
Deprecate openID 2.0 support

This commit adds a deprecation notice to the XML schema and to the parser of the schema, and removes FIXME comments.

Fixes gh-7153
Dávid Kovács 5 anos atrás

+ 60 - 45
config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -350,51 +350,7 @@ final class AuthenticationConfigBuilder {
 		RootBeanDefinition openIDFilter = null;
 
 		if (openIDLoginElt != null) {
-			FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser(
-					"/login/openid", null,
-					OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache,
-					sessionStrategy, allowSessionCreation, portMapper, portResolver);
-
-			parser.parse(openIDLoginElt, pc);
-			openIDFilter = parser.getFilterBean();
-			openIDEntryPoint = parser.getEntryPointBean();
-			openidLoginProcessingUrl = parser.getLoginProcessingUrl();
-			openIDLoginPage = parser.getLoginPage();
-
-			List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
-					Elements.OPENID_ATTRIBUTE_EXCHANGE);
-
-			if (!attrExElts.isEmpty()) {
-				// Set up the consumer with the required attribute list
-				BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder
-						.rootBeanDefinition(OPEN_ID_CONSUMER_CLASS);
-				BeanDefinitionBuilder axFactory = BeanDefinitionBuilder
-						.rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS);
-				ManagedMap<String, ManagedList<BeanDefinition>> axMap = new ManagedMap<>();
-
-				for (Element attrExElt : attrExElts) {
-					String identifierMatch = attrExElt.getAttribute("identifier-match");
-
-					if (!StringUtils.hasText(identifierMatch)) {
-						if (attrExElts.size() > 1) {
-							pc.getReaderContext().error(
-									"You must supply an identifier-match attribute if using more"
-											+ " than one "
-											+ Elements.OPENID_ATTRIBUTE_EXCHANGE
-											+ " element", attrExElt);
-						}
-						// Match anything
-						identifierMatch = ".*";
-					}
-
-					axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt));
-				}
-				axFactory.addConstructorArgValue(axMap);
-
-				consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition());
-				openIDFilter.getPropertyValues().addPropertyValue("consumer",
-						consumerBldr.getBeanDefinition());
-			}
+			openIDFilter = parseOpenIDFilter(sessionStrategy, openIDLoginElt);
 		}
 
 		if (openIDFilter != null) {
@@ -412,6 +368,65 @@ final class AuthenticationConfigBuilder {
 		}
 	}
 
+	/**
+	 * Parses OpenID 1.0 and 2.0 - related parts of configuration xmls
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+	 * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+	 * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+	 * @param sessionStrategy sessionStrategy
+	 * @param openIDLoginElt the element from the xml file
+	 * @return the parsed filter as rootBeanDefinition
+	 */
+	private RootBeanDefinition parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt ) {
+		RootBeanDefinition openIDFilter;
+		FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser(
+				"/login/openid", null,
+				OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache,
+				sessionStrategy, allowSessionCreation, portMapper, portResolver);
+
+		parser.parse(openIDLoginElt, pc);
+		openIDFilter = parser.getFilterBean();
+		openIDEntryPoint = parser.getEntryPointBean();
+		openidLoginProcessingUrl = parser.getLoginProcessingUrl();
+		openIDLoginPage = parser.getLoginPage();
+
+		List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
+				Elements.OPENID_ATTRIBUTE_EXCHANGE);
+
+		if (!attrExElts.isEmpty()) {
+			// Set up the consumer with the required attribute list
+			BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder
+					.rootBeanDefinition(OPEN_ID_CONSUMER_CLASS);
+			BeanDefinitionBuilder axFactory = BeanDefinitionBuilder
+					.rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS);
+			ManagedMap<String, ManagedList<BeanDefinition>> axMap = new ManagedMap<>();
+
+			for (Element attrExElt : attrExElts) {
+				String identifierMatch = attrExElt.getAttribute("identifier-match");
+
+				if (!StringUtils.hasText(identifierMatch)) {
+					if (attrExElts.size() > 1) {
+						pc.getReaderContext().error(
+								"You must supply an identifier-match attribute if using more"
+										+ " than one "
+										+ Elements.OPENID_ATTRIBUTE_EXCHANGE
+										+ " element", attrExElt);
+					}
+					// Match anything
+					identifierMatch = ".*";
+				}
+
+				axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt));
+			}
+			axFactory.addConstructorArgValue(axMap);
+
+			consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition());
+			openIDFilter.getPropertyValues().addPropertyValue("consumer",
+					consumerBldr.getBeanDefinition());
+		}
+		return openIDFilter;
+	}
+
 	private ManagedList<BeanDefinition> parseOpenIDAttributes(Element attrExElt) {
 		ManagedList<BeanDefinition> attributes = new ManagedList<>();
 		for (Element attElt : DomUtils.getChildElementsByTagName(attrExElt,
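Review bot: The Javadoc on the new parseOpenIDFilter carries an `@deprecated` tag but the method itself has no `@Deprecated` annotation, so javac flags it under -Xlint:dep-ann and the caller added in the first hunk gets no deprecation warning at compile time; add `@Deprecated` on the line before the signature. The signature's spacing `parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt )` also differs from the file's own style, e.g. `parseOpenIDAttributes(Element attrExElt)` directly below. The Javadoc should state that the method additionally assigns the openIDEntryPoint, openidLoginProcessingUrl and openIDLoginPage fields, which a reader of the `@return` alone would miss, and `@param sessionStrategy sessionStrategy` wants a real description. The enclosing class continues outside the hunk.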

+ 28 - 28
config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd

@@ -131,7 +131,7 @@
       </xs:annotation>
       <xs:complexType/>
    </xs:element>
-
+  
   <xs:attributeGroup name="password-encoder.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -164,7 +164,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="user-property">
       <xs:attribute name="user-property" use="required" type="xs:token">
          <xs:annotation>
@@ -433,7 +433,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="ldap-ap.attlist">
       <xs:attribute name="server-ref" type="xs:token">
          <xs:annotation>
@@ -513,7 +513,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="password-compare.attlist">
       <xs:attribute name="password-attribute" type="xs:token">
          <xs:annotation>
@@ -573,7 +573,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="protect.attlist">
       <xs:attribute name="method" use="required" type="xs:token">
          <xs:annotation>
@@ -817,13 +817,13 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
-
-
-
-
-
-
+  
+  
+  
+  
+  
+  
+  
   <xs:attributeGroup name="protect-pointcut.attlist">
       <xs:attribute name="expression" use="required" type="xs:string">
          <xs:annotation>
@@ -1265,7 +1265,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="access-denied-handler.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -1290,7 +1290,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="intercept-url.attlist">
       <xs:attribute name="pattern" type="xs:token">
          <xs:annotation>
@@ -1361,7 +1361,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="logout.attlist">
       <xs:attribute name="logout-url" type="xs:token">
          <xs:annotation>
@@ -1408,7 +1408,7 @@
          <xs:attributeGroup ref="security:ref"/>
       </xs:complexType>
    </xs:element>
-
+  
   <xs:attributeGroup name="form-login.attlist">
       <xs:attribute name="login-processing-url" type="xs:token">
          <xs:annotation>
@@ -1496,7 +1496,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:element name="attribute-exchange">
       <xs:annotation>
          <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1695,7 +1695,7 @@
          </xs:simpleType>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="http-basic.attlist">
       <xs:attribute name="entry-point-ref" type="xs:token">
          <xs:annotation>
@@ -1711,7 +1711,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="session-management.attlist">
       <xs:attribute name="session-fixation-protection">
          <xs:annotation>
@@ -1767,7 +1767,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="concurrency-control.attlist">
       <xs:attribute name="max-sessions" type="xs:integer">
          <xs:annotation>
@@ -1814,7 +1814,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="remember-me.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -1912,7 +1912,7 @@
   <xs:attributeGroup name="remember-me-data-source-ref">
       <xs:attributeGroup ref="security:data-source-ref"/>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="anonymous.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -1945,8 +1945,8 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
-
+  
+  
   <xs:attributeGroup name="http-port">
       <xs:attribute name="http" use="required" type="xs:token">
          <xs:annotation>
@@ -1963,7 +1963,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="x509.attlist">
       <xs:attribute name="subject-principal-regex" type="xs:token">
          <xs:annotation>
@@ -2160,7 +2160,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="ap.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -2212,7 +2212,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="user.attlist">
       <xs:attribute name="name" use="required" type="xs:token">
          <xs:annotation>
@@ -2823,4 +2823,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>

+ 2 - 2
config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc

@@ -615,7 +615,7 @@ opaque-token.attlist &=
     attribute introspector-ref {xsd:token}?
 
 openid-login =
-	## Sets up form login for authentication with an Open ID identity
+	## Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	element openid-login {form-login.attlist, user-service-ref?, attribute-exchange*}
 
 attribute-exchange =
@@ -627,7 +627,7 @@ attribute-exchange.attlist &=
 	attribute identifier-match {xsd:token}?
 
 openid-attribute =
-	## Attributes used when making an OpenID AX Fetch Request
+	## Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	element openid-attribute {openid-attribute.attlist}
 
 openid-attribute.attlist &=

+ 37 - 35
config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd

@@ -124,7 +124,7 @@
       </xs:annotation>
       <xs:complexType/>
    </xs:element>
-
+  
   <xs:attributeGroup name="password-encoder.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -408,7 +408,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="ldap-ap.attlist">
       <xs:attribute name="server-ref" type="xs:token">
          <xs:annotation>
@@ -488,7 +488,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="password-compare.attlist">
       <xs:attribute name="password-attribute" type="xs:token">
          <xs:annotation>
@@ -541,7 +541,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="protect.attlist">
       <xs:attribute name="method" use="required" type="xs:token">
          <xs:annotation>
@@ -785,13 +785,13 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
-
-
-
-
-
-
+  
+  
+  
+  
+  
+  
+  
   <xs:attributeGroup name="protect-pointcut.attlist">
       <xs:attribute name="expression" use="required" type="xs:string">
          <xs:annotation>
@@ -960,10 +960,11 @@
             <xs:element ref="security:oauth2-resource-server"/>
             <xs:element name="openid-login">
                <xs:annotation>
-                  <xs:documentation>Sets up form login for authentication with an Open ID identity.
-                      NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
-                      <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
-                      to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+                  <xs:documentation>Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and
+                2.0 protocols have been deprecated and users are &lt;a
+                href="https://openid.net/specs/openid-connect-migration-1_0.html"&gt;encouraged to
+                migrate&lt;/a&gt; to &lt;a href="https://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt;, which is
+                supported by &lt;code&gt;spring-security-oauth2&lt;/code&gt;.
                 </xs:documentation>
                </xs:annotation>
                <xs:complexType>
@@ -1239,7 +1240,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="access-denied-handler.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -1264,7 +1265,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="intercept-url.attlist">
       <xs:attribute name="pattern" type="xs:token">
          <xs:annotation>
@@ -1321,7 +1322,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="logout.attlist">
       <xs:attribute name="logout-url" type="xs:token">
          <xs:annotation>
@@ -1368,7 +1369,7 @@
          <xs:attributeGroup ref="security:ref"/>
       </xs:complexType>
    </xs:element>
-
+  
   <xs:attributeGroup name="form-login.attlist">
       <xs:attribute name="login-processing-url" type="xs:token">
          <xs:annotation>
@@ -1881,7 +1882,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:element name="attribute-exchange">
       <xs:annotation>
          <xs:documentation>Sets up an attribute exchange configuration to request specified attributes from the
@@ -1908,10 +1909,11 @@
   </xs:attributeGroup>
   <xs:element name="openid-attribute">
       <xs:annotation>
-         <xs:documentation>Attributes used when making an OpenID AX Fetch Request.
-             NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
-             <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
-             to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+         <xs:documentation>Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0
+                protocols have been deprecated and users are &lt;a
+                href="https://openid.net/specs/openid-connect-migration-1_0.html"&gt;encouraged to
+                migrate&lt;/a&gt; to &lt;a href="https://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt;, which is
+                supported by &lt;code&gt;spring-security-oauth2&lt;/code&gt;.
                 </xs:documentation>
       </xs:annotation>
       <xs:complexType>
@@ -2083,7 +2085,7 @@
          </xs:simpleType>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="http-basic.attlist">
       <xs:attribute name="entry-point-ref" type="xs:token">
          <xs:annotation>
@@ -2099,7 +2101,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="session-management.attlist">
       <xs:attribute name="session-fixation-protection">
          <xs:annotation>
@@ -2155,7 +2157,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="concurrency-control.attlist">
       <xs:attribute name="max-sessions" type="xs:integer">
          <xs:annotation>
@@ -2202,7 +2204,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="remember-me.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -2300,7 +2302,7 @@
   <xs:attributeGroup name="remember-me-data-source-ref">
       <xs:attributeGroup ref="security:data-source-ref"/>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="anonymous.attlist">
       <xs:attribute name="key" type="xs:token">
          <xs:annotation>
@@ -2333,8 +2335,8 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
-
+  
+  
   <xs:attributeGroup name="http-port">
       <xs:attribute name="http" use="required" type="xs:token">
          <xs:annotation>
@@ -2351,7 +2353,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="x509.attlist">
       <xs:attribute name="subject-principal-regex" type="xs:token">
          <xs:annotation>
@@ -2488,7 +2490,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="ap.attlist">
       <xs:attribute name="ref" type="xs:token">
          <xs:annotation>
@@ -2540,7 +2542,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-
+  
   <xs:attributeGroup name="user.attlist">
       <xs:attribute name="name" use="required" type="xs:token">
          <xs:annotation>
@@ -3180,4 +3182,4 @@
          <xs:enumeration value="LAST"/>
       </xs:restriction>
   </xs:simpleType>
-</xs:schema>
+</xs:schema>
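Review bot: The regenerated openid-login and openid-attribute descriptions now carry the deprecation note with the anchor and code markup escaped (`&lt;a href=...&gt;`, `&lt;code&gt;`), whereas the lines they replace held literal `<a>`/`<code>` elements inside xs:documentation, so tooling that renders the documentation as HTML will presumably now show the tags as plain text; either the descriptions in spring-security-5.4.rnc should use plain text with the bare URL, or the escaping in the generated output should be checked before the 5.4 schema ships. The same regeneration replaced blank lines with two-space lines throughout this file and spring-security-4.2.xsd and altered the final `</xs:schema>` line, noise unrelated to the deprecation; the 4.2.xsd section is whitespace only and could be dropped from the commit.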

+ 0 - 1
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc

@@ -33,7 +33,6 @@ This also gives a good idea of the high level flow of authentication and how pie
 * <<servlet-rememberme, Remember Me>> - How to remember a user past session expiration
 * <<servlet-jaas, JAAS Authentication>> - Authenticate with JAAS
 * <<servlet-openid,OpenID>> - OpenID Authentication (not to be confused with OpenID Connect)
-// FIXME: The one above is deprecated. Should it be removed from here as well?
 * <<servlet-preauth>> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
 * <<servlet-x509,X509 Authentication>> - X509 Authentication