Merge remote-tracking branch 'origin/5.8.x'

aspects/src/main/java/org/springframework/security/access/intercept/aspectj/aspect/AnnotationSecurityAspect.aj

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,7 +37,9 @@ import org.springframework.security.access.prepost.PreFilter;
  * @author Mike Wiesner
  * @author Luke Taylor
  * @since 3.1
+ * @deprecated Use aspects in {@link org.springframework.security.authorization.method.aspectj} instead
  */
+@Deprecated
 public aspect AnnotationSecurityAspect implements InitializingBean {
 
 		/**

config/src/main/java/org/springframework/security/config/annotation/method/configuration/EnableGlobalMethodSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,7 +42,9 @@ import org.springframework.security.config.annotation.authentication.configurati
  *
  * @author Rob Winch
  * @since 3.2
+ * @deprecated Use {@link EnableMethodSecurity} instead
  */
+@Deprecated
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
 @Documented

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityAspectJAutoProxyRegistrar.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,9 @@ import org.springframework.core.type.AnnotationMetadata;
  *
  * @author Rob Winch
  * @since 3.2
+ * @deprecated Use {@link EnableMethodSecurity} instead
  */
+@Deprecated
 class GlobalMethodSecurityAspectJAutoProxyRegistrar implements ImportBeanDefinitionRegistrar {
 
 	/**

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -86,7 +86,11 @@ import org.springframework.util.Assert;
  * @author Eddú Meléndez
  * @since 3.2
  * @see EnableGlobalMethodSecurity
+ * @deprecated Use {@link PrePostMethodSecurityConfiguration},
+ * {@link SecuredMethodSecurityConfiguration}, or
+ * {@link Jsr250MethodSecurityConfiguration} instead
  */
+@Deprecated
 @Configuration(proxyBeanMethods = false)
 @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 public class GlobalMethodSecurityConfiguration implements ImportAware, SmartInitializingSingleton, BeanFactoryAware {

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecuritySelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,7 +34,9 @@ import org.springframework.util.ClassUtils;
  *
  * @author Rob Winch
  * @since 3.2
+ * @deprecated Use {@link MethodSecuritySelector} instead
  */
+@Deprecated
 final class GlobalMethodSecuritySelector implements ImportSelector {
 
 	@Override

config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MetadataSourceConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import org.springframework.security.access.annotation.Jsr250MethodSecurityMetada
 
 @Configuration(proxyBeanMethods = false)
 @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+@Deprecated
 class Jsr250MetadataSourceConfiguration {
 
 	@Bean

config/src/main/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityMetadataSourceAdvisorRegistrar.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,7 +32,9 @@ import org.springframework.util.MultiValueMap;
  * @author Rob Winch
  * @since 4.0.2
  * @see GlobalMethodSecuritySelector
+ * @deprecated Use {@link MethodSecuritySelector} instead
  */
+@Deprecated
 class MethodSecurityMetadataSourceAdvisorRegistrar implements ImportBeanDefinitionRegistrar {
 
 	/**

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -1059,8 +1059,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated Use {@link #authorizeHttpRequests()} instead
 	 * @see #requestMatcher(RequestMatcher)
 	 */
+	@Deprecated
 	public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests()
 			throws Exception {
 		ApplicationContext context = getContext();
@@ -1173,8 +1175,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * for the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry}
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
+	 * @deprecated Use {@link #authorizeHttpRequests} instead
 	 * @see #requestMatcher(RequestMatcher)
 	 */
+	@Deprecated
 	public HttpSecurity authorizeRequests(
 			Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
 			throws Exception {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java

