Deprecate openID 2.0 support

This commit puts deprecation notice on docs, sample applications and configurations (java and xml) Fixes gh-7153
2026-05-22 21:33:16 +00:00 · 2020-04-25 15:27:47 +02:00
parent f7b33da577
commit 339d44b5a1
18 changed files with 128 additions and 61 deletions
@@ -233,7 +233,9 @@ public final class HttpSecurity extends
 	 * </pre>
 	 *
 	 * @return the {@link OpenIDLoginConfigurer} for further customizations.
-	 *
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 	 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 	 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	 * @throws Exception
 	 * @see OpenIDLoginConfigurer
 	 */
@@ -355,6 +357,9 @@ public final class HttpSecurity extends
 	 *
 	 * @param openidLoginCustomizer the {@link Customizer} to provide more options for
 	 * the {@link OpenIDLoginConfigurer}
 	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 	 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 	 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 */
@@ -118,6 +118,9 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
 * </ul>
 *
 * @author Rob Winch
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 * @since 3.2
 */
 public final class OpenIDLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
@@ -131,7 +131,7 @@
      </xs:annotation>
      <xs:complexType/>
   </xs:element>
-  
+
  <xs:attributeGroup name="password-encoder.attlist">
      <xs:attribute name="ref" type="xs:token">
         <xs:annotation>
@@ -164,7 +164,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="user-property">
      <xs:attribute name="user-property" use="required" type="xs:token">
         <xs:annotation>
@@ -433,7 +433,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="ldap-ap.attlist">
      <xs:attribute name="server-ref" type="xs:token">
         <xs:annotation>
@@ -513,7 +513,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="password-compare.attlist">
      <xs:attribute name="password-attribute" type="xs:token">
         <xs:annotation>
@@ -573,7 +573,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="protect.attlist">
      <xs:attribute name="method" use="required" type="xs:token">
         <xs:annotation>
@@ -817,13 +817,13 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
-  
+
-  
+
-  
+
-  
+
-  
+
-  
+
  <xs:attributeGroup name="protect-pointcut.attlist">
      <xs:attribute name="expression" use="required" type="xs:string">
         <xs:annotation>
@@ -1265,7 +1265,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="access-denied-handler.attlist">
      <xs:attribute name="ref" type="xs:token">
         <xs:annotation>
@@ -1290,7 +1290,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="intercept-url.attlist">
      <xs:attribute name="pattern" type="xs:token">
         <xs:annotation>
@@ -1361,7 +1361,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="logout.attlist">
      <xs:attribute name="logout-url" type="xs:token">
         <xs:annotation>
@@ -1408,7 +1408,7 @@
         <xs:attributeGroup ref="security:ref"/>
      </xs:complexType>
   </xs:element>
-  
+
  <xs:attributeGroup name="form-login.attlist">
      <xs:attribute name="login-processing-url" type="xs:token">
         <xs:annotation>
@@ -1496,7 +1496,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:element name="attribute-exchange">
      <xs:annotation>
         <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1695,7 +1695,7 @@
         </xs:simpleType>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="http-basic.attlist">
      <xs:attribute name="entry-point-ref" type="xs:token">
         <xs:annotation>
@@ -1711,7 +1711,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="session-management.attlist">
      <xs:attribute name="session-fixation-protection">
         <xs:annotation>
@@ -1767,7 +1767,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="concurrency-control.attlist">
      <xs:attribute name="max-sessions" type="xs:integer">
         <xs:annotation>
@@ -1814,7 +1814,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="remember-me.attlist">
      <xs:attribute name="key" type="xs:token">
         <xs:annotation>
@@ -1912,7 +1912,7 @@
  <xs:attributeGroup name="remember-me-data-source-ref">
      <xs:attributeGroup ref="security:data-source-ref"/>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="anonymous.attlist">
      <xs:attribute name="key" type="xs:token">
         <xs:annotation>
@@ -1945,8 +1945,8 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
-  
+
  <xs:attributeGroup name="http-port">
      <xs:attribute name="http" use="required" type="xs:token">
         <xs:annotation>
@@ -1963,7 +1963,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="x509.attlist">
      <xs:attribute name="subject-principal-regex" type="xs:token">
         <xs:annotation>
@@ -2160,7 +2160,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="ap.attlist">
      <xs:attribute name="ref" type="xs:token">
         <xs:annotation>
@@ -2212,7 +2212,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="user.attlist">
      <xs:attribute name="name" use="required" type="xs:token">
         <xs:annotation>
@@ -2823,4 +2823,4 @@
         <xs:enumeration value="LAST"/>
      </xs:restriction>
  </xs:simpleType>
-</xs:schema>
+</xs:schema>
@@ -124,7 +124,7 @@
      </xs:annotation>
      <xs:complexType/>
   </xs:element>
-  
+
  <xs:attributeGroup name="password-encoder.attlist">
