp/openidlogin.jsp b/samples/xml/openid/src/main/webapp/openidlogin.jsp index 17fde568ff..e95a0fe453 100644 --- a/samples/xml/openid/src/main/webapp/openidlogin.jsp +++ b/samples/xml/openid/src/main/webapp/openidlogin.jsp @@ -29,6 +29,12 @@ +

+NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are +encouraged to migrate +to OpenID Connect, which is supported by spring-security-oauth2. +

+ Your login attempt was not successful, try again.

From 84f45e4196db388e521f5b51c444830e9b94b990 Mon Sep 17 00:00:00 2001 From: Thomas Vitale Date: Tue, 22 Oct 2019 18:18:24 +0200 Subject: [PATCH 2/4] Deprecate OpenID 2.0 Support Add deprecation notice to all files in the spring-security-openid module Fixes gh-7263 --- openid/spring-security-openid.gradle | 4 ++++ .../security/openid/AuthenticationCancelledException.java | 3 +++ .../security/openid/AxFetchListFactory.java | 3 +++ .../security/openid/NullAxFetchListFactory.java | 3 +++ .../security/openid/OpenID4JavaConsumer.java | 3 +++ .../springframework/security/openid/OpenIDAttribute.java | 3 +++ .../security/openid/OpenIDAuthenticationFilter.java | 3 +++ .../security/openid/OpenIDAuthenticationProvider.java | 3 +++ .../security/openid/OpenIDAuthenticationStatus.java | 3 +++ .../security/openid/OpenIDAuthenticationToken.java | 3 +++ .../springframework/security/openid/OpenIDConsumer.java | 3 +++ .../security/openid/OpenIDConsumerException.java | 3 +++ .../security/openid/RegexBasedAxFetchListFactory.java | 4 +++- .../java/org/springframework/security/openid/package.html | 8 ++++++-- .../security/openid/MockOpenIDConsumer.java | 6 +++--- .../security/openid/OpenID4JavaConsumerTests.java | 3 +++ .../security/openid/OpenIDAuthenticationFilterTests.java | 5 +++++ .../openid/OpenIDAuthenticationProviderTests.java | 3 +++ openid/src/test/resources/logback-test.xml | 4 ++++ 19 files changed, 64 insertions(+), 6 deletions(-) diff --git a/openid/spring-security-openid.gradle b/openid/spring-security-openid.gradle index a24719a6f6..b225ceeb97 100644 --- a/openid/spring-security-openid.gradle +++ b/openid/spring-security-openid.gradle @@ -1,3 +1,7 @@ +// NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are +// encouraged to migrate +// to OpenID Connect. + apply plugin: 'io.spring.convention.spring-module' dependencies { diff --git a/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java b/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java index 243bde56e9..20d6bc8056 100644 --- a/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java +++ b/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java @@ -20,6 +20,9 @@ import org.springframework.security.core.AuthenticationException; /** * Indicates that OpenID authentication was cancelled * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley, Opsera Ltd */ public class AuthenticationCancelledException extends AuthenticationException { diff --git a/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java b/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java index 16d1e64f59..f125c214c0 100644 --- a/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java +++ b/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java @@ -24,6 +24,9 @@ import java.util.List; * This allows the list of attributes for a fetch request to be tailored for different * OpenID providers, since they do not all support the same attributes. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Luke Taylor * @since 3.1 */ diff --git a/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java b/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java index 2a653ee132..1d305c7489 100644 --- a/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java +++ b/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java @@ -19,6 +19,9 @@ import java.util.Collections; import java.util.List; /** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Luke Taylor * @since 3.1 */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java index 2323f99985..63d6bec459 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java @@ -41,6 +41,9 @@ import org.openid4java.message.ax.FetchResponse; import org.springframework.util.StringUtils; /** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Ray Krueger * @author Luke Taylor */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java index 65a9774c8b..ec9d55dbd0 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java @@ -27,6 +27,9 @@ import org.springframework.util.Assert; * should be requested during a fetch request, or to hold values for an attribute which * are returned during the authentication process. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Luke Taylor * @since 3.0 */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java index 430c707800..707d5a37c6 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java @@ -59,6 +59,9 @@ import java.util.*; * where it should (normally) be processed by an OpenIDAuthenticationProvider in * order to load the authorities for the user. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley * @author Ray Krueger * @author Luke Taylor diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java index 6b9f723aac..f676a14c23 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java @@ -44,6 +44,9 @@ import org.springframework.util.Assert; * {@code Authentication} token, so additional properties such as email addresses, * telephone numbers etc can easily be stored. * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley, Opsera Ltd. * @author Luke Taylor */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java index b7a52a0aea..958cf6f280 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java @@ -18,6 +18,9 @@ package org.springframework.security.openid; /** * Authentication status codes, based on JanRain status codes * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author JanRain Inc. * @author Robin Bramley, Opsera Ltd * @author Luke Taylor diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java index dc6f7fc466..49bc2e4dc6 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java @@ -26,6 +26,9 @@ import org.springframework.security.core.SpringSecurityCoreVersion; /** * OpenID Authentication Token * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley */ public class OpenIDAuthenticationToken extends AbstractAuthenticationToken { diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java index ed57b1256c..760b3e6f2c 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java @@ -20,6 +20,9 @@ import javax.servlet.http.HttpServletRequest; /** * An interface for OpenID library implementations * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Ray Krueger * @author Robin Bramley, Opsera Ltd */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java index e7bb4c3d0d..4748a3e84a 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java @@ -18,6 +18,9 @@ package org.springframework.security.openid; /** * Thrown by an OpenIDConsumer if it cannot process a request * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley, Opsera Ltd */ public class OpenIDConsumerException extends Exception { diff --git a/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java b/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java index 9283419981..35810f0a25 100644 --- a/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java +++ b/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java @@ -22,7 +22,9 @@ import java.util.Map; import java.util.regex.Pattern; /** - * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Luke Taylor * @since 3.1 */ diff --git a/openid/src/main/java/org/springframework/security/openid/package.html b/openid/src/main/java/org/springframework/security/openid/package.html index 80e7f0c0f4..14c95d0992 100644 --- a/openid/src/main/java/org/springframework/security/openid/package.html +++ b/openid/src/main/java/org/springframework/security/openid/package.html @@ -1,5 +1,9 @@ -Authenticates standard web browser users via OpenID. +

Authenticates standard web browser users via OpenID.

+ +

NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are + encouraged to migrate + to OpenID Connect.

- \ No newline at end of file + diff --git a/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java b/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java index 7f22d587af..695e264530 100644 --- a/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java +++ b/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java @@ -15,12 +15,12 @@ */ package org.springframework.security.openid; -import org.springframework.security.openid.OpenIDAuthenticationToken; -import org.springframework.security.openid.OpenIDConsumer; - import javax.servlet.http.HttpServletRequest; /** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley, Opsera Ltd */ public class MockOpenIDConsumer implements OpenIDConsumer { diff --git a/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java b/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java index e87ce2fd2f..e076e7c1d8 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java @@ -40,6 +40,9 @@ import org.springframework.mock.web.MockHttpServletRequest; import java.util.