@@ -60,7 +60,9 @@ import org.springframework.security.web.access.intercept.FilterSecurityIntercept
  * @since 3.2
  * @see ExpressionUrlAuthorizationConfigurer
  * @see UrlAuthorizationConfigurer
+ * @deprecated Use {@link AuthorizeHttpRequestsConfigurer} instead
  */
+@Deprecated
 public abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConfigurer<C, H>, H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<C, H> {
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -79,7 +79,9 @@ import org.springframework.util.StringUtils;
  * @author Yanming Zhou
  * @since 3.2
  * @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()
+ * @deprecated Use {@link AuthorizeHttpRequestsConfigurer} instead
  */
+@Deprecated
 public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractInterceptUrlConfigurer<ExpressionUrlAuthorizationConfigurer<H>, H> {
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/UrlAuthorizationConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -85,7 +85,9 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  * @since 3.2
  * @see ExpressionUrlAuthorizationConfigurer
+ * @deprecated Use {@link AuthorizeHttpRequestsConfigurer} instead
  */
+@Deprecated
 public final class UrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractInterceptUrlConfigurer<UrlAuthorizationConfigurer<H>, H> {
 

config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -46,7 +46,9 @@ import org.springframework.util.xml.DomUtils;
  * for use with a FilterSecurityInterceptor.
  *
  * @author Luke Taylor
+ * @deprecated Use `use-authorization-manager` property instead
  */
+@Deprecated
 public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinitionParser {
 
 	private static final String ATT_USE_EXPRESSIONS = "use-expressions";

config/src/main/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -89,7 +89,9 @@ import org.springframework.util.xml.DomUtils;
  * @author Luke Taylor
  * @author Rob Winch
  * @since 2.0
+ * @deprecated Use {@link MethodSecurityBeanDefinitionParser} instead
  */
+@Deprecated
 public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionParser {
 
 	private final Log logger = LogFactory.getLog(getClass());

config/src/main/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecorator.java

@@ -125,7 +125,11 @@ public class InterceptMethodsBeanDefinitionDecorator implements BeanDefinitionDe
 	/**
 	 * This is the real class which does the work. We need access to the ParserContext in
 	 * order to do bean registration.
+	 *
+	 * @deprecated Use
+	 * {@link InternalAuthorizationManagerInterceptMethodsBeanDefinitionDecorator}
 	 */
+	@Deprecated
 	static class InternalInterceptMethodsBeanDefinitionDecorator
 			extends AbstractInterceptorDrivenBeanDefinitionDecorator {
 

config/src/main/java/org/springframework/security/config/method/MethodSecurityMetadataSourceBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,10 @@ import org.springframework.util.xml.DomUtils;
 /**
  * @author Luke Taylor
  * @since 3.1
+ * @deprecated Use {@code <intercept-methods>}, {@code <method-security>}, or
+ * {@code @EnableMethodSecurity}
  */
+@Deprecated
 public class MethodSecurityMetadataSourceBeanDefinitionParser extends AbstractBeanDefinitionParser {
 
 	static final String ATT_METHOD = "method";

config/src/main/java/org/springframework/security/config/method/ProtectPointcutPostProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -63,7 +63,9 @@ import org.springframework.util.StringUtils;
  *
  * @author Ben Alex
  * @since 2.0
+ * @deprecated Use {@code use-authorization-manager} flag instead
  */
+@Deprecated
 final class ProtectPointcutPostProcessor implements BeanPostProcessor {
 
 	private static final Log logger = LogFactory.getLog(ProtectPointcutPostProcessor.class);

core/src/main/java/org/springframework/security/access/AccessDecisionManager.java

@@ -19,13 +19,16 @@ package org.springframework.security.access;
 import java.util.Collection;
 
 import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
  * Makes a final access control (authorization) decision.
  *
  * @author Ben Alex
+ * @deprecated Use {@link AuthorizationManager} instead
  */
+@Deprecated
 public interface AccessDecisionManager {
 
 	/**

core/src/main/java/org/springframework/security/access/AccessDecisionVoter.java

@@ -18,6 +18,7 @@ package org.springframework.security.access;
 
 import java.util.Collection;
 
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -28,7 +29,9 @@ import org.springframework.security.core.Authentication;
  * {@link org.springframework.security.access.AccessDecisionManager}.
  *
  * @author Ben Alex
+ * @deprecated Use {@link AuthorizationManager} instead
  */
+@Deprecated
 public interface AccessDecisionVoter<S> {
 
 	int ACCESS_GRANTED = 1;

core/src/main/java/org/springframework/security/access/AfterInvocationProvider.java

