GH-3897: Deprecate ChannelSecurityInterceptor (#3915)

* GH-3897: Deprecate `ChannelSecurityInterceptor`

Fixes #3897

Spring Security has deprecated `AccessDecisionManager` and all its infrastructure
in favor of `AuthorizationManager`

* Deprecate and AOP `ChannelSecurityInterceptor` and all its infrastructure,
including `@SecuredChannel` and respective XML configuration.
The `AuthorizationChannelInterceptor` added to respective channels for security
or configured as a global channel interceptor fully covers the previous AOP configuration
* Fix deprecation warnings in other tests with security

* Fix language in docs

Co-authored-by: Gary Russell <[email protected]>

* * Remove `forRemoval` attr from `@Deprecated` markers for Security classes:
looks like to mark `@Deprecated` and even `@SuppressWarnings("deprecation")`
don't silence warnings on compilation

Co-authored-by: Gary Russell <[email protected]>

Author: artembilan

build.gradle

@@ -169,6 +169,7 @@ allprojects {
             mavenBom "org.apache.camel:camel-bom:$camelVersion"
             mavenBom "org.testcontainers:testcontainers-bom:$testcontainersVersion"
             mavenBom "org.apache.groovy:groovy-bom:$groovyVersion"
+            mavenBom "org.springframework.security:spring-security-bom:$springSecurityVersion"
             mavenBom "org.jetbrains.kotlinx:kotlinx-coroutines-bom:$kotlinCoroutinesVersion"
         }
 
@@ -675,10 +676,10 @@ project('spring-integration-http') {
 
         testImplementation project(':spring-integration-security')
         testImplementation "org.hamcrest:hamcrest-core:$hamcrestVersion"
-        testImplementation("org.springframework.security:spring-security-config:$springSecurityVersion") {
+        testImplementation('org.springframework.security:spring-security-config') {
             exclude group: 'org.springframework'
         }
-        testImplementation("org.springframework.security:spring-security-test:$springSecurityVersion") {
+        testImplementation('org.springframework.security:spring-security-test') {
             exclude group: 'org.springframework'
         }
         testImplementation 'com.fasterxml.jackson.core:jackson-databind'
@@ -879,11 +880,11 @@ project('spring-integration-security') {
     description = 'Spring Integration Security Support'
     dependencies {
         api project(':spring-integration-core')
-        api("org.springframework.security:spring-security-core:$springSecurityVersion") {
+        api('org.springframework.security:spring-security-messaging') {
             exclude group: 'org.springframework'
         }
 
-        testImplementation("org.springframework.security:spring-security-config:$springSecurityVersion") {
+        testImplementation('org.springframework.security:spring-security-config') {
             exclude group: 'org.springframework'
         }
     }
@@ -971,10 +972,10 @@ project('spring-integration-webflux') {
         testImplementation "jakarta.servlet:jakarta.servlet-api:$servletApiVersion"
         testImplementation "org.hamcrest:hamcrest-core:$hamcrestVersion"
         testImplementation 'org.springframework:spring-webmvc'
-        testImplementation("org.springframework.security:spring-security-config:$springSecurityVersion") {
+        testImplementation('org.springframework.security:spring-security-config') {
             exclude group: 'org.springframework'
         }
-        testImplementation("org.springframework.security:spring-security-test:$springSecurityVersion") {
+        testImplementation('org.springframework.security:spring-security-test') {
             exclude group: 'org.springframework'
         }
         testImplementation 'com.fasterxml.jackson.core:jackson-databind'

spring-integration-http/src/test/java/org/springframework/integration/http/dsl/HttpDslTests.java

@@ -27,7 +27,6 @@
 
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
-import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
@@ -52,22 +51,18 @@
 import org.springframework.integration.handler.AbstractReplyProducingMessageHandler;
 import org.springframework.integration.http.multipart.UploadedMultipartFile;
 import org.springframework.integration.http.outbound.HttpRequestExecutingMessageHandler;
-import org.springframework.integration.security.channel.ChannelSecurityInterceptor;
-import org.springframework.integration.security.channel.SecuredChannel;
 import org.springframework.messaging.Message;
 import org.springframework.messaging.MessageChannel;
 import org.springframework.messaging.PollableChannel;
 import org.springframework.messaging.support.ErrorMessage;
 import org.springframework.mock.web.MockPart;
-import org.springframework.security.access.AccessDecisionManager;
-import org.springframework.security.access.vote.AffirmativeBased;
-import org.springframework.security.access.vote.RoleVoter;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -335,9 +330,11 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 		}
 
 		@Bean
-		@SecuredChannel(interceptor = "channelSecurityInterceptor", sendAccess = "ROLE_ADMIN")
 		public MessageChannel transformSecuredChannel() {
-			return new DirectChannel();
+			DirectChannel directChannel = new DirectChannel();
+			directChannel.addInterceptor(
+					new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasRole("ADMIN")));
+			return directChannel;
 		}
 
 		@Bean
@@ -393,21 +390,6 @@ public MultipartResolver multipartResolver() {
 			return new StandardServletMultipartResolver();
 		}
 