*; /** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Luke Taylor */ public class OpenID4JavaConsumerTests { diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java index 818698313a..ac72d3a5bd 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java @@ -31,6 +31,11 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler; +/** + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. + */ public class OpenIDAuthenticationFilterTests { OpenIDAuthenticationFilter filter; diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java index 8544cf68d5..3cf253cafc 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java @@ -35,6 +35,9 @@ import org.springframework.security.core.userdetails.UserDetailsService; /** * Tests {@link OpenIDAuthenticationProvider} * + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect. * @author Robin Bramley, Opsera Ltd */ public class OpenIDAuthenticationProviderTests { diff --git a/openid/src/test/resources/logback-test.xml b/openid/src/test/resources/logback-test.xml index 2d51ba4180..a3d205af5e 100644 --- a/openid/src/test/resources/logback-test.xml +++ b/openid/src/test/resources/logback-test.xml @@ -1,3 +1,7 @@ + + From 2d9a6aca98f074d63c135a39d907bd7efc32bc20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20Kov=C3=A1cs?= Date: Sat, 2 May 2020 10:25:35 +0200 Subject: [PATCH 3/4] Deprecate openID 2.0 support This commit adds link to spring code on the top of ThomasVitale's changes. Fixes gh-7153 --- openid/spring-security-openid.gradle | 2 +- .../security/openid/AuthenticationCancelledException.java | 2 +- .../org/springframework/security/openid/AxFetchListFactory.java | 2 +- .../springframework/security/openid/NullAxFetchListFactory.java | 2 +- .../springframework/security/openid/OpenID4JavaConsumer.java | 2 +- .../org/springframework/security/openid/OpenIDAttribute.java | 2 +- .../security/openid/OpenIDAuthenticationFilter.java | 2 +- .../security/openid/OpenIDAuthenticationProvider.java | 2 +- .../security/openid/OpenIDAuthenticationStatus.java | 2 +- .../security/openid/OpenIDAuthenticationToken.java | 2 +- .../org/springframework/security/openid/OpenIDConsumer.java | 2 +- .../security/openid/OpenIDConsumerException.java | 2 +- .../security/openid/RegexBasedAxFetchListFactory.java | 2 +- .../main/java/org/springframework/security/openid/package.html | 2 +- .../org/springframework/security/openid/MockOpenIDConsumer.java | 2 +- .../security/openid/OpenID4JavaConsumerTests.java | 2 +- .../security/openid/OpenIDAuthenticationFilterTests.java | 2 +- .../security/openid/OpenIDAuthenticationProviderTests.java | 2 +- openid/src/test/resources/logback-test.xml | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/openid/spring-security-openid.gradle b/openid/spring-security-openid.gradle index b225ceeb97..8e3820d151 100644 --- a/openid/spring-security-openid.gradle +++ b/openid/spring-security-openid.gradle @@ -1,6 +1,6 @@ // NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are // encouraged to migrate -// to OpenID Connect. +// to OpenID Connect, which is supported by spring-security-oauth2. apply plugin: 'io.spring.convention.spring-module' diff --git a/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java b/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java index 20d6bc8056..e5e89d5e38 100644 --- a/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java +++ b/openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java @@ -22,7 +22,7 @@ import org.springframework.security.core.AuthenticationException; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley, Opsera Ltd */ public class AuthenticationCancelledException extends AuthenticationException { diff --git a/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java b/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java index f125c214c0..3c99c94626 100644 --- a/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java +++ b/openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java @@ -26,7 +26,7 @@ import java.util.List; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor * @since 3.1 */ diff --git a/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java b/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java index 1d305c7489..75df033bac 100644 --- a/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java +++ b/openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java @@ -21,7 +21,7 @@ import java.util.List; /** * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor * @since 3.1 */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java index 63d6bec459..7ab6f47615 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java @@ -43,7 +43,7 @@ import org.springframework.util.StringUtils; /** * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Ray Krueger * @author Luke Taylor */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java index ec9d55dbd0..c15d45856d 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java @@ -29,7 +29,7 @@ import org.springframework.util.Assert; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor * @since 3.0 */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java index 707d5a37c6..9c3999d704 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java @@ -61,7 +61,7 @@ import java.util.*; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley * @author Ray Krueger * @author Luke Taylor diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java index f676a14c23..e42baa6d1f 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java @@ -46,7 +46,7 @@ import org.springframework.util.Assert; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley, Opsera Ltd. * @author Luke Taylor */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java index 958cf6f280..db2eee832b 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java @@ -20,7 +20,7 @@ package org.springframework.security.openid; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author JanRain Inc. * @author Robin Bramley, Opsera Ltd * @author Luke Taylor diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java index 49bc2e4dc6..0625e07727 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java @@ -28,7 +28,7 @@ import org.springframework.security.core.SpringSecurityCoreVersion; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley */ public class OpenIDAuthenticationToken extends AbstractAuthenticationToken { diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java index 760b3e6f2c..303b143a9a 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java @@ -22,7 +22,7 @@ import javax.servlet.http.HttpServletRequest; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Ray Krueger * @author Robin Bramley, Opsera Ltd */ diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java index 4748a3e84a..f184032c15 100644 --- a/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java +++ b/openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java @@ -20,7 +20,7 @@ package org.springframework.security.openid; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley, Opsera Ltd */ public class OpenIDConsumerException extends Exception { diff --git a/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java b/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java index 35810f0a25..b59481bb38 100644 --- a/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java +++ b/openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java @@ -24,7 +24,7 @@ import java.util.regex.Pattern; /** * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor * @since 3.1 */ diff --git a/openid/src/main/java/org/springframework/security/openid/package.html b/openid/src/main/java/org/springframework/security/openid/package.html index 14c95d0992..f2417fd615 100644 --- a/openid/src/main/java/org/springframework/security/openid/package.html +++ b/openid/src/main/java/org/springframework/security/openid/package.html @@ -4,6 +4,6 @@

NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate - to OpenID Connect.

+ to OpenID Connect, which is supported by spring-security-oauth2.

diff --git a/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java b/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java index 695e264530..ce8f1a2382 100644 --- a/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java +++ b/openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java @@ -20,7 +20,7 @@ import javax.servlet.http.HttpServletRequest; /** * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley, Opsera Ltd */ public class MockOpenIDConsumer implements OpenIDConsumer { diff --git a/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java b/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java index e076e7c1d8..971c19a15f 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java @@ -42,7 +42,7 @@ import java.util.*; /** * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Luke Taylor */ public class OpenID4JavaConsumerTests { diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java index ac72d3a5bd..dbaf2eeb68 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java @@ -34,7 +34,7 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti /** * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. */ public class OpenIDAuthenticationFilterTests { diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java index 3cf253cafc..902ca9b8fe 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java @@ -37,7 +37,7 @@ import org.springframework.security.core.userdetails.UserDetailsService; * * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are * encouraged to migrate - * to OpenID Connect. + * to OpenID Connect, which is supported by spring-security-oauth2. * @author Robin Bramley, Opsera Ltd */ public class OpenIDAuthenticationProviderTests { diff --git a/openid/src/test/resources/logback-test.xml b/openid/src/test/resources/logback-test.xml index a3d205af5e..cc1fc42b4e 100644 --- a/openid/src/test/resources/logback-test.xml +++ b/openid/src/test/resources/logback-test.xml @@ -1,6 +1,6 @@ +to OpenID Connect, which is supported by spring-security-oauth2. --> From f2a2b469c4add61f911e0e4404d37621b0ea7826 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20Kov=C3=A1cs?