@@ -19,6 +19,7 @@ package org.springframework.security.access;
 import java.util.Collection;
 
 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -26,7 +27,11 @@ import org.springframework.security.core.Authentication;
  * {@link AfterInvocationProviderManager} decision.
  *
  * @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
  */
+@Deprecated
 public interface AfterInvocationProvider {
 
 	Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes,

core/src/main/java/org/springframework/security/access/annotation/AnnotationMetadataExtractor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,7 +28,11 @@ import org.springframework.security.access.ConfigAttribute;
  * Used by {@code SecuredAnnotationSecurityMetadataSource}.
  *
  * @author Luke Taylor
+ * @deprecated Used only by now-deprecated classes. Consider
+ * {@link org.springframework.security.authorization.method.SecuredAuthorizationManager}
+ * for `@Secured` methods.
  */
+@Deprecated
 public interface AnnotationMetadataExtractor<A extends Annotation> {
 
 	Collection<? extends ConfigAttribute> extractAttributes(A securityAnnotation);

core/src/main/java/org/springframework/security/access/annotation/Jsr250MethodSecurityMetadataSource.java

@@ -35,7 +35,11 @@ import org.springframework.security.access.method.AbstractFallbackMethodSecurity
  *
  * @author Ben Alex
  * @since 2.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.Jsr250AuthorizationManager}
+ * instead
  */
+@Deprecated
 public class Jsr250MethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
 
 	private String defaultRolePrefix = "ROLE_";

core/src/main/java/org/springframework/security/access/annotation/Jsr250SecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,13 +20,16 @@ import jakarta.annotation.security.DenyAll;
 import jakarta.annotation.security.PermitAll;
 
 import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 
 /**
  * Security config applicable as a JSR 250 annotation attribute.
  *
  * @author Ryan Heaton
  * @since 2.0
+ * @deprecated Use {@link AuthorizationManagerBeforeMethodInterceptor#jsr250()} instead
  */
+@Deprecated
 public class Jsr250SecurityConfig extends SecurityConfig {
 
 	public static final Jsr250SecurityConfig PERMIT_ALL_ATTRIBUTE = new Jsr250SecurityConfig(PermitAll.class.getName());

core/src/main/java/org/springframework/security/access/annotation/Jsr250Voter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,7 +28,11 @@ import org.springframework.security.core.GrantedAuthority;
  *
  * @author Ryan Heaton
  * @since 2.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.Jsr250AuthorizationManager}
+ * instead
  */
+@Deprecated
 public class Jsr250Voter implements AccessDecisionVoter<Object> {
 
 	/**

core/src/main/java/org/springframework/security/access/annotation/SecuredAnnotationSecurityMetadataSource.java

@@ -38,7 +38,10 @@ import org.springframework.util.Assert;
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor#secured}
  */
+@Deprecated
 @SuppressWarnings({ "unchecked" })
 public class SecuredAnnotationSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
 

core/src/main/java/org/springframework/security/access/event/AbstractAuthorizationEvent.java

@@ -22,7 +22,11 @@ import org.springframework.context.ApplicationEvent;
  * Abstract superclass for all security interception related events.
  *
  * @author Ben Alex
+ * @deprecated Authorization events have moved. Consider
+ * {@link org.springframework.security.authorization.event.AuthorizationGrantedEvent} and
+ * {@link org.springframework.security.authorization.event.AuthorizationDeniedEvent}
  */
+@Deprecated
 public abstract class AbstractAuthorizationEvent extends ApplicationEvent {
 
 	/**

core/src/main/java/org/springframework/security/access/event/AuthenticationCredentialsNotFoundEvent.java

