Deprecate openID 2.0 support

This commit puts deprecation notice on docs, sample applications and configurations (java and xml)

Fixes gh-7153

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -233,7 +233,9 @@ public final class HttpSecurity extends
 	 * </pre>
 	 *
 	 * @return the {@link OpenIDLoginConfigurer} for further customizations.
-	 *
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+	 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+	 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	 * @throws Exception
 	 * @see OpenIDLoginConfigurer
 	 */
@@ -355,6 +357,9 @@ public final class HttpSecurity extends
 	 *
 	 * @param openidLoginCustomizer the {@link Customizer} to provide more options for
 	 * the {@link OpenIDLoginConfigurer}
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+	 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+	 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 */

config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java

@@ -118,6 +118,9 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
  * </ul>
  *
  * @author Rob Winch
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @since 3.2
  */
 public final class OpenIDLoginConfigurer<H extends HttpSecurityBuilder<H>> extends

config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd

@@ -131,7 +131,7 @@
       </xs:annotation>
       <xs:complexType/>
    </xs:element>
-  
+
   <xs:attributeGroup name="password-encoder.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -164,7 +164,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="user-property">
       <xs:attribute name="user-property" use="required" type="xs:token">
          <xs:annotation>
@@ -433,7 +433,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="ldap-ap.attlist">
       <xs:attribute name="server-ref" type="xs:token">
          <xs:annotation>
@@ -513,7 +513,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="password-compare.attlist">
       <xs:attribute name="password-attribute" type="xs:token">
          <xs:annotation>
@@ -573,7 +573,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="protect.attlist">
       <xs:attribute name="method" use="required" type="xs:token">
          <xs:annotation>
@@ -817,13 +817,13 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
-  
-  
-  
-  
-  
-  
+
+
+
+
+
+
+
   <xs:attributeGroup name="protect-pointcut.attlist">
       <xs:attribute name="expression" use="required" type="xs:string">
          <xs:annotation>
@@ -1265,7 +1265,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="access-denied-handler.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -1290,7 +1290,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="intercept-url.attlist">
       <xs:attribute name="pattern" type="xs:token">
          <xs:annotation>
@@ -1361,7 +1361,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="logout.attlist">
       <xs:attribute name="logout-url" type="xs:token">
          <xs:annotation>
@@ -1408,7 +1408,7 @@
          <xs:attributeGroup ref="security:ref"/>
       </xs:complexType>
    </xs:element>
-  
+
   <xs:attributeGroup name="form-login.attlist">
       <xs:attribute name="login-processing-url" type="xs:token">
          <xs:annotation>
@@ -1496,7 +1496,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:element name="attribute-exchange">
       <xs:annotation>
          <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1695,7 +1695,7 @@
          </xs:simpleType>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="http-basic.attlist">
       <xs:attribute name="entry-point-ref" type="xs:token">
          <xs:annotation>
@@ -1711,7 +1711,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="session-management.attlist">
       <xs:attribute name="session-fixation-protection">
          <xs:annotation>
@@ -1767,7 +1767,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="concurrency-control.attlist">
       <xs:attribute name="max-sessions" type="xs:integer">
          <xs:annotation>
@@ -1814,7 +1814,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="remember-me.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -1912,7 +1912,7 @@
   <xs:attributeGroup name="remember-me-data-source-ref">
       <xs:attributeGroup ref="security:data-source-ref"/>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="anonymous.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -1945,8 +1945,8 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
-  
+
+
   <xs:attributeGroup name="http-port">
       <xs:attribute name="http" use="required" type="xs:token">
          <xs:annotation>
@@ -1963,7 +1963,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="x509.attlist">
       <xs:attribute name="subject-principal-regex" type="xs:token">
          <xs:annotation>
@@ -2160,7 +2160,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="ap.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -2212,7 +2212,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="user.attlist">
       <xs:attribute name="name" use="required" type="xs:token">
          <xs:annotation>
@@ -2823,4 +2823,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd

@@ -124,7 +124,7 @@
       </xs:annotation>
       <xs:complexType/>
    </xs:element>
-  
+
   <xs:attributeGroup name="password-encoder.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -408,7 +408,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="ldap-ap.attlist">
       <xs:attribute name="server-ref" type="xs:token">
          <xs:annotation>
@@ -488,7 +488,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="password-compare.attlist">
       <xs:attribute name="password-attribute" type="xs:token">
          <xs:annotation>
@@ -541,7 +541,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="protect.attlist">
       <xs:attribute name="method" use="required" type="xs:token">
          <xs:annotation>
@@ -785,13 +785,13 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
-  
-  
-  
-  
-  
-  
+
+
+
+
+
+
+
   <xs:attributeGroup name="protect-pointcut.attlist">
       <xs:attribute name="expression" use="required" type="xs:string">
          <xs:annotation>
@@ -960,7 +960,10 @@
             <xs:element ref="security:oauth2-resource-server"/>
             <xs:element name="openid-login">
                <xs:annotation>
-                  <xs:documentation>Sets up form login for authentication with an Open ID identity
+                  <xs:documentation>Sets up form login for authentication with an Open ID identity.
+                      NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+                      <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+                      to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
                 </xs:documentation>
                </xs:annotation>
                <xs:complexType>
@@ -1236,7 +1239,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="access-denied-handler.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -1261,7 +1264,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="intercept-url.attlist">
       <xs:attribute name="pattern" type="xs:token">
          <xs:annotation>
@@ -1318,7 +1321,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="logout.attlist">
       <xs:attribute name="logout-url" type="xs:token">
          <xs:annotation>
@@ -1365,7 +1368,7 @@
          <xs:attributeGroup ref="security:ref"/>
       </xs:complexType>
    </xs:element>
-  
+
   <xs:attributeGroup name="form-login.attlist">
       <xs:attribute name="login-processing-url" type="xs:token">
          <xs:annotation>
@@ -1878,7 +1881,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:element name="attribute-exchange">
       <xs:annotation>
          <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1905,7 +1908,10 @@
   </xs:attributeGroup>
   <xs:element name="openid-attribute">
       <xs:annotation>
-         <xs:documentation>Attributes used when making an OpenID AX Fetch Request
+         <xs:documentation>Attributes used when making an OpenID AX Fetch Request.
+             NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+             <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+             to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
                 </xs:documentation>
       </xs:annotation>
       <xs:complexType>
@@ -2077,7 +2083,7 @@
          </xs:simpleType>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="http-basic.attlist">
       <xs:attribute name="entry-point-ref" type="xs:token">
          <xs:annotation>
@@ -2093,7 +2099,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="session-management.attlist">
       <xs:attribute name="session-fixation-protection">
          <xs:annotation>
@@ -2149,7 +2155,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="concurrency-control.attlist">
       <xs:attribute name="max-sessions" type="xs:integer">
          <xs:annotation>
@@ -2196,7 +2202,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="remember-me.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -2294,7 +2300,7 @@
   <xs:attributeGroup name="remember-me-data-source-ref">
       <xs:attributeGroup ref="security:data-source-ref"/>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="anonymous.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -2327,8 +2333,8 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
-  
+
+
   <xs:attributeGroup name="http-port">
       <xs:attribute name="http" use="required" type="xs:token">
          <xs:annotation>
@@ -2345,7 +2351,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="x509.attlist">
       <xs:attribute name="subject-principal-regex" type="xs:token">
          <xs:annotation>
@@ -2482,7 +2488,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="ap.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -2534,7 +2540,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  
+
   <xs:attributeGroup name="user.attlist">
       <xs:attribute name="name" use="required" type="xs:token">
          <xs:annotation>
@@ -3174,4 +3180,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

docs/articles/src/docbook/codebase-structure.xml

@@ -146,7 +146,7 @@
 								<entry valign="middle">spring-security-openid</entry>
 								<entry>OpenID web authentication support.</entry>
 								<entry>If you need to authenticate users against an external OpenID
-									server.</entry>
+									server. (Deprecated)</entry>
 								<entry><literal>org.springframework.security.openid</literal></entry>
 							</row>
 						</tbody>

docs/manual/src/docs/asciidoc/_includes/about/modules.adoc

@@ -102,6 +102,9 @@ The top-level package is `org.springframework.security.cas`.
 