      <xs:attribute name="ref" type="xs:token">
         <xs:annotation>
@@ -408,7 +408,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="ldap-ap.attlist">
      <xs:attribute name="server-ref" type="xs:token">
         <xs:annotation>
@@ -488,7 +488,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="password-compare.attlist">
      <xs:attribute name="password-attribute" type="xs:token">
         <xs:annotation>
@@ -541,7 +541,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="protect.attlist">
      <xs:attribute name="method" use="required" type="xs:token">
         <xs:annotation>
@@ -785,13 +785,13 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
-  
+
-  
+
-  
+
-  
+
-  
+
-  
+
  <xs:attributeGroup name="protect-pointcut.attlist">
      <xs:attribute name="expression" use="required" type="xs:string">
         <xs:annotation>
@@ -960,7 +960,10 @@
            <xs:element ref="security:oauth2-resource-server"/>
            <xs:element name="openid-login">
               <xs:annotation>
-                  <xs:documentation>Sets up form login for authentication with an Open ID identity
+                  <xs:documentation>Sets up form login for authentication with an Open ID identity.
                      NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
                      <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
                      to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
                </xs:documentation>
               </xs:annotation>
               <xs:complexType>
@@ -1236,7 +1239,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="access-denied-handler.attlist">
      <xs:attribute name="ref" type="xs:token">
         <xs:annotation>
@@ -1261,7 +1264,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="intercept-url.attlist">
      <xs:attribute name="pattern" type="xs:token">
         <xs:annotation>
@@ -1318,7 +1321,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="logout.attlist">
      <xs:attribute name="logout-url" type="xs:token">
         <xs:annotation>
@@ -1365,7 +1368,7 @@
         <xs:attributeGroup ref="security:ref"/>
      </xs:complexType>
   </xs:element>
-  
+
  <xs:attributeGroup name="form-login.attlist">
      <xs:attribute name="login-processing-url" type="xs:token">
         <xs:annotation>
@@ -1878,7 +1881,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:element name="attribute-exchange">
      <xs:annotation>
         <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1905,7 +1908,10 @@
  </xs:attributeGroup>
  <xs:element name="openid-attribute">
      <xs:annotation>
-         <xs:documentation>Attributes used when making an OpenID AX Fetch Request
+         <xs:documentation>Attributes used when making an OpenID AX Fetch Request.
             NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
             <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
             to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
                </xs:documentation>
      </xs:annotation>
      <xs:complexType>
@@ -2077,7 +2083,7 @@
         </xs:simpleType>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="http-basic.attlist">
      <xs:attribute name="entry-point-ref" type="xs:token">
         <xs:annotation>
@@ -2093,7 +2099,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="session-management.attlist">
      <xs:attribute name="session-fixation-protection">
         <xs:annotation>
@@ -2149,7 +2155,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="concurrency-control.attlist">
      <xs:attribute name="max-sessions" type="xs:integer">
         <xs:annotation>
@@ -2196,7 +2202,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="remember-me.attlist">
      <xs:attribute name="key" type="xs:token">
         <xs:annotation>
@@ -2294,7 +2300,7 @@
  <xs:attributeGroup name="remember-me-data-source-ref">
      <xs:attributeGroup ref="security:data-source-ref"/>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="anonymous.attlist">
      <xs:attribute name="key" type="xs:token">
         <xs:annotation>
@@ -2327,8 +2333,8 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
-  
+
  <xs:attributeGroup name="http-port">
      <xs:attribute name="http" use="required" type="xs:token">
         <xs:annotation>
@@ -2345,7 +2351,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="x509.attlist">
      <xs:attribute name="subject-principal-regex" type="xs:token">
         <xs:annotation>
@@ -2482,7 +2488,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="ap.attlist">
      <xs:attribute name="ref" type="xs:token">
         <xs:annotation>
@@ -2534,7 +2540,7 @@
         </xs:annotation>
      </xs:attribute>
  </xs:attributeGroup>
-  
+
  <xs:attributeGroup name="user.attlist">
      <xs:attribute name="name" use="required" type="xs:token">
         <xs:annotation>
@@ -3174,4 +3180,4 @@
         <xs:enumeration value="LAST"/>
      </xs:restriction>
  </xs:simpleType>
-</xs:schema>
+</xs:schema>
@@ -146,7 +146,7 @@
 								<entry valign="middle">spring-security-openid</entry>
 								<entry>OpenID web authentication support.</entry>
 								<entry>If you need to authenticate users against an external OpenID
-									server.</entry>
+									server. (Deprecated)</entry>
 								<entry><literal>org.springframework.security.openid</literal></entry>
 							</row>
 						</tbody>
@@ -102,6 +102,9 @@ The top-level package is `org.springframework.security.cas`.
