Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter

Fixes: gh-6260

web/src/main/java/org/springframework/security/web/servletapi/HttpServlet25RequestFactory.java

@@ -1,44 +0,0 @@
-/*
- * Copyright 2002-2016 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.web.servletapi;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.security.authentication.AuthenticationTrustResolver;
-
-/**
- * Creates a {@link SecurityContextHolderAwareRequestWrapper}
- *
- * @author Rob Winch
- * @see SecurityContextHolderAwareRequestWrapper
- */
-final class HttpServlet25RequestFactory implements HttpServletRequestFactory {
-	private final String rolePrefix;
-	private final AuthenticationTrustResolver trustResolver;
-
-	HttpServlet25RequestFactory(AuthenticationTrustResolver trustResolver,
-			String rolePrefix) {
-		this.trustResolver = trustResolver;
-		this.rolePrefix = rolePrefix;
-	}
-
-	public HttpServletRequest create(HttpServletRequest request,
-			HttpServletResponse response) {
-		return new SecurityContextHolderAwareRequestWrapper(request, trustResolver,
-				rolePrefix);
-	}
-}

web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java

@@ -48,9 +48,8 @@ import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
 /**
- * Provides integration with the Servlet 3 APIs in addition to the ones found in
- * {@link HttpServlet25RequestFactory}. The additional methods that are integrated with
- * can be found below:
+ * Provides integration with the Servlet 3 APIs. The additional methods that are
+ * integrated with can be found below:
  *
  * <ul>
  * <li>{@link HttpServletRequest#authenticate(HttpServletResponse)} - Allows the user to
@@ -71,7 +70,6 @@ import org.springframework.util.CollectionUtils;
  * @author Rob Winch
  *
  * @see SecurityContextHolderAwareRequestFilter
- * @see HttpServlet25RequestFactory
  * @see Servlet3SecurityContextHolderAwareRequestWrapper
  * @see SecurityContextAsyncContext
  */

web/src/main/java/org/springframework/security/web/servletapi/HttpServletRequestFactory.java

@@ -19,13 +19,11 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * Internal interface for creating a {@link HttpServletRequest}. This allows for creating
- * a different implementation for Servlet 2.5 and Servlet 3.0 environments.
+ * Internal interface for creating a {@link HttpServletRequest}.
  *
  * @author Rob Winch
  * @since 3.2
  * @see HttpServlet3RequestFactory
- * @see HttpServlet25RequestFactory
  */
 interface HttpServletRequestFactory {
 

web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java

@@ -35,20 +35,14 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.util.Assert;
-import org.springframework.util.ClassUtils;
 import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * A <code>Filter</code> which populates the <code>ServletRequest</code> with a request
  * wrapper which implements the servlet API security methods.
  * <p>
- * In pre servlet 3 environment the wrapper class used is
- * {@link SecurityContextHolderAwareRequestWrapper}. See its javadoc for the methods that
- * are implemented.
- * </p>
- * <p>
- * In a servlet 3 environment {@link SecurityContextHolderAwareRequestWrapper} is extended
- * to provide the following additional methods:
+ * {@link SecurityContextHolderAwareRequestWrapper} is extended to provide the following
+ * additional methods:
  * </p>
  * <ul>
  * <li>{@link HttpServletRequest#authenticate(HttpServletResponse)} - Allows the user to
@@ -114,8 +108,6 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 	 * @param authenticationEntryPoint the {@link AuthenticationEntryPoint} to use when
 	 * invoking {@link HttpServletRequest#authenticate(HttpServletResponse)} if the user
 	 * is not authenticated.
-	 *
-	 * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
 	 */
 	public void setAuthenticationEntryPoint(
 			AuthenticationEntryPoint authenticationEntryPoint) {
@@ -136,8 +128,6 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 	 *
 	 * @param authenticationManager the {@link AuthenticationManager} to use when invoking
 	 * {@link HttpServletRequest#login(String, String)}
-	 *
-	 * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
 	 */
 	public void setAuthenticationManager(AuthenticationManager authenticationManager) {
 		this.authenticationManager = authenticationManager;
@@ -158,8 +148,6 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 	 *
 	 * @param logoutHandlers the {@code List&lt;LogoutHandler&gt;}s when invoking
 	 * {@link HttpServletRequest#logout()}.
-	 *
-	 * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
 	 */
 	public void setLogoutHandlers(List<LogoutHandler> logoutHandlers) {
 		this.logoutHandlers = logoutHandlers;
@@ -179,8 +167,7 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 
 	private void updateFactory() {
 		String rolePrefix = this.rolePrefix;
-		this.requestFactory = isServlet3() ? createServlet3Factory(rolePrefix)
-				: new HttpServlet25RequestFactory(this.trustResolver, rolePrefix);
+		this.requestFactory = createServlet3Factory(rolePrefix);
 	}
 
 	/**
@@ -205,11 +192,4 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 		return factory;
 	}
 
-	/**
-	 * Returns true if the Servlet 3 APIs are detected.
-	 * @return
-	 */
-	private boolean isServlet3() {
-		return ClassUtils.hasMethod(ServletRequest.class, "startAsync");
-	}
 }