@@ -27,7 +27,11 @@ import org.springframework.util.Assert;
  * could not be obtained from the <code>SecurityContextHolder</code>.
  *
  * @author Ben Alex
+ * @deprecated Authentication is now separated from authorization. Consider
+ * {@link org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent}
+ * instead.
  */
+@Deprecated
 public class AuthenticationCredentialsNotFoundEvent extends AbstractAuthorizationEvent {
 
 	private final AuthenticationCredentialsNotFoundException credentialsNotFoundException;

core/src/main/java/org/springframework/security/access/event/AuthorizationFailureEvent.java

@@ -34,7 +34,11 @@ import org.springframework.util.Assert;
  * AfterInvocationManager}.
  *
  * @author Ben Alex
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.event.AuthorizationDeniedEvent}
+ * instead
  */
+@Deprecated
 public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
 
 	private final AccessDeniedException accessDeniedException;

core/src/main/java/org/springframework/security/access/event/AuthorizedEvent.java

@@ -29,7 +29,11 @@ import org.springframework.util.Assert;
  * </p>
  *
  * @author Ben Alex
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.event.AuthorizationGrantedEvent}
+ * instead
  */
+@Deprecated
 public class AuthorizedEvent extends AbstractAuthorizationEvent {
 
 	private final Authentication authentication;

core/src/main/java/org/springframework/security/access/event/LoggerListener.java

@@ -30,7 +30,10 @@ import org.springframework.core.log.LogMessage;
  * </p>
  *
  * @author Ben Alex
+ * @deprecated Logging is now embedded in Spring Security components. If you need further
+ * logging, please consider using your own {@link ApplicationListener}
  */
+@Deprecated
 public class LoggerListener implements ApplicationListener<AbstractAuthorizationEvent> {
 
 	private static final Log logger = LogFactory.getLog(LoggerListener.class);

core/src/main/java/org/springframework/security/access/event/PublicInvocationEvent.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.access.event;
 
+import org.springframework.security.authorization.event.AuthorizationGrantedEvent;
+
 /**
  * Event that is generated whenever a public secure object is invoked.
  * <p>
@@ -28,7 +30,10 @@ package org.springframework.security.access.event;
  * </p>
  *
  * @author Ben Alex
+ * @deprecated Only used by now-deprecated classes. Consider
+ * {@link AuthorizationGrantedEvent#getSource()} to deduce public invocations.
  */
+@Deprecated
 public class PublicInvocationEvent extends AbstractAuthorizationEvent {
 
 	/**

core/src/main/java/org/springframework/security/access/expression/method/AbstractExpressionBasedMethodConfigAttribute.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,7 +32,10 @@ import org.springframework.util.Assert;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
+ * interceptors instead
  */
+@Deprecated
 abstract class AbstractExpressionBasedMethodConfigAttribute implements ConfigAttribute {
 
 	private final Expression filterExpression;

core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedAnnotationAttributeFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,7 +30,10 @@ import org.springframework.security.access.prepost.PrePostInvocationAttributeFac
  * @author Luke Taylor
  * @author Rob Winch
  * @since 3.0
+ * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
+ * interceptors instead
  */
+@Deprecated
 public class ExpressionBasedAnnotationAttributeFactory implements PrePostInvocationAttributeFactory {
 
 	private final Object parserLock = new Object();

core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,7 +32,11 @@ import org.springframework.security.core.Authentication;
 /**
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 public class ExpressionBasedPostInvocationAdvice implements PostInvocationAuthorizationAdvice {
 
 	protected final Log logger = LogFactory.getLog(getClass());

core/src/main/java/org/springframework/security/access/expression/method/ExpressionBasedPreInvocationAdvice.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,7 +33,11 @@ import org.springframework.util.Assert;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 public class ExpressionBasedPreInvocationAdvice implements PreInvocationAuthorizationAdvice {
 
 	private MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();

core/src/main/java/org/springframework/security/access/expression/method/PostInvocationExpressionAttribute.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,7 +23,11 @@ import org.springframework.security.access.prepost.PostInvocationAttribute;
 /**
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 class PostInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
 		implements PostInvocationAttribute {
 