-		@Bean
-		public AccessDecisionManager accessDecisionManager() {
-			return new AffirmativeBased(Collections.singletonList(new RoleVoter()));
-		}
-
-		@Bean
-		public ChannelSecurityInterceptor channelSecurityInterceptor(AccessDecisionManager accessDecisionManager,
-				AuthenticationManagerBuilder authenticationManagerBuilder) {
-
-			ChannelSecurityInterceptor channelSecurityInterceptor = new ChannelSecurityInterceptor();
-			channelSecurityInterceptor.setAuthenticationManager(authenticationManagerBuilder.getOrBuild());
-			channelSecurityInterceptor.setAccessDecisionManager(accessDecisionManager);
-			return channelSecurityInterceptor;
-		}
-
 		@Bean
 		public Validator customValidator() {
 			return new TestModelValidator();

spring-integration-http/src/test/java/org/springframework/integration/http/outbound/CookieTests.java

@@ -111,12 +111,6 @@ public HttpMethod getMethod() {
 					return null;
 				}
 
-				@Override
-				@Deprecated
-				public String getMethodValue() {
-					return null;
-				}
-
 				public ClientHttpResponse execute() {
 					allHeaders.add(headers);
 					return new ClientHttpResponse() {

spring-integration-security/src/main/java/org/springframework/integration/security/channel/ChannelAccessPolicy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@
  *
  * @author Oleg Zhurakousky
  * @since 2.0
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 public interface ChannelAccessPolicy {
 
 	Collection<ConfigAttribute> getConfigAttributesForSend();

spring-integration-security/src/main/java/org/springframework/integration/security/channel/ChannelInvocation.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,7 +29,11 @@
  * is a <em>send</em> operation, the {@link Message} is also available.
  *
  * @author Mark Fisher
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 public class ChannelInvocation {
 
 	private final MessageChannel channel;

spring-integration-security/src/main/java/org/springframework/integration/security/channel/ChannelSecurityInterceptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,8 +31,15 @@
  *
  * @author Mark Fisher
  * @author Oleg Zhurakousky
+ *
  * @see SecuredChannel
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}.
+ * However, the {@link org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor}
+ * can be configured with any {@link org.springframework.security.authorization.AuthorizationManager} implementation.
  */
+@Deprecated(since = "6.0")
 public final class ChannelSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
 
 	private final ChannelSecurityMetadataSource securityMetadataSource;

spring-integration-security/src/main/java/org/springframework/integration/security/channel/ChannelSecurityMetadataSource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,11 @@
  *
  * @author Mark Fisher
  * @author Oleg Zhurakousky
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 public class ChannelSecurityMetadataSource implements SecurityMetadataSource {
 
 	private final Map<Pattern, ChannelAccessPolicy> patternMappings;

spring-integration-security/src/main/java/org/springframework/integration/security/channel/DefaultChannelAccessPolicy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,7 +33,11 @@
  * @author Mark Fisher
  * @author Oleg Zhurakousky
  * @author Artem Bilan
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 public class DefaultChannelAccessPolicy implements ChannelAccessPolicy {
 
 	private final Collection<ConfigAttribute> configAttributeDefinitionForSend;

spring-integration-security/src/main/java/org/springframework/integration/security/channel/SecuredChannel.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2019 the original author or authors.
+ * Copyright 2015-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,7 +33,11 @@
  *
  * @author Artem Bilan
  * @since 4.2
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 @Target(ElementType.METHOD)
 @Retention(RetentionPolicy.RUNTIME)
 @Documented

spring-integration-security/src/main/java/org/springframework/integration/security/config/ChannelSecurityInterceptorBeanPostProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,7 +42,11 @@
  * @author Oleg Zhurakousky
  * @author Artem Bilan
  * @author Gary Russell
+
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 @SuppressWarnings("serial")
 public class ChannelSecurityInterceptorBeanPostProcessor extends AbstractAutoProxyCreator {
 

spring-integration-security/src/main/java/org/springframework/integration/security/config/IntegrationSecurityNamespaceHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,7 +22,11 @@
  * Namespace handler for the security namespace.
  *
  * @author Jonas Partner
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0", forRemoval = true)
 public class IntegrationSecurityNamespaceHandler extends AbstractIntegrationNamespaceHandler {
 
 	public void init() {

spring-integration-security/src/main/java/org/springframework/integration/security/config/SecuredChannelsParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,7 +41,11 @@
  * @author Jonas Partner
  * @author Mark Fisher
  * @author Artem Bilan
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0")
 public class SecuredChannelsParser extends AbstractSingleBeanDefinitionParser {
 
 	@Override

spring-integration-security/src/main/java/org/springframework/integration/security/config/SecurityIntegrationConfigurationInitializer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,7 +43,11 @@
  * @author Artem Bilan
  *
  * @since 4.0
+ *
+ * @deprecated since 6.0 in favor of literally
+ * {@code new AuthorizationChannelInterceptor(AuthorityAuthorizationManager.hasAnyRole())}
  */
+@Deprecated(since = "6.0", forRemoval = true)
 public class SecurityIntegrationConfigurationInitializer implements IntegrationConfigurationInitializer {
 
 	private static final String CHANNEL_SECURITY_INTERCEPTOR_BPP_BEAN_NAME =