 [[spring-security-openid]]
 == OpenID -- `spring-security-openid.jar`
 [NOTE]
 The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
 This module contains OpenID web authentication support.
 It is used to authenticate users against an external OpenID server.
 The top-level package is `org.springframework.security.openid`.
@@ -33,6 +33,7 @@ This also gives a good idea of the high level flow of authentication and how pie
 * <<servlet-rememberme, Remember Me>> - How to remember a user past session expiration
 * <<servlet-jaas, JAAS Authentication>> - Authenticate with JAAS
 * <<servlet-openid,OpenID>> - OpenID Authentication (not to be confused with OpenID Connect)
 // FIXME: The one above is deprecated. Should it be removed from here as well?
 * <<servlet-preauth>> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
 * <<servlet-x509,X509 Authentication>> - X509 Authentication
@@ -1,5 +1,9 @@
 [[servlet-openid]]
 == OpenID Support
 [NOTE]
 The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
 The namespace supports https://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
 [source,xml]
@@ -20,6 +20,9 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
 /**
 * No customizations of {@link AbstractSecurityWebApplicationInitializer} are necessary.
 *
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 * @author Rob Winch
 */
 public class MessageSecurityWebApplicationInitializer extends
@@ -20,6 +20,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.samples.security.CustomUserDetailsService;
 /**
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 */
@EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	// @formatter:off
@@ -21,6 +21,11 @@ import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 /**
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 */
@Controller
@RequestMapping("/user/")
 public class UserController {
@@ -22,6 +22,11 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.openid.OpenIDAuthenticationToken;
 /**
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 */
 public class CustomUserDetailsService implements
 		AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
 	public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
@@ -29,4 +34,4 @@ public class CustomUserDetailsService implements
 		return new User(token.getName(), "",
 				AuthorityUtils.createAuthorityList("ROLE_USER"));
 	}
-}
+}
@@ -7,6 +7,11 @@
  <body th:include="layout :: body" th:with="content=~{::content}">
     <div th:fragment="content">
        <form name="f" th:action="@{/login/openid}" method="post" id="openid_form">
            <p><strong>
                NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
                <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
                to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
            </strong></p>
            <input type="hidden" name="action" value="verify" />
 	        <fieldset>
                <legend>Sign-in or Create New Account</legend>
@@ -43,4 +48,4 @@
    </script>
    </div>
  </body>
-</html>
+</html>
@@ -23,6 +23,9 @@ import org.springframework.security.core.userdetails.User;
 /**
 * Customized {@code UserDetails} implementation.
 *
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 * @author Luke Taylor
 * @since 3.1
 */
@@ -32,6 +32,9 @@ import org.springframework.security.openid.OpenIDAuthenticationToken;
 * Custom UserDetailsService which accepts any OpenID user, "registering" new users in a
 * map so they can be welcomed back to the site on subsequent logins.
 *
 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 * @author Luke Taylor
 * @since 3.1
 */
@@ -1,3 +1,7 @@
 <!-- NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>. -->
 <configuration>
 	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 	<encoder>
@@ -6,6 +6,12 @@
 <h1>OpenID Sample Home Page</h1>
 <p><strong>
 NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 </strong></p>
 <sec:authentication property='principal.newUser' var='isNew' />
 <p>
 Welcome<c:if test="${!isNew}"> back,</c:if> <sec:authentication property='principal.name' />!
@@ -29,6 +29,12 @@
 <body>
 <p><strong>
 NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
 <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
 to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 </strong></p>
 <c:if test="${not empty param.login_error}">
  <font color="red">
    Your login attempt was not successful, try again.<br/><br/>