core/src/main/java/org/springframework/security/access/expression/method/PreInvocationExpressionAttribute.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,7 +23,11 @@ import org.springframework.security.access.prepost.PreInvocationAttribute;
 /**
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
  */
+@Deprecated
 class PreInvocationExpressionAttribute extends AbstractExpressionBasedMethodConfigAttribute
 		implements PreInvocationAttribute {
 

core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java

@@ -104,7 +104,17 @@ import org.springframework.util.CollectionUtils;
  *
  * @author Ben Alex
  * @author Rob Winch
+ * @deprecated Use
+ * {@link org.springframework.security.web.access.intercept.AuthorizationFilter} instead
+ * for filter security,
+ * {@link org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor}
+ * for messaging security, or
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * and
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * for method security.
  */
+@Deprecated
 public abstract class AbstractSecurityInterceptor
 		implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware {
 

core/src/main/java/org/springframework/security/access/intercept/AfterInvocationManager.java

@@ -20,6 +20,7 @@ import java.util.Collection;
 
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -41,7 +42,11 @@ import org.springframework.security.core.Authentication;
  * </p>
  *
  * @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
  */
+@Deprecated
 public interface AfterInvocationManager {
 
 	/**

core/src/main/java/org/springframework/security/access/intercept/AfterInvocationProviderManager.java

@@ -28,6 +28,7 @@ import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AfterInvocationProvider;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
@@ -47,7 +48,11 @@ import org.springframework.util.CollectionUtils;
  * given provider is configured to respond to).
  *
  * @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
  */
+@Deprecated
 public class AfterInvocationProviderManager implements AfterInvocationManager, InitializingBean {
 
 	protected static final Log logger = LogFactory.getLog(AfterInvocationProviderManager.class);

core/src/main/java/org/springframework/security/access/intercept/InterceptorStatusToken.java

@@ -19,6 +19,7 @@ package org.springframework.security.access.intercept;
 import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.context.SecurityContext;
 
 /**
@@ -29,7 +30,11 @@ import org.springframework.security.core.context.SecurityContext;
  * can tidy up correctly.
  *
  * @author Ben Alex
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
  */
+@Deprecated
 public class InterceptorStatusToken {
 
 	private SecurityContext securityContext;

core/src/main/java/org/springframework/security/access/intercept/MethodInvocationPrivilegeEvaluator.java

@@ -43,7 +43,10 @@ import org.springframework.util.Assert;
  * </p>
  *
  * @author Ben Alex
+ * @deprecated Use {@link org.springframework.security.authorization.AuthorizationManager}
+ * instead
  */
+@Deprecated
 public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
 
 	protected static final Log logger = LogFactory.getLog(MethodInvocationPrivilegeEvaluator.class);

core/src/main/java/org/springframework/security/access/intercept/RunAsImplAuthenticationProvider.java

@@ -39,7 +39,12 @@ import org.springframework.util.Assert;
  * <P>
  * If the key does not match, a <code>BadCredentialsException</code> is thrown.
  * </p>
+ *
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
  */
+@Deprecated
 public class RunAsImplAuthenticationProvider implements InitializingBean, AuthenticationProvider, MessageSourceAware {
 
 	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

core/src/main/java/org/springframework/security/access/intercept/RunAsManager.java

@@ -57,7 +57,11 @@ import org.springframework.security.core.Authentication;
  * </p>
  *
  * @author Ben Alex
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
  */
+@Deprecated
 public interface RunAsManager {
 
 	/**

core/src/main/java/org/springframework/security/access/intercept/RunAsManagerImpl.java

@@ -52,7 +52,11 @@ import org.springframework.util.Assert;
  *
  * @author Ben Alex
  * @author colin sampaleanu
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
  */
+@Deprecated
 public class RunAsManagerImpl implements RunAsManager, InitializingBean {
 
 	private String key;

core/src/main/java/org/springframework/security/access/intercept/RunAsUserToken.java

@@ -28,7 +28,11 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
  * that supports {@link RunAsManagerImpl}.
  *
  * @author Ben Alex
+ * @deprecated Authentication is now separated from authorization in Spring Security. This
+ * class is only used by now-deprecated components. There is not yet an equivalent
+ * replacement in Spring Security.
  */
+@Deprecated
 public class RunAsUserToken extends AbstractAuthenticationToken {
 