 [[spring-security-openid]]
 == OpenID -- `spring-security-openid.jar`
+[NOTE]
+The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
+
 This module contains OpenID web authentication support.
 It is used to authenticate users against an external OpenID server.
 The top-level package is `org.springframework.security.openid`.

docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc

@@ -33,6 +33,7 @@ This also gives a good idea of the high level flow of authentication and how pie
 * <<servlet-rememberme, Remember Me>> - How to remember a user past session expiration
 * <<servlet-jaas, JAAS Authentication>> - Authenticate with JAAS
 * <<servlet-openid,OpenID>> - OpenID Authentication (not to be confused with OpenID Connect)
+// FIXME: The one above is deprecated. Should it be removed from here as well?
 * <<servlet-preauth>> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
 * <<servlet-x509,X509 Authentication>> - X509 Authentication
 

docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc

@@ -1,5 +1,9 @@
 [[servlet-openid]]
 == OpenID Support
+
+[NOTE]
+The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
+
 The namespace supports https://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
 
 [source,xml]

samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java

@@ -20,6 +20,9 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
 /**
  * No customizations of {@link AbstractSecurityWebApplicationInitializer} are necessary.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Rob Winch
  */
 public class MessageSecurityWebApplicationInitializer extends

samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -20,6 +20,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.samples.security.CustomUserDetailsService;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	// @formatter:off

samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java

@@ -21,6 +21,11 @@ import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 @Controller
 @RequestMapping("/user/")
 public class UserController {

samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java

@@ -22,6 +22,11 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.openid.OpenIDAuthenticationToken;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 public class CustomUserDetailsService implements
 		AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
 	public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
@@ -29,4 +34,4 @@ public class CustomUserDetailsService implements
 		return new User(token.getName(), "",
 				AuthorityUtils.createAuthorityList("ROLE_USER"));
 	}
-}
+}

samples/javaconfig/openid/src/main/resources/views/login.html

@@ -7,6 +7,11 @@
   <body th:include="layout :: body" th:with="content=~{::content}">
      <div th:fragment="content">
         <form name="f" th:action="@{/login/openid}" method="post" id="openid_form">
+            <p><strong>
+                NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+                <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+                to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+            </strong></p>
             <input type="hidden" name="action" value="verify" />
 	        <fieldset>
                 <legend>Sign-in or Create New Account</legend>
@@ -43,4 +48,4 @@
     </script>
     </div>
   </body>
-</html>
+</html>

samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java

@@ -23,6 +23,9 @@ import org.springframework.security.core.userdetails.User;
 /**
  * Customized {@code UserDetails} implementation.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java

@@ -32,6 +32,9 @@ import org.springframework.security.openid.OpenIDAuthenticationToken;
  * Custom UserDetailsService which accepts any OpenID user, "registering" new users in a
  * map so they can be welcomed back to the site on subsequent logins.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

samples/xml/openid/src/main/resources/logback.xml

@@ -1,3 +1,7 @@
+<!-- NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>. -->
+
 <configuration>
 	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 	<encoder>

samples/xml/openid/src/main/webapp/index.jsp

@@ -6,6 +6,12 @@
 
 <h1>OpenID Sample Home Page</h1>
 
+<p><strong>
+NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+</strong></p>
+
 <sec:authentication property='principal.newUser' var='isNew' />
 <p>
 Welcome<c:if test="${!isNew}"> back,</c:if> <sec:authentication property='principal.name' />!

samples/xml/openid/src/main/webapp/openidlogin.jsp

@@ -29,6 +29,12 @@
 
 <body>
 
+<p><strong>
+NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+</strong></p>
+
 <c:if test="${not empty param.login_error}">
   <font color="red">
     Your login attempt was not successful, try again.<br/><br/>