= Date: Sat, 9 May 2020 12:04:13 +0200 Subject: [PATCH 4/4] Deprecate openID 2.0 support This commit adds deprecation notice to xml schema, parser of the schema and removes fixme comments. Fixes gh-7153 --- .../http/AuthenticationConfigBuilder.java | 105 ++++++++++-------- .../security/config/spring-security-4.2.xsd | 56 +++++----- .../security/config/spring-security-5.4.rnc | 4 +- .../security/config/spring-security-5.4.xsd | 72 ++++++------ .../servlet/authentication/index.adoc | 1 - 5 files changed, 127 insertions(+), 111 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java index fcfcbb5af1..6de6a2f711 100644 --- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java @@ -350,51 +350,7 @@ final class AuthenticationConfigBuilder { RootBeanDefinition openIDFilter = null; if (openIDLoginElt != null) { - FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser( - "/login/openid", null, - OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, - sessionStrategy, allowSessionCreation, portMapper, portResolver); - - parser.parse(openIDLoginElt, pc); - openIDFilter = parser.getFilterBean(); - openIDEntryPoint = parser.getEntryPointBean(); - openidLoginProcessingUrl = parser.getLoginProcessingUrl(); - openIDLoginPage = parser.getLoginPage(); - - List attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt, - Elements.OPENID_ATTRIBUTE_EXCHANGE); - - if (!attrExElts.isEmpty()) { - // Set up the consumer with the required attribute list - BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder - .rootBeanDefinition(OPEN_ID_CONSUMER_CLASS); - BeanDefinitionBuilder axFactory = BeanDefinitionBuilder - .rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS); - ManagedMap> axMap = new ManagedMap<>(); - - for (Element attrExElt : attrExElts) { - String identifierMatch = attrExElt.getAttribute("identifier-match"); - - if (!StringUtils.hasText(identifierMatch)) { - if (attrExElts.size() > 1) { - pc.getReaderContext().error( - "You must supply an identifier-match attribute if using more" - + " than one " - + Elements.OPENID_ATTRIBUTE_EXCHANGE - + " element", attrExElt); - } - // Match anything - identifierMatch = ".*"; - } - - axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt)); - } - axFactory.addConstructorArgValue(axMap); - - consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition()); - openIDFilter.getPropertyValues().addPropertyValue("consumer", - consumerBldr.getBeanDefinition()); - } + openIDFilter = parseOpenIDFilter(sessionStrategy, openIDLoginElt); } if (openIDFilter != null) { @@ -412,6 +368,65 @@ final class AuthenticationConfigBuilder { } } + /** + * Parses OpenID 1.0 and 2.0 - related parts of configuration xmls + * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are + * encouraged to migrate + * to OpenID Connect, which is supported by spring-security-oauth2. + * @param sessionStrategy sessionStrategy + * @param openIDLoginElt the element from the xml file + * @return the parsed filter as rootBeanDefinition + */ + private RootBeanDefinition parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt ) { + RootBeanDefinition openIDFilter; + FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser( + "/login/openid", null, + OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, + sessionStrategy, allowSessionCreation, portMapper, portResolver); + + parser.parse(openIDLoginElt, pc); + openIDFilter = parser.getFilterBean(); + openIDEntryPoint = parser.getEntryPointBean(); + openidLoginProcessingUrl = parser.getLoginProcessingUrl(); + openIDLoginPage = parser.getLoginPage(); + + List attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt, + Elements.OPENID_ATTRIBUTE_EXCHANGE); + + if (!attrExElts.isEmpty()) { + // Set up the consumer with the required attribute list + BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder + .rootBeanDefinition(OPEN_ID_CONSUMER_CLASS); + BeanDefinitionBuilder axFactory = BeanDefinitionBuilder + .rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS); + ManagedMap> axMap = new ManagedMap<>(); + + for (Element attrExElt : attrExElts) { + String identifierMatch = attrExElt.getAttribute("identifier-match"); + + if (!StringUtils.hasText(identifierMatch)) { + if (attrExElts.size() > 1) { + pc.getReaderContext().error( + "You must supply an identifier-match attribute if using more" + + " than one " + + Elements.OPENID_ATTRIBUTE_EXCHANGE + + " element", attrExElt); + } + // Match anything + identifierMatch = ".