 	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityInterceptor.java

@@ -36,7 +36,13 @@ import org.springframework.security.access.method.MethodSecurityMetadataSource;
  *
  * @author Ben Alex
  * @author Rob Winch
+ * @deprecated Please use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * and
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
 
 	private MethodSecurityMetadataSource securityMetadataSource;

core/src/main/java/org/springframework/security/access/intercept/aopalliance/MethodSecurityMetadataSourceAdvisor.java

@@ -51,7 +51,9 @@ import org.springframework.util.CollectionUtils;
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @deprecated Use {@link EnableMethodSecurity} or publish interceptors directly
  */
+@Deprecated
 public class MethodSecurityMetadataSourceAdvisor extends AbstractPointcutAdvisor implements BeanFactoryAware {
 
 	private transient MethodSecurityMetadataSource attributeSource;

core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@ import java.util.Collections;
 
 import org.springframework.aop.support.AopUtils;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 
 /**
  * Abstract implementation of {@link MethodSecurityMetadataSource} that supports both
@@ -43,7 +44,11 @@ import org.springframework.security.access.ConfigAttribute;
  * @author Ben Alex
  * @author Luke taylor
  * @since 2.0
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code <method-security>} and {@code <intercept-methods>} instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
  */
+@Deprecated
 public abstract class AbstractFallbackMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
 
 	@Override

core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java

@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory;
 
 import org.springframework.aop.framework.AopProxyUtils;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 
 /**
  * Abstract implementation of <tt>MethodSecurityMetadataSource</tt> which resolves the
@@ -31,7 +32,11 @@ import org.springframework.security.access.ConfigAttribute;
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code <method-security>} and {@code <intercept-methods>} instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
  */
+@Deprecated
 public abstract class AbstractMethodSecurityMetadataSource implements MethodSecurityMetadataSource {
 
 	protected final Log logger = LogFactory.getLog(getClass());

core/src/main/java/org/springframework/security/access/method/DelegatingMethodSecurityMetadataSource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@ import java.util.Set;
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
 
@@ -37,7 +38,11 @@ import org.springframework.util.ObjectUtils;
  *
  * @author Ben Alex
  * @author Luke Taylor
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code <method-security>} and {@code <intercept-methods>} instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
  */
+@Deprecated
 public final class DelegatingMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
 
 	private static final List<ConfigAttribute> NULL_CONFIG_ATTRIBUTE = Collections.emptyList();

core/src/main/java/org/springframework/security/access/method/MapBasedMethodSecurityMetadataSource.java

@@ -28,6 +28,7 @@ import java.util.Set;
 import org.springframework.beans.factory.BeanClassLoaderAware;
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 
@@ -42,7 +43,11 @@ import org.springframework.util.ClassUtils;
  *
  * @author Ben Alex
  * @since 2.0
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code <method-security>} and {@code <intercept-methods>} instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
  */
+@Deprecated
 public class MapBasedMethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource
 		implements BeanClassLoaderAware {
 

core/src/main/java/org/springframework/security/access/method/MethodSecurityMetadataSource.java

@@ -21,12 +21,18 @@ import java.util.Collection;
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.authorization.AuthorizationManager;
 
 /**
  * Interface for <code>SecurityMetadataSource</code> implementations that are designed to
  * perform lookups keyed on <code>Method</code>s.
  *
  * @author Ben Alex
+ * @see org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager
+ * @see org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager
+ * @deprecated Use the {@code use-authorization-manager} attribute for
+ * {@code <method-security>} and {@code <intercept-methods>} instead or use
+ * annotation-based or {@link AuthorizationManager}-based authorization
  */
 public interface MethodSecurityMetadataSource extends SecurityMetadataSource {
 

core/src/main/java/org/springframework/security/access/prepost/PostInvocationAdviceProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,11 @@ import org.springframework.security.core.Authentication;
  * @author Luke Taylor
  * @author Alexander Furer
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 public class PostInvocationAdviceProvider implements AfterInvocationProvider {
 
 	protected final Log logger = LogFactory.getLog(getClass());

core/src/main/java/org/springframework/security/access/prepost/PostInvocationAttribute.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@ import org.springframework.security.access.ConfigAttribute;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 public interface PostInvocationAttribute extends ConfigAttribute {
 
