
saving updates to migrate

Rob Winch 10 years ago
parent
commit
a18fa3f1db

+ 71 - 17
docs/manual/src/docs/asciidoc/_includes/migrate-3-to-4.adoc

@@ -38,6 +38,9 @@ For thoroughness we have include the related links in the table below.
 | https://jira.spring.io/browse/SEC-2348[SEC-2348]
 | https://github.com/spring-projects/spring-security/commit/eedbf442359f9a99e367f2fdef61deea1cef46c9[eedbf44]
 
+| https://jira.spring.io/browse/SEC-2781[SEC-2781]
+| https://github.com/spring-projects/spring-security/commit/6e204fff72b80196a83245cbc3bd0cd401feda00[6e204ff]
+
 | https://jira.spring.io/browse/SEC-2873[SEC-2873]
 | https://github.com/spring-projects/spring-security/commit/5f57e5b0c3726466db4f5d0521ac26423f0d9cd4[5f57e5b]
 |====
@@ -188,7 +191,7 @@ The configuration will need to be updated to something similar to the following
 [source,xml]
 ----
 <http>
-    <openid-login login-processing-url="/j_spring_openid_security_login"/> <!--1-->
+    <openid-login login-processing-url="/j_spring_openid_security_check"/> <!--1-->
     ...
 </http>
 ----
@@ -354,21 +357,21 @@ For example, if an application using Spring Security 3.2.x contains a configurat
 
 [source,xml]
 ----
-<bean id="casFilter"
-      class="org.springframework.security.cas.web.CasAuthenticationFilter">
-  <property name="authenticationManager" ref="authenticationManager"/>
-</bean>
+<b:bean id="casFilter"
+            class="org.springframework.security.cas.web.CasAuthenticationFilter">
+    <b:property name="authenticationManager" ref="authenticationManager"/>
+</b:bean>
 ----
 
 The configuration will need to be updated to something similar to the following when Spring Security 4.x:
 
 [source,xml]
 ----
-<bean id="casFilter"
-      class="org.springframework.security.cas.web.CasAuthenticationFilter">
-  <property name="authenticationManager" ref="authenticationManager"/>
-  <property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
-</bean>
+<b:bean id="casFilter"
+            class="org.springframework.security.cas.web.CasAuthenticationFilter">
+    <b:property name="authenticationManager" ref="authenticationManager"/>
+    <b:property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
+</b:bean>
 ----
 
 *Alternatively*, the `ServiceProperties` can be updated to use the new default:
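Review bot: the continuation lines of the new `<b:bean id="casFilter"` elements indent `class=` by twelve spaces, which aligns with neither the `id=` attribute nor the four-space child indent used for `<b:property>`. Align `class=` under `id=` or keep it on the opening line, as the switch-user sample in this patch does. While both CAS listings are being touched, the context sentence between them, "when Spring Security 4.x", is missing a word ("when using Spring Security 4.x").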
@@ -394,10 +397,10 @@ For example, if an application using Spring Security 3.2.x contains a configurat
 
 [source,xml]
 ----
-<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
-    <property name="userDetailsService" ref="userDetailsService" />
-    <property name="targetUrl" value="/" />
- </bean>
+<b:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
+    <b:property name="userDetailsService" ref="userDetailsService" />
+    <b:property name="targetUrl" value="/" />
+</b:bean>
 ----
 
 The configuration will need to be updated to something similar to the following when Spring Security 4.x:
@@ -405,8 +408,8 @@ The configuration will need to be updated to something similar to the following
 [source,xml]
 ----
 <bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
-    <property name="switchUserUrl" value="/login/impersonate" />
-    <property name="exitUserUrl" value="/logout/impersonate" />
+    <property name="switchUserUrl" value="/j_spring_security_switch_user" />
+    <property name="exitUserUrl" value="/j_spring_security_exit_user" />
 
     <property name="userDetailsService" ref="userDetailsService" />
     <property name="targetUrl" value="/" />
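Review bot: this 4.x listing still opens with an unprefixed `<bean id="switchUserProcessingFilter" ...>` and unprefixed `<property>` children, while the 3.2.x listing for the same filter in the previous hunk was just converted to `<b:bean>` and `<b:property>`. Convert this block as well, so the before and after samples differ only in the added `switchUserUrl` and `exitUserUrl` properties and a reader is not left wondering whether the namespace prefix is part of the migration.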
@@ -445,10 +448,12 @@ In Spring Security 3.x, the following configuration
 [source,xml]
 ----
 <http>
-   ...
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
+
+   ...
+</http>
 ----
 
 would add the following header:
@@ -583,8 +588,10 @@ http
 A number of deprecations were removed in Spring Security 4.
 The following section describes how to migrate the removal of all deprecations.
 
+[[m3to4-deprecations-acl]]
 === spring-security-acl
 
+[[m3to4-deprecations-acl-aclimpl]]
 ==== AclImpl
 
 AclImpl had a deprecated constructor removed. Specifically, the constructor that defaults the `PermissionGrantingStrategy` was removed:
@@ -617,6 +624,7 @@ new AclImpl(objectIdentity, id, aclAuthorizationStrategy, permissionGrantingStra
             parentAcl, loadedSids, entriesInheriting, owner);
 ----
 
+[[m3to4-deprecations-acl-ehcachebasedaclcache]]
 ==== EhCacheBasedAclCache
 
 `EhCacheBasedAclCache` had a deprecated constructor removed. Specifically, the constructor that defaults the `PermissionGrantingStrategy` was removed:
@@ -646,8 +654,10 @@ PermissionGrantingStrategy permissionGrantingStrategy =
 new EhCacheBasedAclCache(ehCache, permissionGrantingStrategy);
 ----
 
+[[m3to4-deprecations-cas]]
 === spring-security-cas
 
+[[m3to4-deprecations-cas-serviceauthenticationdetailssource]]
 ==== ServiceAuthenticationDetailsSource
 
 `ServiceAuthenticationDetailsSource` removed the deprecated construtors that defaulted the `ServiceProperties`.
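Review bot: the sentence directly under the new `[[m3to4-deprecations-cas-serviceauthenticationdetailssource]]` anchor misspells "constructors" as "construtors". Fix it in this pass, since the section is being made linkable.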
@@ -684,8 +694,11 @@ new ServiceAuthenticationDetailsSource(serviceProperties);
 new ServiceAuthenticationDetailsSource(serviceProperties, artifactId);
 ----
 
+[[m3to4-deprecations-config]]
 === spring-security-config
 
+
+[[m3to4-deprecations-config-fids]]
 ==== filter-invocation-definition-source
 
 The XML element `filter-invocation-definition-source` was removed in favor of <<nsa-filter-security-metadata-source,filter-security-metadata-source>>.
@@ -707,6 +720,7 @@ it needs to be replaced with:
 </filter-security-metadata-source>
 ----
 
+[[m3to4-deprecations-config-http-adp]]
 ==== http@access-denied-page
 The XML attribute `http@access-denied-page` was removed in favor of <<nsa-access-denied-handler-error-page,access-denied-handler@error-page>>.
 This means if you have something like this:
@@ -728,6 +742,7 @@ it needs to be replaced with:
 </http>
 ----
 
+[[m3to4-deprecations-config-http-pt]]
 ==== http@path-type
 The XML attribute `http@path-type` was removed in favor of <<nsa-http-request-matcher,http@request-matcher>>.
 This means if you have something like this:
@@ -749,6 +764,7 @@ it needs to be replaced with:
 </http>
 ----
 
+[[m3to4-deprecations-config-fcm-pt]]
 ==== filter-chain-map@path-type
 The XML attribute `filter-chain-map@path-type` was removed in favor of <<nsa-filter-chain-map-request-matcher,filter-chain-map@request-matcher>>.
 This means if you have something like this:
@@ -770,6 +786,7 @@ it needs to be replaced with:
 </filter-chain-map>
 ----
 
+[[m3to4-deprecations-config-sms-pt]]
 ==== filter-security-metadata-source@path-type
 The XML attribute `filter-security-metadata-source@path-type` was removed in favor of <<nsa-filter-security-metadata-source-request-matcher,filter-security-metadata-source@request-matcher>>.
 This means if you have something like this:
@@ -791,8 +808,10 @@ it needs to be replaced with:
 </filter-security-metadata-source>
 ----
 
+[[m3to4-deprecations-core]]
 === spring-security-core
 
+[[m3to4-deprecations-core-securityconfig]]
 ==== SecurityConfig
 
 `SecurityConfig.createSingleAttributeList(String)` was removed in favor of using `SecurityConfig.createList(String...)`.
@@ -812,6 +831,7 @@ List<ConfigAttribute> attrs =
     SecurityConfig.createList("ROLE_USER");
 ----
 
+[[m3to4-deprecations-core-udsw]]
 ==== UserDetailsServiceWrapper
 
 `UserDetailsServiceWrapper` was deprecated in favor of using `RoleHierarchyAuthoritiesMapper`.
@@ -841,6 +861,8 @@ then it needs to be migrated with something like this:
 
 TBD
 
+
+[[m3to4-deprecations-core-udw]]
 ==== UserDetailsWrapper
 `UserDetailsWrapper` was deprecated in favor of using `RoleHierarchyAuthoritiesMapper`.
 Typically users would not use the `UserDetailsWrapper` directly. However, if they are they can use `RoleHierarchyAuthoritiesMapper`
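Review bot: the new `[[m3to4-deprecations-core-udw]]` anchor is added directly below a `UserDetailsServiceWrapper` section whose migration sample is still the placeholder `TBD`. Fill in the `RoleHierarchyAuthoritiesMapper` example or open an issue for it before the guide ships, so that links into this part of the guide do not land on an unfinished section. The sentence "However, if they are they can use ..." in the `UserDetailsWrapper` text also needs rewording.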
@@ -861,6 +883,7 @@ UserDetails authenticate =
     new User(userDetails.getUsername(), userDetails.getPassword(), allAuthorities);
 ----
 
+[[m3to4-deprecations-core-aadm]]
 ==== AbstractAccessDecisionManager
 
 The default constructor for `AbstractAccessDecisionManager` has been deprecated along with the `setDecisionVoters` method.
@@ -899,6 +922,7 @@ then it needs to be migrated to:
 </b:bean>
 ----
 
+[[m3to4-deprecations-core-ae]]
 ==== AuthenticationException
 
 The constructor that accepts extraInformation within `AuthenticationException` was removed to prevent accidental leaking of the `UserDetails`.
@@ -927,6 +951,8 @@ to:
 new LockedException("Message");
 ----
 
+
+[[m3to4-deprecations-core-aap]]
 ==== AnonymousAuthenticationProvider
 
 `AnonymousAuthenticationProvider` default constructor and `setKey` method was deprecated in favor of using constructor injection.
@@ -945,6 +971,7 @@ it should be changed to:
 AnonymousAuthenticationProvider provider = new AnonymousAuthenticationProvider(key);
 ----
 
+[[m3to4-deprecations-core-adsi]]
 ==== AuthenticationDetailsSourceImpl
 
 `AuthenticationDetailsSourceImpl` was deprecated in favor of writing a custom `AuthenticationDetailsSource`.
@@ -968,6 +995,7 @@ public CustomSourceAuthenticationDetailsSource implements AuthenticationDetailsS
 }
 ----
 
+[[m3to4-deprecations-core-pm]]
 ==== ProviderManager
 
 `ProviderManager` has removed the deprecated default constructor and the correspdonding setter methods in favor of using constructor injection.
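Review bot: "correspdonding" in the `ProviderManager` sentence should be "corresponding". The sample declaration visible in this hunk's header, `public CustomSourceAuthenticationDetailsSource implements ...`, also lacks the `class` keyword and will not compile when copied.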
@@ -990,6 +1018,7 @@ then it should be changed to:
 ProviderManager provider = new ProviderManager(parent, providers);
 ----
 
+[[m3to4-deprecations-core-rmap]]
 ==== RememberMeAuthenticationProvider
 `RememberMeAuthenticationProvider` had the default constructor and the `setKey` method removed in favor of constructor injection.
 For example:
@@ -1007,6 +1036,7 @@ should be migrated to:
 RememberMeAuthenticationProvider provider = new RememberMeAuthenticationProvider(key);
 ----
 
+[[m3to4-deprecations-core-gai]]
 ==== GrantedAuthorityImpl
 
 `GrantedAuthorityImpl` was removed in favor of `SimpleGrantedAuthority` or implementing your own.
@@ -1024,12 +1054,15 @@ should be replaced with
 new SimpleGrantedAuthority(role);
 ----
 
+[[m3to4-deprecations-core-imdi]]
 ==== InMemoryDaoImpl
 
 `InMemoryDaoImpl` was replaced in favor of `InMemoryUserDetailsManager`
 
+[[m3to4-deprecations-openid]]
 ==== spring-security-openid
 
+[[m3to4-deprecations-openid-oi4jc]]
 ==== OpenID4JavaConsumer
 
 The `OpenID4JavaConsumer` constructors that accept `List<OpenIDAttribute>` have been removed in favor of using an `AxFetchListFactory`.
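Review bot: `[[m3to4-deprecations-openid]]` is named like the other module-level anchors (`m3to4-deprecations-core`, `m3to4-deprecations-cas`), but the heading it labels is `==== spring-security-openid`, one level deeper than `=== spring-security-core` and the other module headings. As written, the OpenID section and `OpenID4JavaConsumer` become siblings of `InMemoryDaoImpl` under spring-security-core. Change the heading to `=== spring-security-openid`. The `InMemoryDaoImpl` sentence above it is also missing its final period.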
@@ -1050,6 +1083,7 @@ RegexBasedAxFetchListFactory factory = new RegexBasedAxFetchListFactory(regexMap
 new OpenIDJavaConsumer(factory);
 ----
 
+[[m3to4-deprecations-taglibs]]
 === spring-security-taglibs
 
 Spring Security's authorize JSP tag deprecated the properties `ifAllGranted`, `ifAnyGranted`, and `ifNotGranted` in favor of using expressions.
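Review bot: the listing that closes the `OpenID4JavaConsumer` section (the top context of this hunk) instantiates `new OpenIDJavaConsumer(factory);`, which does not match the class name used in the heading and prose, `OpenID4JavaConsumer`. Correct the sample so it compiles when copied.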
@@ -1084,8 +1118,10 @@ can be replaced with:
 </sec:authorize>
 ----
 
+[[m3to4-deprecations-web]]
 === spring-security-web
 
+[[m3to4-deprecations-web-fcp]]
 ==== FilterChainProxy
 
 `FilterChainProxy` removed the `setFilterChainMap` method in favor of constructor injection.
@@ -1121,6 +1157,7 @@ FilterChainProxy filter = ...
 List<SecurityFilterChain> mappings = filter.getFilterChains();
 ----
 
+[[m3to4-deprecations-web-etf]]
 ==== ExceptionTranslationFilter
 
 The default constructor for `ExceptionTranslationFilter` and the `setAuthenticationEntryPoint` method was removed in favor of using constructor injection.
@@ -1139,6 +1176,7 @@ can be replaced with
 ExceptionTranslationFilter filter = new ExceptionTranslationFilter(entryPoint, requestCache);
 ----
 
+[[m3to4-deprecations-web-aapf]]
 ==== AbstractAuthenticationProcessingFilter
 
 `AbstractAuthenticationProcessingFilter` had its `successfulAuthentication(HttpServletRequest,HttpServletResponse,Authentication)` method removed.
@@ -1160,6 +1198,7 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
 }
 ----
 
+[[m3to4-deprecations-web-aaf]]
 ==== AnonymousAuthenticationFilter
 
 `AnonymousAuthenticationFilter` had the default constructor and the `setKey` and `setPrincipal` methods removed in favor of constructor injection.
@@ -1180,6 +1219,7 @@ AnonymousAuthenticationFilter filter =
     new AnonymousAuthenticationFilter(key,attrs.getPassword(),attrs.getAuthorities());
 ----
 
+[[m3to4-deprecations-web-luaep]]
 ==== LoginUrlAuthenticationEntryPoint
 
 The `LoginUrlAuthenticationEntryPoint` default constructor and the `setLoginFormUrl` method was removed in favor of constructor injection.
@@ -1197,10 +1237,12 @@ should be replaced with
 LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint(loginFormUrl);
 ----
 
+[[m3to4-deprecations-web-pagauds]]
 ==== PreAuthenticatedGrantedAuthoritiesUserDetailsService
 
 `PreAuthenticatedGrantedAuthoritiesUserDetailsService` removed `createuserDetails` in favor of `createUserDetails`.
 
+[[m3to4-deprecations-web-arms]]
 ==== AbstractRememberMeServices
 
 `AbstractRememberMeServices` and its subclasses `PersistentTokenBasedRememberMeServices` and `TokenBasedRememberMeServices` removed the default constructor and the `setKey` and `setUserDetailsService` methods in favor of constructor injection.
@@ -1222,6 +1264,7 @@ PersistentTokenBasedRememberMeServices services =
     new PersistentTokenBasedRememberMeServices(key, userDetailsService, tokenRepository);
 ----
 
+[[m3to4-deprecations-web-rmaf]]
 ==== RememberMeAuthenticationFilter
 
 `RememberMeAuthenticationFilter` default constructor and the `setAuthenticationManager` and `setRememberMeServices` methods were removed in favor of constructor injection.
@@ -1241,6 +1284,7 @@ RememberMeAuthenticationFilter filter =
     new RememberMeAuthenticationFilter(authenticationManager,rememberMeServices);
 ----
 
+[[m3to4-deprecations-web-tbrms]]
 ==== TokenBasedRememberMeServices
 
 `TokenBasedRememberMeServices` default constructor and the `setKey` and `setUserDetailsService` methods were removed in favor of constructor injection.
@@ -1260,6 +1304,7 @@ TokenBasedRememberMeServices services =
     new TokenBasedRememberMeServices(key,userDetailsService);
 ----
 
+[[m3to4-deprecations-web-cscs]]
 ==== ConcurrentSessionControlStrategy
 
 `ConcurrentSessionControlStrategy` was replaced with `ConcurrentSessionControlAuthenticationStrategy`.
@@ -1283,10 +1328,12 @@ delegates.add(new RegisterSessionAuthenticationStrategy(sessionRegistry));
 CompositeSessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(delegates);
 ----
 
+[[m3to4-deprecations-web-sfps]]
 ==== SessionFixationProtectionStrategy
 
 `SessionFixationProtectionStrategy` removed `setRetainedAttributes` method in favor of users subclassing `SessionFixationProtectionStrategy` and overriding `extractAttributes` method.
 
+[[m3to4-deprecations-web-baf]]
 ==== BasicAuthenticationFilter
 
 `BasicAuthenticationFilter` default constructor and the `setAuthenticationManager` and `setRememberMeServices` methods were removed in favor of constructor injection.
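Review bot: the `BasicAuthenticationFilter` sentence at the end of this hunk names `setAuthenticationManager` and `setRememberMeServices` as the removed setters, the same wording used for `RememberMeAuthenticationFilter`, yet the replacement shown for it is `new BasicAuthenticationFilter(authenticationManager,entryPoint, ignoreFailure)`. Check the setter list against the constructor arguments (entry point and ignore-failure flag rather than remember-me services) and correct whichever one is wrong.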
@@ -1307,6 +1354,7 @@ BasicAuthenticationFilter filter =
     new BasicAuthenticationFilter(authenticationManager,entryPoint, ignoreFailure);
 ----
 
+[[m3to4-deprecations-web-scpf]]
 ==== SecurityContextPersistenceFilter
 
 `SecurityContextPersistenceFilter` removed the `setSecurityContextRepository` in favor of constructor injection.
@@ -1325,6 +1373,7 @@ should be replaced with
 SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(securityContextRepository);
 ----
 
+[[m3to4-deprecations-web-rcaf]]
 ==== RequestCacheAwareFilter
 
 `RequestCacheAwareFilter` removed the `setRequestCache` in favor of constructor injection.
@@ -1343,6 +1392,7 @@ should be replaced with
 RequestCacheAwareFilter filter = new RequestCacheAwareFilter(requestCache);
 ----
 
+[[m3to4-deprecations-web-csf]]
 ==== ConcurrentSessionFilter
 
 `ConcurrentSessionFilter` removed the default constructor and the `setExpiredUrl` and `setSessionRegistry` methods in favor of constructor injection.
@@ -1362,6 +1412,7 @@ should be replaced with
 ConcurrentSessionFilter filter = new ConcurrentSessionFilter(sessionRegistry,expiredUrl);
 ----
 
+[[m3to4-deprecations-web-smf]]
 ==== SessionManagementFilter
 
 `SessionManagementFilter` removed the `setSessionAuthenticationStrategy` method in favor of constructor injection.
@@ -1380,6 +1431,7 @@ should be replaced with
 SessionManagementFilter filter = new SessionManagementFilter(securityContextRepository, sessionAuthenticationStrategy);
 ----
 
+[[m3to4-deprecations-web-rm]]
 ==== RequestMatcher
 
 The `RequestMatcher` and its implementations have moved from the package `org.springframework.security.web.util` to `org.springframework.security.web.util.matcher`.
@@ -1393,6 +1445,7 @@ Specifically
 * `org.springframework.security.web.util.RequestMatcherEditor` -> `org.springframework.security.web.util.matcher.RequestMatcherEditor`
 * `org.springframework.security.web.util.RegexRequestMatcher` -> `org.springframework.security.web.util.matcher.RegexRequestMatcher`
 
+[[m3to4-deprecations-web-wseh]]
 ==== WebSecurityExpressionHandler
 
 `WebSecurityExpressionHandler` was removed in favor of using `SecurityExpressionHandler<FilterInvocation>`.
@@ -1411,6 +1464,7 @@ it needs to be updated to
 SecurityExpressionHandler<FilterInvocation> handler = ...
 ----
 
+[[m3to4-role-prefixing]]
 == Automatic ROLE_ prefixing
 
 Spring Security 4 made the use of ROLE_ consistent.