*"; + } + + axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt)); + } + axFactory.addConstructorArgValue(axMap); + + consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition()); + openIDFilter.getPropertyValues().addPropertyValue("consumer", + consumerBldr.getBeanDefinition()); + } + return openIDFilter; + } + private ManagedList parseOpenIDAttributes(Element attrExElt) { ManagedList attributes = new ManagedList<>(); for (Element attElt : DomUtils.getChildElementsByTagName(attrExElt, diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd index d6415b79e7..83d77e1875 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd @@ -131,7 +131,7 @@
- + @@ -164,7 +164,7 @@ - + @@ -433,7 +433,7 @@ - + @@ -513,7 +513,7 @@ - + @@ -573,7 +573,7 @@ - + @@ -817,13 +817,13 @@ - - - - - - - + + + + + + + @@ -1265,7 +1265,7 @@ - + @@ -1290,7 +1290,7 @@ - + @@ -1361,7 +1361,7 @@ - + @@ -1408,7 +1408,7 @@ - + @@ -1496,7 +1496,7 @@ - + Sets up an attribute exchange configuration to request specified attributes from the @@ -1695,7 +1695,7 @@
- + @@ -1711,7 +1711,7 @@ - + @@ -1767,7 +1767,7 @@ - + @@ -1814,7 +1814,7 @@ - + @@ -1912,7 +1912,7 @@ - + @@ -1945,8 +1945,8 @@ - - + + @@ -1963,7 +1963,7 @@ - + @@ -2160,7 +2160,7 @@ - + @@ -2212,7 +2212,7 @@ - + @@ -2823,4 +2823,4 @@ - + \ No newline at end of file diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc index 86c6885a99..678318e0f8 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc @@ -615,7 +615,7 @@ opaque-token.attlist &= attribute introspector-ref {xsd:token}? openid-login = - ## Sets up form login for authentication with an Open ID identity + ## Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2. element openid-login {form-login.attlist, user-service-ref?, attribute-exchange*} attribute-exchange = @@ -627,7 +627,7 @@ attribute-exchange.attlist &= attribute identifier-match {xsd:token}? openid-attribute = - ## Attributes used when making an OpenID AX Fetch Request + ## Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2. element openid-attribute {openid-attribute.attlist} openid-attribute.attlist &= diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd index 7b0ab2433f..775697606e 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd @@ -124,7 +124,7 @@ - + @@ -408,7 +408,7 @@ - + @@ -488,7 +488,7 @@ - + @@ -541,7 +541,7 @@ - + @@ -785,13 +785,13 @@ - - - - - - - + + + + + + + @@ -960,10 +960,11 @@ - Sets up form login for authentication with an Open ID identity. - NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are - encouraged to migrate - to OpenID Connect, which is supported by spring-security-oauth2. + Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and + 2.0 protocols have been deprecated and users are <a + href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to + migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is + supported by <code>spring-security-oauth2</code>. @@ -1239,7 +1240,7 @@ - + @@ -1264,7 +1265,7 @@ - + @@ -1321,7 +1322,7 @@ - + @@ -1368,7 +1369,7 @@ - + @@ -1881,7 +1882,7 @@ - + Sets up an attribute exchange configuration to request specified attributes from the @@ -1908,10 +1909,11 @@ - Attributes used when making an OpenID AX Fetch Request. - NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are - encouraged to migrate - to OpenID Connect, which is supported by spring-security-oauth2. + Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0 + protocols have been deprecated and users are <a + href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to + migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is + supported by <code>spring-security-oauth2</code>. @@ -2083,7 +2085,7 @@ - + @@ -2099,7 +2101,7 @@ - + @@ -2155,7 +2157,7 @@ - + @@ -2202,7 +2204,7 @@ - + @@ -2300,7 +2302,7 @@ - + @@ -2333,8 +2335,8 @@ - - + + @@ -2351,7 +2353,7 @@ - + @@ -2488,7 +2490,7 @@ - + @@ -2540,7 +2542,7 @@ - + @@ -3180,4 +3182,4 @@ - + \ No newline at end of file diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc index 4a0b75cdb0..9536e950e6 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc @@ -33,7 +33,6 @@ This also gives a good idea of the high level flow of authentication and how pie * <> - How to remember a user past session expiration * <> - Authenticate with JAAS * <> - OpenID Authentication (not to be confused with OpenID Connect) -// FIXME: The one above is deprecated. Should it be removed from here as well? * <> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits. * <> - X509 Authentication