 }

core/src/main/java/org/springframework/security/access/prepost/PostInvocationAuthorizationAdvice.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,11 @@ import org.springframework.security.core.Authentication;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor}
+ * instead
  */
+@Deprecated
 public interface PostInvocationAuthorizationAdvice extends AopInfrastructureBean {
 
 	Object after(Authentication authentication, MethodInvocation mi, PostInvocationAttribute pia, Object returnedObject)

core/src/main/java/org/springframework/security/access/prepost/PreInvocationAttribute.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@ import org.springframework.security.access.ConfigAttribute;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
  */
+@Deprecated
 public interface PreInvocationAttribute extends ConfigAttribute {
 
 }

core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdvice.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,11 @@ import org.springframework.security.core.Authentication;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
  */
+@Deprecated
 public interface PreInvocationAuthorizationAdvice extends AopInfrastructureBean {
 
 	/**

core/src/main/java/org/springframework/security/access/prepost/PreInvocationAuthorizationAdviceVoter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,7 +38,11 @@ import org.springframework.security.core.Authentication;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor}
+ * instead
  */
+@Deprecated
 public class PreInvocationAuthorizationAdviceVoter implements AccessDecisionVoter<MethodInvocation> {
 
 	protected final Log logger = LogFactory.getLog(getClass());

core/src/main/java/org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,7 +48,13 @@ import org.springframework.util.ClassUtils;
  * @author Luke Taylor
  * @since 3.0
  * @see PreInvocationAuthorizationAdviceVoter
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager}
+ * and
+ * {@link org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager}
+ * instead
  */
+@Deprecated
 public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {
 
 	private final PrePostInvocationAttributeFactory attributeFactory;

core/src/main/java/org/springframework/security/access/prepost/PrePostInvocationAttributeFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,10 +17,14 @@
 package org.springframework.security.access.prepost;
 
 import org.springframework.aop.framework.AopInfrastructureBean;
+import org.springframework.security.authorization.AuthorizationManager;
 
 /**
  * @author Luke Taylor
  * @since 3.0
+ * @see org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor
+ * @see org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor
+ * @deprecated Use delegation with {@link AuthorizationManager}
  */
 public interface PrePostInvocationAttributeFactory extends AopInfrastructureBean {
 

core/src/main/java/org/springframework/security/access/vote/AbstractAccessDecisionManager.java

@@ -29,6 +29,7 @@ import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.util.Assert;
 
@@ -39,7 +40,10 @@ import org.springframework.util.Assert;
  * Handles configuration of a bean context defined list of {@link AccessDecisionVoter}s
  * and the access control behaviour if all voters abstain from voting (defaults to deny
  * access).
+ *
+ * @deprecated Use {@link AuthorizationManager} instead
  */
+@Deprecated
 public abstract class AbstractAccessDecisionManager
 		implements AccessDecisionManager, InitializingBean, MessageSourceAware {
 

core/src/main/java/org/springframework/security/access/vote/AbstractAclVoter.java

@@ -27,7 +27,10 @@ import org.springframework.util.Assert;
  * particular ACL system.
  *
  * @author Ben Alex
+ * @deprecated Now used by only-deprecated classes. Generally speaking, in-memory ACL is
+ * no longer advised, so no replacement is planned at this point.
  */
+@Deprecated
 public abstract class AbstractAclVoter implements AccessDecisionVoter<MethodInvocation> {
 
 	private Class<?> processDomainObjectClass;

core/src/main/java/org/springframework/security/access/vote/AffirmativeBased.java

@@ -22,13 +22,17 @@ import java.util.List;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
  * Simple concrete implementation of
  * {@link org.springframework.security.access.AccessDecisionManager} that grants access if
  * any <code>AccessDecisionVoter</code> returns an affirmative response.
+ *
+ * @deprecated Use {@link AuthorizationManager} instead
  */
+@Deprecated
 public class AffirmativeBased extends AbstractAccessDecisionManager {
 
 	public AffirmativeBased(List<AccessDecisionVoter<?>> decisionVoters) {

core/src/main/java/org/springframework/security/access/vote/AuthenticatedVoter.java

@@ -45,7 +45,11 @@ import org.springframework.util.Assert;
  * All comparisons and prefixes are case sensitive.
  *
  * @author Ben Alex
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.AuthorityAuthorizationManager}
+ * instead
  */
+@Deprecated
 public class AuthenticatedVoter implements AccessDecisionVoter<Object> {
 
 	public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";

core/src/main/java/org/springframework/security/access/vote/ConsensusBased.java

@@ -22,6 +22,7 @@ import java.util.List;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
@@ -32,7 +33,10 @@ import org.springframework.security.core.Authentication;
  * "Consensus" here means majority-rule (ignoring abstains) rather than unanimous
  * agreement (ignoring abstains). If you require unanimity, please see
  * {@link UnanimousBased}.
+ *
+ * @deprecated Use {@link AuthorizationManager} instead
  */
+@Deprecated
 public class ConsensusBased extends AbstractAccessDecisionManager {
 
 	private boolean allowIfEqualGrantedDeniedDecisions = true;

core/src/main/java/org/springframework/security/access/vote/RoleHierarchyVoter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,7 +29,11 @@ import org.springframework.util.Assert;
  *
  * @author Luke Taylor
  * @since 2.0.4
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.AuthorityAuthorizationManager#setRoleHierarchy}
+ * instead
  */
+@Deprecated
 public class RoleHierarchyVoter extends RoleVoter {
 
 	private RoleHierarchy roleHierarchy = null;

core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -48,7 +48,11 @@ import org.springframework.security.core.GrantedAuthority;
  *
  * @author Ben Alex
  * @author colin sampaleanu
+ * @deprecated Use
+ * {@link org.springframework.security.authorization.AuthorityAuthorizationManager}
+ * instead
  */
+@Deprecated
 public class RoleVoter implements AccessDecisionVoter<Object> {
 
 	private String rolePrefix = "ROLE_";

core/src/main/java/org/springframework/security/access/vote/UnanimousBased.java

@@ -23,13 +23,17 @@ import java.util.List;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 
 /**
  * Simple concrete implementation of
  * {@link org.springframework.security.access.AccessDecisionManager} that requires all
  * voters to abstain or grant access.
+ *
+ * @deprecated Use {@link AuthorizationManager} instead
  */
+@Deprecated
 public class UnanimousBased extends AbstractAccessDecisionManager {
 
 	public UnanimousBased(List<AccessDecisionVoter<?>> decisionVoters) {

web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,7 +37,9 @@ import org.springframework.web.context.ServletContextAware;
  * @author Ben Alex
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use {@link AuthorizationManagerWebInvocationPrivilegeEvaluator} instead
  */
+@Deprecated
 public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator, ServletContextAware {
 
 	protected static final Log logger = LogFactory.getLog(DefaultWebInvocationPrivilegeEvaluator.class);

web/src/main/java/org/springframework/security/web/access/expression/WebExpressionVoter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,7 +35,9 @@ import org.springframework.util.Assert;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use {@link WebExpressionAuthorizationManager} instead
  */
+@Deprecated
 public class WebExpressionVoter implements AccessDecisionVoter<FilterInvocation> {
 
 	private final Log logger = LogFactory.getLog(getClass());

web/src/main/java/org/springframework/security/web/access/intercept/FilterSecurityInterceptor.java

@@ -41,7 +41,9 @@ import org.springframework.security.web.FilterInvocation;
  *
  * @author Ben Alex
  * @author Rob Winch
+ * @deprecated Use {@link AuthorizationFilter} instead
  */
+@Deprecated
 public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
 
 	private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";